You don’t need to change all your passwords
This is probably going to be a wildly unpopular opinion and IDGAF. So many of my non-technical friends are freaking out that I feel the need to provide a bit of reassurance/reality.
First, an analogy.
In 2005 we learned that you can open a Kryptonite U-lock with a ballpoint pen. Everyone freaked out and changed their bike locks ASAP. Remember that?
Now, I wasn’t riding a bike at the time, but I started riding a bike a few years later in San Francisco, and I know how widespread bike theft is there. I used multiple levels of protection for my bike: a good lock, fancy locking posts on the seat and handlebars, and I parked my bike somewhere secure (work, home) about 90% of the time and only locked it up in public for short periods. Everywhere I went I saw sad, dismembered bike frames hanging forlornly from railings, reminding me of the danger. Those were paranoid times, and if I’d been riding in SF in 2005 you can bet I would have been first in line to replace my U-lock.
These days I live in Ballarat, a country town in Victoria, Australia. Few people ride bikes here and even fewer steal them. I happily leave my bike unlocked on friends’ front porches, dump it under a tree while I watch birds on the lake, lean it against the front of a shop just locked to itself while I grab a coffee, or park it outside divey music venues while I attend gigs late at night. I have approximately zero expectation of anything happening to it. If I heard that my bike lock had been compromised, I wouldn’t be in too desperate a hurry to change it.
Here’s the thing: if you are an ordinary Jane or Joe living the Internet equivalent of my cycling life in Ballarat, you don’t need to freak out about this thing.
Here are some websites I use where I’m not going to bother changing my password:
- The place where I save interesting recipes
- The one I go to to look at gifs of people in bands
- That guitar forum
- The one with the cool jewelry
- The wiki I edit occasionally
- The social network I only signed up for out of a sense of obligation but never use
Why? Because a) probably nobody’s going to bother trying to steal the passwords from there, and b) even if they did, so what?
This Heartbleed bug effectively reduces the privacy of an SSL-protected site (one whose URL starts with https://, which will probably show a lock in your browser’s address bar) to that of one without. Would you login to a site without SSL? Do you even know if the site uses SSL? If you’d login to your pet/recipe/knitting/music site anyway — if you’d do it from a coffee shop or airport — if you’d do it from a laptop or tablet or phone doesn’t have a strong password on it — if you don’t use two-factor authentication or don’t know what that means — then basically this won’t matter to you.
(I’m not saying it shouldn’t matter. You should probably set strong passwords and use VPNs and two-factor authentication. Just like you should probably lock your bike up everywhere you go, floss, and get your pap smears on the regular. Right? Right? *crickets*)
So if you’re a regular Jane — not working in IT security, not keeping state secrets, etc — here’s where you really need to change your passwords:
- Any site you use to login to other sites (eg. Google, Facebook)
- Any site that gives access to a good chunk of your money with just your password (eg. your bank, PayPal, Amazon)
(To do this: use this site to check if the site in question is affected, then if it’s “all clear” change your password. Don’t bother changing your password on a still-affected site, as that defeats the purpose. Oh, and you should probably change your passwords on those sites semi-regularly anyway, like maybe when you change the batteries in your smoke alarm. Which I just realised I should have done the other day and didn’t. Which tells you everything, really.)
Beyond those couple of key websites, you need to do a little risk assessment. Ask yourself questions like:
- Has anyone ever heard of this site? Does anyone care? Is it likely to be a target of ominous dudes in balaclavas?
- If I lost my login to this site, or someone could snoop what I had on that account, what is the worst that could happen?
If your answer is “I’d lose my job” or “I absolutely cannot survive without my extensive collection of Bucky/Steve fanart” then by all means change your password.
If your answer is “Eh, I’d sign up for a new one” or “Wait, even I’d forgotten that site existed” then you can probably stop freaking out quite so much.
DISCLAIMER: I am not an Internet security expert, just a moderately well-informed techhead. Some people, including better-informed ones, will disagree with me. You take this advice at your own risk. La la la what the fuck ever, you’ll most likely be fine.