The web is rife with recommendations that users change their passwords following a catastrophic bug in the widely used cryptography library OpenSSL (the "Heartbleed" bug, announced April 7th, 2014). So the question is, should you change your password?

The short answer is: Maybe?

This particular security hole is scary because the bug lets an attacker read pieces of a server's memory, which can include users' passwords and the server's private key, and it leaves no trace in the server's logs. So there is no way of knowing whether someone stole your password until someone makes unauthorized use of it. Be skeptical of any advice regarding the OpenSSL vulnerability, since everyone's situation is different and the experts are still working this one out. We probably won't know what the best option was until it is too late to make a difference.

For my non-technical friends, here are my best-guess recommendations at present. Your choice depends on your level of paranoia.

  • "Losing my password is NBD (no big deal)"
    If losing a password would not be a life-changing event, you can wait to see whether stories emerge about stolen passwords, then change your passwords immediately at the first sign of trouble. The "wait and see" approach is still viable as of April 9th, 2014, because no mass compromise of user passwords has been reported. However, it is widely believed that intelligence agencies have exploited this bug and may already have your password.

  • "Losing my passwords would be bad"
    If you decide to change your passwords, wait a few days to give online service providers time to patch OpenSSL and to replace the TLS certificates and private keys the bug may have exposed. If you change your password before a site has done both, the new password can be captured the same way as the old one, so you have gained nothing and will have to change it again. One rough check: most browsers will show a site's certificate and its issue date, and a certificate dated before April 7th, 2014 (the day the bug was announced) has not been replaced.

  • "Losing my passwords would be horrific"
    If you want the greatest security possible, change your passwords today and again next week. Changing today limits the damage if your current password has already been taken; changing again next week covers the case where a site had not yet patched and replaced its keys when you made the first change.

  • "Losing my passwords could kill me"
    Pray. This one is bad.
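For the technically inclined: the "wait a few days" advice above depends on knowing whether a site has actually reissued its certificate since the bug was announced. The Python script below is an added example, not part of the original post, that reads the issue date out of the certificate dictionary Python's `ssl` module returns and compares it with a cutoff. The sample certificates are constructed for illustration (only the fields used here are filled in), and the cutoff of April 8th, 2014 is my own conservative assumption, since a certificate dated April 7th may or may not postdate the site's patch.

```python
import socket
import ssl
from datetime import datetime, timezone

# Added example, not from the original post. The OpenSSL bug was announced on
# 2014-04-07; only certificates issued on or after the following day are treated
# as "reissued after the fix was available". The cutoff is an assumption.
CUTOFF = datetime(2014, 4, 8, tzinfo=timezone.utc)


def not_before(cert):
    """Parse the 'notBefore' field of a getpeercert() dict into a UTC datetime.

    getpeercert() renders dates the way OpenSSL does, e.g. 'Apr  9 12:00:00 2014 GMT'
    (single-digit days are padded with two spaces).
    """
    seconds = ssl.cert_time_to_seconds(cert["notBefore"])
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def issued_after_cutoff(cert, cutoff=CUTOFF):
    """True if the certificate was issued on or after the cutoff date.

    A necessary condition for the site having replaced its key, not a sufficient
    one: a site can reissue a certificate for the same (possibly leaked) key pair.
    If you kept a copy of the old certificate, compare the public keys as well.
    """
    return not_before(cert) >= cutoff


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Fetch the certificate a live server presents (needs network access)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates in the shape getpeercert() returns;
# these are not real certificates.
OLD_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "notBefore": "Jan 15 00:00:00 2014 GMT",
    "notAfter": "Jan 15 23:59:59 2015 GMT",
}
NEW_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "notBefore": "Apr  9 12:00:00 2014 GMT",
    "notAfter": "Apr  9 12:00:00 2015 GMT",
}

if __name__ == "__main__":
    for name, cert in (("old", OLD_CERT), ("new", NEW_CERT)):
        print(name, not_before(cert).date(), "reissued:", issued_after_cutoff(cert))
```

To check a real site, call `fetch_peer_cert("example.com")` and pass the result to `issued_after_cutoff`; a `False` answer means the site has not replaced its certificate yet and a new password would be just as exposed as the old one.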