Several tech firms are urging people to change all their passwords after the discovery of a major security flaw.
The Yahoo blogging platform Tumblr has advised the public to “change your passwords everywhere – especially your high-security services like email, file storage and banking”.
Security advisers have given similar warnings about the Heartbleed Bug.
It follows news that a product used to safeguard data could be compromised to allow eavesdropping.
OpenSSL is a popular cryptographic library used to digitally scramble sensitive data as it passes to and from computer servers so that only the service provider and the intended recipients can make sense of it.
Don’t choose one obviously associated with you
Hackers can find out a lot about you from social media, so if they are targeting you specifically and you choose, say, your pet’s name, you’re in trouble.
Choose words that don’t appear in a dictionary
Hackers can precalculate the encrypted forms of every word in a dictionary and then easily reverse engineer a password drawn from it.
Use a mixture of characters
You can use a word or phrase that you can easily remember but where characters are substituted, e.g. Myd0gha2B1g3ars!
Don’t use the same details
If hackers compromise one system, you do not want them having the key to unlock all your other accounts.
Keep them safe
With lots of different login details, you may want to keep them with you. Don’t use pen and paper; use a secure password vault on your mobile.
Google Security and Codenomicon – a Finnish security company – revealed on Monday that a flaw had existed in the software for more than two years that could be used to expose the secret keys that identify service providers employing OpenSSL.
They said that if attackers made copies of these keys they could steal the names and passwords of people using the services, as well as take copies of their data and set up spoof sites that would appear legitimate because they used the stolen credentials.
They nicknamed it the Heartbleed Bug because the flaw caused the “leak of memory contents” between servers and their clients.
It is not known whether the exploit had been used before the revelation, since doing so would not leave a trail – unless the hackers published their haul online.
The BBC understands that Google warned a select number of organisations about the issue before making it public, so they could update their equipment to a new version of OpenSSL released at the start of the week.
A researcher at the University of Cambridge Computer Laboratory said it would be an overreaction to say everyone should drop what they are doing to reset all their passwords, but that those concerned should still act.
Security companies have developed tests that can reveal if a service remains vulnerable to the flaw.
“I think there is a low to medium risk that any given password has been compromised,” said Dr Steven Murdoch.
“It’s not the same as previous breaches where there’s been confirmed password lists posted to the internet. It’s not as urgent as that.
“But changing your password is very easy. So it’s not a bad idea but it’s not something people have to rush out to do unless the service recommends you do so.”
Sources: Ben Gaskell, BBC, Leo Kelion