
If you used the internet this week you should change all your passwords

Photo caption: This is about right. (Archive Photos/Getty Images)

The more we learn about the Heartbleed bug, the gaping security flaw in the widely used encryption software OpenSSL, the grimmer it gets. Here are just some of the unhappy facts that have come clear in the last 24 hours.

We’ll never know for sure who was compromised


The hours after Heartbleed was announced represented a huge window of opportunity for the bad guys. Software to exploit the vulnerability was widely available, and a lot of websites hadn’t protected themselves until recently.

Unfortunately, the Heartbleed attack leaves few fingerprints. So we may never know how many sites were attacked and whose private information was exposed. That’s why changing your password is a good precaution even if you haven’t seen any sign of your account being attacked. Someone might have captured your password and be waiting for the right moment to strike.

Lots and lots of websites were affected


We don’t have precise statistics on how many websites were affected, but the researchers who discovered the vulnerability note that two popular web servers, Apache and nginx, both used the affected version of OpenSSL. Together, these two servers account for almost two thirds of all sites on the web.

That means almost everyone on the web likely logged into a vulnerable website on Monday or Tuesday, and may have had their information exposed. Indeed, OpenSSL has had the vulnerability for about two years, so you could be at risk even if you haven’t used the Internet this week.

There’s no way to protect yourself from a vulnerable website


There are online services that let you check to see whether a website is running insecure encryption software. But if a website shows up as unsafe, the only way to protect your confidential information is not to log in.

Even if the test shows a website is safe, that doesn’t necessarily mean you’re in the clear. If an attacker previously captured a website’s encryption keys, then it may be able to eavesdrop on users even after the insecure software has been updated. So the only way to be sure you’re safe is if a website announces that it has updated its software and changed its encryption keys.
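One way to apply the "changed its encryption keys" test yourself is to look at when a site's certificate was issued: a certificate dated before the bug became public cannot reflect a key rotation done in response to it. The script below is an added example, not part of the original article; it assumes a disclosure date of 7 April 2014 and uses constructed sample certificates in the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns.

```python
import socket
import ssl
from datetime import datetime, timezone

# Assumed public disclosure date of Heartbleed. A certificate issued before
# this date cannot be the result of a post-disclosure key rotation.
HEARTBLEED_DISCLOSURE = datetime(2014, 4, 7, tzinfo=timezone.utc)


def cert_not_before(cert):
    """Return the certificate's notBefore field as a timezone-aware datetime.

    `cert` is a dict in the shape returned by ssl.SSLSocket.getpeercert().
    """
    secs = ssl.cert_time_to_seconds(cert["notBefore"])
    return datetime.fromtimestamp(secs, tz=timezone.utc)


def key_rotated_after_disclosure(cert, since=HEARTBLEED_DISCLOSURE):
    """True if the certificate was issued on or after the disclosure date.

    Caveat: a new certificate does not prove the private key changed, since a
    CA can re-sign the same key. An old certificate does prove the key was
    NOT rotated, which is the case this check is meant to flag.
    """
    return cert_not_before(cert) >= since


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Fetch the leaf certificate of a live host (needs network; not run here)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates for a hypothetical host "example.test".
OLD_CERT = {"subject": ((("commonName", "example.test"),),),
            "notBefore": "Jan 15 00:00:00 2014 GMT",
            "notAfter": "Jan 15 23:59:59 2015 GMT"}
NEW_CERT = {"subject": ((("commonName", "example.test"),),),
            "notBefore": "Apr  9 12:00:00 2014 GMT",
            "notAfter": "Apr  9 12:00:00 2015 GMT"}

if __name__ == "__main__":
    for label, cert in (("old", OLD_CERT), ("new", NEW_CERT)):
        print(label, "issued after disclosure:", key_rotated_after_disclosure(cert))
```

Against a live site, pass the result of `fetch_peer_cert(host)` to `key_rotated_after_disclosure`; a `False` result means the site's key predates the disclosure and has not been rotated.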

To make things worse, if you change your password while a site you use is still vulnerable, the bad guys might just get ahold of the new password. So you should change your passwords now, and then change them all again in a few weeks. That’s good practice anyway — and a good time to invest in a password manager like 1Password or LastPass.

This won’t be the last time users’ privacy is compromised


This has been a bad year for SSL encryption software, which underlies almost all secure sites on the web — it’s the code that makes the lock symbol appear in your browser’s menu bar. In February, a serious bug was discovered in Apple’s implementation of SSL. A serious bug was found in another SSL implementation in March. It’s a near-certainty that other vulnerabilities will be discovered in the future.

All complex software has bugs. But the stakes are higher for encryption software than most other types of software because a single error can compromise the privacy of millions of users.

We under-invest in basic security infrastructure


The Heartbleed story highlights just how central to online security the OpenSSL library has become. Thousands of organizations use it to protect the privacy of millions of users. Yet the software is developed by a small, volunteer-driven organization. The project lists just 15 developers as responsible for maintaining the software. As one security expert puts it, the team does “a hard job with essentially no pay.”

With so many organizations depending on a small, under-resourced project, mistakes were inevitable. It will cost companies and governments millions of dollars to clean up the mess created by Heartbleed. It would be good if some of those deep-pocketed organizations invested resources in helping to improve the OpenSSL code so it’s less likely to happen again.

Unfortunately, there’s a huge collective action problem. The risk of any specific company or policymaker being blamed for a security breach is low, so everyone assumes that someone else will do something about it.
