Heartbleed and passwords: don’t panic
Freedom to Tinker 2014-04-12
The Heartbleed bug has captured public attention this week like few security vulnerabilities before it. This is a good thing, as indeed this is a catastrophic flaw. Many people have focused on its impact on passwords with headlines like “Security Flaw Exposes Millions Of Passwords” and “Change these passwords right now.” Heartbleed certainly could have been used to steal millions of passwords. However, while Heartbleed gives the security community plenty of new problems to worry about, it doesn’t introduce any problems for passwords that haven’t existed for a long time and I’d discourage widespread panic about passwords.
Was/is Heartbleed used for stealing large numbers of passwords?
I doubt it, though this is impossible to rule out and the security community is still searching for and analyzing evidence of Heartbleed exploits in the wild. Heartbleed isn’t targeted, so large-scale password collection would have required a large amount of Heartbleed traffic to login servers. This would possibly have tripped intrusion-detection systems and it almost surely would have left evidence that will be found in logs sooner rather than later. Every day which passes without this evidence strengthens the likelihood that Heartbleed was never exploited at scale to steal passwords.
Furthermore, to an attacker with a zero-day exploit as powerful as Heartbleed the risk of burning it to collect mundane passwords doesn’t seem worth the benefit. It’s much more likely that Heartbleed would have been used to go after server keys, or possibly in targeted attacks after observing a specific high-value user log in somewhere. It’s possible some passwords were stolen as a byproduct of more targeted attacks, but I doubt that was on a large scale.
If Heartbleed were used to collect large numbers of passwords, wouldn’t that be a disaster?
If so, that disaster would already have occurred. Acquiring large numbers of passwords isn’t a new risk, there are regular leaks and one source has compiled over 250 million leaked passwords in the past 2 years alone. Those are just the leaks that go public. I’ve personally seen credible evidence of at least this volume of passwords in private leaks and there are probably many, many more. Of course, with Heartbleed passwords can be collected in plaintext, but most sites don’t hash at all or only do so poorly and the majority of users’ passwords are recoverable from hashes anyways.
We survive the deluge of compromised passwords because turning credentials into cash is hard. If lots of private keys were stolen with Heartbleed that would be a possibly-unprecedented disaster. Even if lots of passwords were stolen, it would be neither unprecedented nor a disaster.
What about session cookies?
Session cookies need to stay in memory for much longer than passwords, so a password-stealing attack with Heartbleed would obtain many times more session cookies as bycatch. Of course, session cookies don’t last forever and hence are less valuable to attackers. For the same reasons as above, I’d be doubtful these were collected at scale. This problem also should be fixable now with no user intervention as system administrators can revoke outstanding session cookies after upgrading their servers (though many won’t).
Should I change all of my passwords?
It wouldn’t hurt, but for the reasons above I consider it unlikely that anybody has stolen your passwords using Heartbleed. It’s more likely that they had already stolen them using another method. If you weren’t worried about that, there’s not much new reason to worry here, not to mention the complexity that changing passwords before servers are fixed won’t help. I wouldn’t recommend panic unless evidence comes out that this was exploited on a large scale. If you’re going to change a password, change the one to your email account, since that usually can be used to reset all others.
Would choosing stronger passwords have helped?
No. As is usually the case with potential password compromises, Heartbleed had nothing to do with individual passwords being good or bad. Media stories often focus on the password angle with security news, even when it’s completely irrelevant. For the most part I’d say ignore discussions of “stronger passwords” and focus on less password reuse.
Would using a password manager have helped?
Somewhat, in that they can help cut down on reuse if deployed properly. In general password managers are a great idea if you can find one that fits your browsing habits. But against Heartbleed you would have lost your passwords in exactly the same scenarios and changing them all would still be a headache (though somewhat easier in that you wouldn’t need to memorize new passwords).
Would two-factor authentication have helped?
Likely yes, although for second-factor schemes with a secret key there’s a chance the login server had to read that key into memory to verify your second factor and it could have been stolen along with your password. You’re safe if the login server called some other backend server to verify your second factor input, which may be the case for engineering reasons. In general, second-factor schemes won’t survive a complete server compromise unless your second factor is doing public-key crypto, but there’s a good chance they’re resilient in practice to Heartbleed.
Will this help rally support for replacing passwords with something more secure?
I highly doubt it. Much as we all say we’d like to replace passwords with something better, I’ve written at length about why incentives are aligned against replacing passwords on a large scale. Heartbleed adds very little to the case for replacing them. Most users probably won’t notice any direct consequences and many proposed replacements would have had security consequences from Heartbleed as well.
So is Heartbleed actually a big deal?
For the security community, absolutely yes. Fixing the problem everywhere is a major engineering challenge that will take years. There will definitely be negative real-world impact and that’s a major black eye for security engineers everywhere. For most ordinary users though, the impact is probably negligible.
If it isn’t such a big deal to me, why have I heard so much about it?
Like most security vulnerabilities, the impact of Heartbleed, particularly with regards to passwords, is likely overstated due to a number of biases:
- We prefer to be safe rather than sorry. Prospect theory suggests that we are biased towards loss aversion and avoiding potentially large negative outcomes.
- It’s easy to enumerate potential negative costs of a security vulnerability and much harder to tabulate the cost of asking millions of people to change behavior (change passwords) let alone the cost of panicking them.
- Claiming the sky is falling lets us feel our job as security engineers is important, whereas admitting that even a very bad technical flaw may not impact the outside world much has the opposite effect.
- There are always a few cases of individual grandstanding and attention-seeking and this encourages dire predictions.
- Users want to do something in response and changing passwords is one of the few things they can do. Security engineers and reporters want to tell them something they can do besides “rely on a bunch of overworked sysadmins to patch this up with duct tape.”
- Passwords are the easiest component of this for users to relate to. It’s also the easiest component to write about, much easier than trying to explain what a private key is or discuss the layout of memory on the heap.
Conclusion
Heartbleed is an embarrassing mess and it highlights some ugly facts about security infrastructure like slow patching cycles and the inability to rotate TLS keys gracefully. But it doesn’t tell us much new about passwords or suggest every password must be updated. Here’s another way to think about it: Heartbleed could have been used to steal large quantities of credit card numbers, just like passwords. But nobody is claiming that people should cancel all of their credit cards or that we need a new payment system.
If Heartbleed is a teachable moment which encourages people to change passwords or use a password manager, that’s a good thing. But passwords aren’t the main story here and even with no action Heartbleed shouldn’t have much impact on password security for the vast majority of people.