There are plenty of reasons to change passwords, and in most business settings end users are asked to change theirs every 90 days. That schedule is usually applied to people and rarely to system-to-system accounts. A recently disclosed vulnerability means that any account used against a system on the internet (specifically one serving HTTPS with a vulnerable OpenSSL, but let's not complicate the clarion call here) may be exposed and known to someone other than its owner.
On that basis alone the password should be changed, and changed now.
So if you are a person reading this …
- Pull up your accounts and methodically change each password to a fresh one (this assumes the site you are updating has already fixed the vulnerability and followed good practices internally; a new password submitted to a still-vulnerable site can leak just like the old one, but let's presume the best scenario here)
- Add a note on your calendar for 3-4 months from now to change the passwords again
If you run a technology environment that had a vulnerable OpenSSL installed (upstream versions 1.0.1 through 1.0.1f; the fix shipped in 1.0.1g), grab a cup of coffee and a sandwich, then…
- Patch first, then begin the methodical (perimeter first, working your way inward through the layers) and careful task of replacing all certificates, private keys, service credentials, and end-user account passwords. Rotating a credential on a still-unpatched host only exposes the new one.
- Write clear, plain-language explanations of the need, value, and importance of this process for your users
- Force a password reset for every user account that accesses your services.
- Log everyone out: invalidate all app sessions and web cookie sessions (revoke tokens, etc.)
- Generate a new private key, have a new SSL certificate issued on it, and revoke the old certificate. Reissuing a certificate over the old key does not help; the private key is what may have leaked.
- Review your API and third-party connections to confirm their keys and credentials have been updated, reset, and secured
- Add extra log monitoring for a while, watching in particular for attempts to use the old, now-invalid credentials
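The triage and key-rotation steps above, as an added shell example (this is not code from the original post). It assumes the affected upstream OpenSSL range is 1.0.1 through 1.0.1f plus the 1.0.2 betas, and the file names and the CN "www.example.com" are hypothetical. The version check is deliberately only a first filter, since distributions backport the fix without bumping the version string; the key-rotation helper exists because reissuing a certificate on the old key is the most common mistake in this exercise.

```shell
#!/bin/sh
# Added example (not from the original post): helpers for post-Heartbleed triage.
# Assumptions not stated on the page: affected upstream versions are OpenSSL
# 1.0.1 through 1.0.1f (fixed in 1.0.1g) plus 1.0.2-beta/beta1; file names and
# the CN "www.example.com" are hypothetical.

# Pull the bare version out of an "openssl version" banner such as
# "OpenSSL 1.0.1e 11 Feb 2013" -> "1.0.1e".
openssl_version_from_banner() {
    printf '%s\n' "$1" | awk '{ print $2 }'
}

# Return 0 (true) when an upstream version string falls in the affected range.
# Caveat: distributions backport the fix without changing the version (a patched
# package can still report 1.0.1e), so a match means "check the package
# changelog or test the host", not "proven vulnerable".
heartbleed_affected_version() {
    case "$1" in
        1.0.1|1.0.1[a-f]|1.0.2-beta|1.0.2-beta1) return 0 ;;
        *) return 1 ;;
    esac
}

# Generate a brand-new 2048-bit RSA private key ($2) and a CSR ($3) for CN $1.
# Reissuing a certificate over the OLD key does nothing: the key is what may
# have leaked, so fresh key material is the whole point.
rotate_keypair() {
    cn=$1; key=$2; csr=$3
    openssl genrsa -out "$key" 2048 2>/dev/null &&
    openssl req -new -key "$key" -out "$csr" -subj "/CN=$cn" 2>/dev/null
}

# Return 0 when $1 and $2 are different RSA private keys (different modulus),
# i.e. the rotation really produced new key material rather than a re-signed
# copy of the old key.
keys_differ() {
    a=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
    b=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$a" ] && [ -n "$b" ] && [ "$a" != "$b" ]
}

# Demo when invoked directly:  sh triage.sh run
if [ "${1:-}" = "run" ]; then
    v=$(openssl_version_from_banner "$(openssl version)")
    if heartbleed_affected_version "$v"; then
        echo "OpenSSL $v is in the affected range; verify the package is patched"
    else
        echo "OpenSSL $v is outside the affected range"
    fi
    tmp=$(mktemp -d)
    rotate_keypair www.example.com "$tmp/old.key" "$tmp/old.csr"
    rotate_keypair www.example.com "$tmp/new.key" "$tmp/new.csr"
    keys_differ "$tmp/old.key" "$tmp/new.key" && echo "fresh key generated"
    rm -rf "$tmp"
fi
```

Run it with the `run` argument on each host as you work inward from the perimeter; a host that reports an affected version needs its package changelog checked before any credential on it is rotated, and the CSR produced by `rotate_keypair` is what goes to your CA for the replacement certificate.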
All of this is prompted by the Heartbleed.com disclosure (CVE-2014-0160), but let's not get technical here. These are good practices regardless; now that the probability of exposure has moved above 'unlikely', they are a timely habit to re-embrace.