Many computer users are facing this dilemma following the discovery of the potent Heartbleed bug, which has opened the door for hackers to enter two-thirds of websites around the world.
Security experts have advised that passwords be changed after an affected website has been patched to get rid of the bug.
But many of the highly popular websites reportedly affected by Heartbleed appear to have left users in the dark as to whether they need to take action.
Google, for instance, said that it fixed the bug early, applying patches to key Google services such as Search, Gmail, YouTube, Wallet, Play, Apps and App Engine.
It announced the move in a blog post on Wednesday and, when contacted, told The Straits Times yesterday: “Google users do not need to change their passwords.”
Its failure to inform Gmail account holders infuriates users like Mr Aaron Koh, 37, who said he does not track vendors’ blog posts.
“The very least Google could have done is to update users via an e-mail,” said the marketing manager.
Agreeing, engineer John Wong, 36, said websites should be proactive and inform users of any vulnerability.
“A lot of websites let users log in via their Google or Facebook accounts,” he noted, adding that it was how he would log into book-sharing site Goodreads.
He was among many who learnt from the media of the need to change their usernames and passwords when accessing sites such as Facebook, Yahoo Mail, GoDaddy, Instagram, Tumblr and Dropbox.
Websites reportedly affected by Heartbleed include e-mail service providers Gmail and Yahoo Mail, GoDaddy poll management service, social networks Tumblr and Instagram, as well as file-sharing service Dropbox.
The bug, which has been lurking undetected for more than two years, is found in computer code called OpenSSL.
This code is designed to secure data on websites but the flaw lets hackers pull data, including passwords, from the affected server’s working memory.
“This is why usernames and passwords become unsafe, and should be changed after services have been fixed and if the service provider instructs users to change the passwords,” said Mr Ari Takanen, chief technology and research officer at Finnish security firm Codenomicon, which helped uncover the bug.
Mr Tan Shong Ye, IT risk and cyber-security leader at consulting firm PricewaterhouseCoopers Singapore, said website operators may still be assessing the potential damage.
It is the reason they have not sent out a notice asking users to change their passwords.
“It may take days to completely patch the security loophole and assess the sensitive information that may be leaked,” Mr Tan added.
Dr Calvin Chan, head of the business programme at SIM University’s School of Business, has this advice for users: “Play a part in having the discipline to update (your) passwords regularly.”
Source: The Straits Times © Singapore Press Holdings Limited. Reproduced with permission.