February 22, 2017

Heartbleed and passwords: don't panic

The Heartbleed bug has captured public attention this week like few security vulnerabilities before it. This is a good thing, as indeed this is a catastrophic flaw. Many people have focused on its impact on passwords with headlines like “Security Flaw Exposes Millions Of Passwords” and “Change these passwords right now.” Heartbleed certainly could have been used to steal millions of passwords. However, while Heartbleed gives the security community plenty of new problems to worry about, it doesn’t introduce any problems for passwords that haven’t existed for a long time and I’d discourage widespread panic about passwords.
Was/is Heartbleed used for stealing large numbers of passwords?
I doubt it, though this is impossible to rule out and the security community is still searching for and analyzing evidence of Heartbleed exploits in the wild. Heartbleed isn’t targeted, so large-scale password collection would have required a large amount of Heartbleed traffic to login servers. This would possibly have tripped intrusion-detection systems and it almost surely would have left evidence that will be found in logs sooner rather than later. Every day which passes without this evidence strengthens the likelihood that Heartbleed was never exploited at scale to steal passwords.
Furthermore, to an attacker with a zero-day exploit as powerful as Heartbleed the risk of burning it to collect mundane passwords doesn’t seem worth the benefit. It’s much more likely that Heartbleed would have been used to go after server keys, or possibly in targeted attacks after observing a specific high-value user log in somewhere. It’s possible some passwords were stolen as a byproduct of more targeted attacks, but I doubt that was on a large scale.
If Heartbleed were used to collect large numbers of passwords, wouldn’t that be a disaster?
If so, that disaster would already have occurred. Acquiring large numbers of passwords isn’t a new risk, there are regular leaks and one source has compiled over 250 million leaked passwords in the past 2 years alone. Those are just the leaks that go public. I’ve personally seen credible evidence of at least this volume of passwords in private leaks and there are probably many, many more. Of course, with Heartbleed passwords can be collected in plaintext, but most sites don’t hash at all or only do so poorly and the majority of users’ passwords are recoverable from hashes anyways.
We survive the deluge of compromised passwords because turning credentials into cash is hard. If lots of private keys were stolen with Heartbleed that would be a possibly-unprecedented disaster. Even if lots of passwords were stolen, it would be neither unprecedented nor a disaster.
What about session cookies?
Session cookies need to stay in memory for much longer than passwords, so a password-stealing attack with Heartbleed would obtain many times more session cookies as bycatch. Of course, session cookies don’t last forever and hence are less valuable to attackers. For the same reasons as above, I’d be doubtful these were collected at scale. This problem also should be fixable now with no user intervention as system administrators can revoke outstanding session cookies after upgrading their servers (though many won’t).
Should I change all of my passwords?
It wouldn’t hurt, but for the reasons above I consider it unlikely that anybody has stolen your passwords using Heartbleed. It’s more likely that they had already stolen them using another method. If you weren’t worried about that, there’s not much new reason to worry here, not to mention the complexity that changing passwords before servers are fixed won’t help. I wouldn’t recommend panic unless evidence comes out that this was exploited on a large scale. If you’re going to change a password, change the one to your email account, since that usually can be used to reset all others.
Would choosing stronger passwords have helped?
No. As is usually the case with potential password compromises, Heartbleed had nothing to do with individual passwords being good or bad. Media stories often focus on the password angle with security news, even when it’s completely irrelevant. For the most part I’d say ignore discussions of “stronger passwords” and focus on less password reuse.
Would using a password manager have helped?
Somewhat, in that they can help cut down on reuse if deployed properly. In general password managers are a great idea if you can find one that fits your browsing habits. But against Heartbleed you would have lost your passwords in exactly the same scenarios and changing them all would still be a headache (though somewhat easier in that you wouldn’t need to memorize new passwords).
Would two-factor authentication have helped?
Likely yes, although for second-factor schemes with a secret key there’s a chance the login server had to read that key into memory to verify your second factor and it could have been stolen along with your password. You’re safe if the login server called some other backend server to verify your second factor input, which may be the case for engineering reasons. In general, second-factor schemes won’t survive a complete server compromise unless your second factor is doing public-key crypto, but there’s a good chance they’re resilient in practice to Heartbleed.
Will this help rally support for replacing passwords with something more secure?
I highly doubt it. Much as we all say we’d like to replace passwords with something better, I’ve written at length about why incentives are aligned against replacing passwords on a large scale. Heartbleed adds very little to the case for replacing them. Most users probably won’t notice any direct consequences and many proposed replacements would have had security consequences from Heartbleed as well.
So is Heartbleed actually a big deal?
For the security community, absolutely yes. Fixing the problem everywhere is a major engineering challenge that will take years. There will definitely be negative real-world impact and that’s a major black eye for security engineers everywhere. For most ordinary users though, the impact is probably negligible.
If it isn’t such a big deal to me, why have I heard so much about it?
Like most security vulnerabilities, the impact of Heartbleed, particularly with regards to passwords, is likely overstated due to a number of biases:
  • We prefer to be safe rather than sorry. Prospect theory suggests that we are biased towards loss aversion and avoiding potentially large negative outcomes.
  • It’s easy to enumerate potential negative costs of a security vulnerability and much harder to tabulate the cost of asking millions of people to change behavior (change passwords) let alone the cost of panicking them.
  • Claiming the sky is falling lets us feel our job as security engineers is important, whereas admitting that even a very bad technical flaw may not impact the outside world much has the opposite effect.
  • There are always a few cases of individual grandstanding and attention-seeking and this encourages dire predictions.
  • Users want to do something in response and changing passwords is one of the few things they can do. Security engineers and reporters want to tell them something they can do besides “rely on a bunch of overworked sysadmins to patch this up with duct tape.”
  • Passwords are the easiest component of this for users to relate to. It’s also the easiest component to write about, much easier than trying to explain what a private key is or discuss the layout of memory on the heap.
Heartbleed is an embarrassing mess and it highlights some ugly facts about security infrastructure like slow patching cycles and the inability to rotate TLS keys gracefully. But it doesn’t tell us much new about passwords or suggest every password must be updated. Here’s another way to think about it: Heartbleed could have been used to steal large quantities of credit card numbers, just like passwords. But nobody is claiming that people should cancel all of their credit cards or that we need a new payment system.
If Heartbleed is a teachable moment which encourages people to change passwords or use a password manager, that’s a good thing. But passwords aren’t the main story here and even with no action Heartbleed shouldn’t have much impact on password security for the vast majority of people.


  1. Daniel Faigin says:

    Thank you! I’ve been saying the same thing to my friends for a few days now (see http://cahighways.org/wordpress/?p=9217 ). I’d say this is yet another example of the media misunderstanding risks and exposures, but we’ve had folks like Bruce S. saying this is an 11 on a scale of 1 to 10. Perhaps for the site owners, yes. But for the average user, the exposure really hasn’t been all that broad. Thanks again!

    • Jonathan Guerin says:

      For someone like Schneier, it is a huge deal – remember that his focus is on the security of the Internet as a whole. A vulnerability like this would allow a State Actor the unwarranted surveillance that we’ve been discussing for a while now. In that context, I wouldn’t call it quite an ’11’ (that would be a mathematical break of the core ciphers that we use), but it’s definitely a ‘9’.

  2. Onno Benschop says:

    If only the multitude of “experts” blogging and talking about #heartbleed were actually communicating what you have said, the world would be a little less afraid and a little more informed.

    Thank you.

  3. James W Sexton II says:

    I’m just the average consumer. Except I love learning about everything a probably have just enough knowledge on a subject to get me in trouble.

    I was under the impression this was pretty serious (11 on the scale of 10) due to the articles just like everyone has referenced. Then there seemed to be quite a bit of yelling from the roof tops of “FUD”. And then I got the distinct impression from the CloudFlare challenge that they were quite indignant and incredulous over the whole thing. But we all know now that it’s not impossible to get the private server keys.

    That seems pretty bad to me. Can’t servers be impersonated using server keys? Has something to do with certificates I think.

    There is a good chance your response will be over my head. If you could keep it on the level of a TED talk or Kahn Academy lesson, I’d appreciate it. 😀

  4. I think you’re right that, on average, most users’ passwords weren’t exposed, because users typically log in to their sites once, then never enter their password again.

    That “never enter their password again” is crucial, because it means that the relevant session cookies remain valid on the server for a very long time. Thirty days seems to be common, and it’s not uncommon for a cookie to be valid until it is explicitly invalidated.

    Generally speaking, most sites do not offer an option to explicitly invalidate outstanding session cookies, but most will do it automatically on a password change. To my understanding, that is the main reason we as security practitioners should be encouraging users to change their passwords: Not because their passwords were exposed, but because their session cookies were.

  5. 2FA doesn’t help at all if your session cookies are stolen. Yahoo usernames/passwords were stolen in bulk on the day the news broke. Examples were all over Twitter.

  6. Tim Newsham says:

    You don’t need to use this vulnerability to repeatedly collect passwords. You just need to use it once (still making many many requests, however) to get the server keys (unless your target is using PFS, which most people are not). Then you can passively gather all the information you wish, including passwords and other content.

    What sort of IDS rules do you anticipate would have caught heartbleed traffic and raised a flag? What sort of strange evidence do you expect to see in log files that would be noticed?