A lot of folks are going around at the moment telling the public to change all of their passwords in response to the serious Heartbleed internet security bug.

For instance, here's what the Tumblr website (owned by Yahoo) has told its users: "This might be a good day to call in sick and take some time to change your passwords everywhere - especially your high-security services like email, file storage, and banking, which may have been compromised by this bug"

That's awful advice.

You should only change your password in response to the Heartbleed bug after a website or internet company has:

  1. Checked to see if it is vulnerable
  2. Patched its systems
  3. Grabbed a new SSL certificate
  4. Told you it is fixed

Ideally they would initiate a mandatory change of passwords at that point. (By the way, when you do change your password, remember to also enable two factor authentication if the website or service offers it - as it will increase your overall level of security in the long run).

The danger is that if you change your passwords before a website has been fixed, you might actually be exposing your credentials to greater risk of being snarfled up by people exploiting the vulnerability in the buggy versions of OpenSSL.

Don't forget - there are an awful lot more people now testing to see how well the vulnerability can be exploited now that details are public.

Sadly, mainstream media are proving to be a little guilty of parroting the advice of the likes of Tumblr.

Check out this BBC News article, for instance, entitled "Heartbleed Bug: Tech firms urge password reset". You have to scroll way down the article before you realise that actually you shouldn't change all your passwords, but instead wait until a website has fixed the flaw.

And, if a website you use hasn't made clear if they have fixed the problem (or indeed if they were ever vulnerable) then the best thing you can do is badger them into telling you.

This article was originally posted at Graham Cluley's blog.