Heartbleed OpenSSL Bug and 1Password

Another day, another vulnerability. This one is scary. It's called Heartbleed and it's a problem with OpenSSL.  It allows the skimming of information that would normally be protected by SSL/TLS encryption.  You can find more information at heartbleed.com along with a comprehensive list of frequently asked questions. The good news is  there is a fix but we're going to have to wait for venders, distributors and administrators to adopt it.

As usual, the folks at AgileBits have done a comprehensive summary on their blog, as well as breaking down what this vulnerability means to 1Password users. While having strong unique passwords for all your various sites certainly helps in circumstances like this, inputing your passwords in a compromised site could make make them susceptible.

From AgileBIts Blog: Imagine no SSL encryption, it’s scary if you try:

Your 1Password data remains safe, as does your 1Password Master Password. But whether or not you use 1Password to log into an affected site or service, your username and password, along with everything else that happens over that supposedly encrypted connection, may be exposed to attackers.

You will, at some point, need to change a lot of passwords. But don’t rush to do that just yet. Not every server is affected, and those that are need to fix things at their end before you change your password. If you change your password before the servers fix things, then your new password will also be vulnerable to capture.

All that most of us can do is wait at this point. Presumably, various service providers will announce over the next few days when and whether users should change passwords or be aware that other confidential information may have been exposed.

If you're a user of 1Password Anywhere, be sure you read the additional information concerning Dropbox and Heartbleed on the AgileBits blog. For now, seems the best advice is to hang tight, be mindful of where you've been on the web and be prepared to change your passwords soon. Also, trust no one

Disclosure: 1Password is a sponsor of Mac Power Users