Skip to main content

Originally published Friday, April 25, 2014 at 4:29 PM

  • Share:
  • Comments (0)
  • Print

Heartbleed fallout: It’s time to change most passwords

The big question is which passwords to change. Mashable has put together of major services, like Facebook and Tumblr, noting whether they were affected and if a fix is in place.

Special to The Seattle Times


Practical Mac

I suppose it’s fitting that the most serious security issue facing Apple customers right now also has a great logo.

You’ve probably heard about the Heartbleed vulnerability and seen its iconic logo: a simple red outline in the shape of a heart with a few drips running down (). The problem was a small bit of incorrect code in OpenSSL, a widely used framework for encrypting online communications, potentially exposing information we thought was secure. How does it affect Mac and iOS users?

The tiny bit of good news is that Apple’s operating systems weren’t affected by Heartbleed (although Apple uses OpenSSL, it employs an older version that doesn’t include the bad code). The large bit of bad news is that you do need to change most of your online passwords.

But which ones? If you change the password for a service that has not yet implemented a fix, attackers could still get your new password. (Most sites should have patched their systems by now, but I’m realistic enough to assume that’s probably not the case.)

Mashable has put together a good list of major services, like Facebook and Tumblr, noting whether they were affected and if a fix is in place.

Of course, if you’re like me, you have hundreds of passwords. At least, you should by now. The days of using a single password across multiple sites are long gone.

And the best way to manage them all is using dedicated software such as 1Password () or LastPass ().

1Password for Mac costs $49.99 for a single license or $69.99 for a 5-user family license, and 1Password for iOS costs $17.99 (although all prices are 50 percent off through April 27). LastPass is available in a free version or a premium version that costs $12 per year.

Both companies responded to Heartbleed with ways to check whether sites you use are vulnerable. The 1Password Watchtower () and the LastPass Heartbleed Checker () checks any site address you enter and reports on the Heartbleed patch status.

I use 1Password, which was updated this week for both OS X and iOS. Heartbleed prompted me to take advantage of the software’s Security Audit feature in the OS X version.

Since the app knows all the passwords and other private numbers (like software licenses, encrypted notes, and the like) you’ve entered, the Security Audit identifies weak passwords, sites with duplicate passwords, and passwords that are 6 to 12 months old, 1 to 3 years old, and more than 3 years old.

I have 663 items in my 1Password vault, and even though I thought I was doing well in updating passwords in general, I was embarrassed to see how many sites list a single, older password I used.

Many of those are defunct sites or ones I haven’t visited in years, but a few were ones that I hadn’t realized were using the old password.

Another welcome feature I’ve started taking advantage of is shared vaults.

My wife and I both use 1Password, but there’s overlap for some of the websites we share, such as a joint bank account, credit card, Netflix and a couple of personal blog sites. Updating those passwords causes our data to get out of sync in our respective 1Password vaults.

So I set up a shared vault that syncs with all of our devices via Dropbox. I didn’t have to re-enter information, which would immediately kill such an endeavor. Any item can be shared via email, text message, AirDrop (Apple’s technology for transferring documents between devices), and between vaults.

Also, not to be morbid, but I also included my 1Password master password in our shared vault so that if I were to unexpectedly die, my wife would be able to access all of my accounts.

It’s unfortunate that in this regard, we all have to become technical just to interact with companies and services online, and that the interaction is a prime target for attackers. Having dedicated tools like 1Password and LastPass definitely help to not only keep us secure but also organized, too.

Jeff Carlson writes the Practical Mac column for Personal Technology and about technology in general for The Seattle Times and other publications. Send questions to More Practical Mac columns at

Four weeks for 99 cents of unlimited digital access to The Seattle Times. Try it now!

News where, when and how you want it

Email Icon

Relive the magic

Relive the magic

Shop for unique souvenirs highlighting great sports moments in Seattle history.


About Practical Mac | Jeff Carlson

Mac owners, this is for you. Practical Mac explores Apple's new software offerings, hardware upgrades and more. Appears every other Saturday.


The Seattle Times

The door is closed, but it's not locked.

Take a minute to subscribe and continue to enjoy The Seattle Times for as little as 99 cents a week.

Subscription options ►

Already a subscriber?

We've got good news for you. Unlimited content access is included with most subscriptions.

Subscriber login ►
The Seattle Times

To keep reading, you need a subscription upgrade.

We hope you have enjoyed your complimentary access. For unlimited access, please upgrade your digital subscription.

Call customer service at 1.800.542.0820 for assistance with your upgrade or questions about your subscriber status.

The Seattle Times

To keep reading, you need a subscription.

We hope you have enjoyed your complimentary access. Subscribe now for unlimited access!

Subscription options ►

Already a subscriber?

We've got good news for you. Unlimited content access is included with most subscriptions.

Activate Subscriber Account ►