The Heartbleed bug has been causing mayhem this week, and many a headache has been felt in IT departments the world over. Second Life users were obviously concerned about this, and Linden Lab have produced a blog post relevant to Second Life: Account Safety and the Heartbleed OpenSSL Bug.
There's some really good news from the Lab about this:
You do not need to take extra action to secure your Second Life password if you have not used the same password on other websites. Your Second Life password was not visible via Heartbleed server memory exposure. No secondlife.com site that accepts passwords had the vulnerable SSL heartbeat feature enabled.
However, it should be noted that Second Life properties were not immune to this issue, as the blog post explains:
Supporting sites such as Second Life profiles are hosted on cloud hosting services. Some of these sites were previously vulnerable to Heartbleed, which may have exposed one of these servers’ certificates. As an extra precaution, we are in the process of replacing our SSL certificates across the board. This change will be fully automatic in standard web browsers.
Initially this may seem confusing, but logging in to Second Life profiles is done via the main website login rather than a login directly on those servers, so the initial advice that there's no need to take extra action stands.
However, there is one circumstance in which you may want to change your Second Life password: if you use that very same password on another site that may have had login information exposed.
In the blog post, Linden Lab offer the following sensible guidance:
If you used the same password for Second Life that you used on a third-party site, and if that third-party site may have been affected by the vulnerability, you should change your password.
Generally, the advice on passwords is to change them regularly and to use different passwords on different sites. We all know that in practice people find this difficult. However, passwords are an issue we should all take care with. Back in 2009 Jeska Linden blogged: Is your password safe? That blog post contains some great password tips, such as:
- No real words = important.
- Long passwords = essential.
- Mixed case = good.
- Misspelled = better.
- Added numerals and symbols = best.
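As an added example (my own code, not from the post or from Linden Lab), here is a small Python checker that scores a candidate password against the five tips above. The word list is a constructed stand-in for the 2009 "worst passwords" list, the 12-character threshold for "long" is an assumption, and so is the rule that predictable substitutions like "P@ssw0rd" do not count as a real misspelling:

```python
import string

# Constructed stand-in word list (assumption: not the real 2009 "500 worst
# passwords" list the post links to, nor a full dictionary).
COMMON_WORDS = {"password", "dragon", "monkey", "letmein", "welcome",
                "qwerty", "secondlife", "linden"}

# Predictable character substitutions that password-cracking rule sets try first.
# Assumption: a "misspelling" made only of these is treated as the real word.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def contains_real_word(pw):
    """True if a listed word appears directly or after undoing leet substitutions."""
    lower = pw.lower()
    candidates = (lower, lower.translate(LEET))
    return any(word in cand for word in COMMON_WORDS for cand in candidates)


def check_password(pw, min_length=12):
    """Check the five tips; each key is True when the candidate meets that tip."""
    return {
        "no_real_words": not contains_real_word(pw),        # no real words, misspelled
        "long": len(pw) >= min_length,                      # long (12 is an assumption)
        "mixed_case": any(c.islower() for c in pw) and any(c.isupper() for c in pw),
        "numerals_and_symbols": any(c.isdigit() for c in pw)
                                and any(c in string.punctuation for c in pw),
    }


def is_strong(pw, min_length=12):
    """A candidate is strong only when every tip is met."""
    return all(check_password(pw, min_length).values())


if __name__ == "__main__":
    # Constructed sample candidates: the first three fail, the last passes.
    for candidate in ["P@ssw0rd", "secondlife2009", "Dr4g0nSl4yer!!", "Xq7!vLp2#mNz"]:
        print(candidate, check_password(candidate), "strong" if is_strong(candidate) else "weak")
```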
That post is well worth a read; it also contains a link to what back in 2009 were considered the 500 worst passwords, and there's a lot more useful information in it. Linden Lab also offer more advice on passwords on the Wiki: Linden Lab Official:Password Protection.
While Linden Lab have issued guidance that no further action is required, this may still be a good time to set your Second Life password to a more secure one, or to get into the habit of changing your password regularly.
Hi, I was told by a friend that you should NOT change your password on a compromised site UNTIL they have patched the site, since doing so would expose your new password and make it obvious that it is being changed. It's sort of a Catch-22, but he's pretty up on security stuff.
Your friend is correct.