Researchers recently announced a security vulnerability ("Heartbleed") in OpenSSL, affecting security on more than 66 percent of websites around the globe. UM did have servers affected by this bug, and subsequently installed patches and updated security certificates to fix this vulnerability.
What employees need to do
The University of Montana is requiring that all employees change their NetID password by 11:59 PM on April 21, 2014.
You can select a new password by logging in to the UM login page and selecting the "Change Password" icon located at the bottom of the page.
Keep in mind that you will need to enter the new password into software and devices that had been automatically connecting, such as UMWPA wireless, and some e-mail clients.
Don't delay. Change your password now. If you wait until April 22, your current password will expire, and you will have to change your password via the "Security Question".
If you've changed your NetID password since April 9, you do not need to change it again, and your password will not expire on April 22.
What students need to do
We will not force password changes for student NetID accounts, but we do recommend that you change your password if you've not done so since April 9.
Implications for non-UM logins
As mentioned above, the Heartbleed bug affected approximately two-thirds of the secure web servers on the internet, so odds are high that some of your non-UM logins could have been compromised. The following sites are all believed to have been compromised: Google (including Gmail), Yahoo (including Yahoo Mail), Facebook, Instagram, Pinterest, Tumblr, Dropbox.
A more comprehensive list of sites and their status related to Heartbleed can be found at The Heartbleed Hit List. Check your sites against this list, and if they have not patched the flaw, avoid logging in to their service until they do. Once they confirm they have fixed the problem, change your password for that particular site.
Beware of imposters
Scammers are already hard at work sending false "change your password" messages via e-mail. If you receive a message to change your password, do not click any links in the message. Instead, visit the site as you normally would via your browser, and change your password once you verify that you are on the correct site.
There are many great articles on the implications and details of the Heartbleed bug. Here are just a few:
- CODENOMICON: The Heartbleed Bug (original announcement)
- Christina Warren: Why Heartbleed Is the Ultimate Web Nightmare (mashable.com)
- Stephen Shankland: 'Heartbleed' bug undoes Web encryption, reveals Yahoo passwords (cnet.com)
- Gail Sullivan: Heartbleed: What you should know (Washington Post)
- Steven J. Vaughan-Nichols: Heartbleed: Serious OpenSSL zero day vulnerability revealed (zdnet.com)