
Heartbleed: Why changing your password is the worst advice EVER

Security experts say 'don’t listen to Tumblr'.

By Ben Sullivan

Following the massive Heartbleed computer vulnerability that was discovered this week, websites susceptible to the bug have advised users to change their passwords to keep secure.

Tumblr, a blogging platform owned by Yahoo, told its users: "This might be a good day to call in sick and take some time to change your passwords everywhere, especially your high-security services like email, file storage, and banking, which may have been compromised by this bug."

Graham Cluley, a British IT security expert, said on his website that this is "awful advice."

He went on to advise that you "should only change your password in response to the Heartbleed bug after a website or internet company has 1. Checked to see if it is vulnerable, 2. Patched its systems, 3. Grabbed a new SSL certificate (having revoked their previous one), and 4. Told you it is fixed."

The argument is that if users change their passwords before a website has actually been fixed, the new password can be exposed just as the old one was, because opportunistic attackers are still exploiting Heartbleed against the unpatched site.

A cyber security chief at the Institution of Engineering and Technology, Hugh Boyes, also said: "Changing the password before the bug is fixed could compromise your new password."


Microsoft software architect Troy Hunt also advised on his Twitter account that the popular method of checking whether a website is Heartbleed-vulnerable is not at all trustworthy.

Hunt said: "Let me make this graphically explicit: top test run 1st, bottom one 5 secs later. Don’t rely on []."
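Cluley's four conditions and Hunt's warning about flapping test results can be combined into one defender-side decision: a user (or a helpdesk) should only be told to rotate a password once external probes have reported "not vulnerable" consistently over a period of time, the site has been patched, and the certificate now being served was issued after that patch and the old one revoked. The following is an added example written for this article, not code from Tumblr, Cluley or Hunt; the SiteStatus fields, the probe data and the thresholds are constructed assumptions, and the probes model whatever scanner is being used rather than implementing a Heartbleed test themselves.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class SiteStatus:
    """Hypothetical record of what a site operator has done (constructed for this example)."""
    patched_at: Optional[datetime]       # when the vulnerable OpenSSL build was replaced
    cert_issued_at: Optional[datetime]   # notBefore of the certificate currently served
    old_cert_revoked: bool               # whether the pre-patch certificate was revoked
    announced_fixed: bool                # whether the operator has told users it is fixed


Probe = Tuple[datetime, bool]  # (time of test, True if the scanner reported "vulnerable")


def consistently_not_vulnerable(probes: List[Probe],
                                min_consecutive: int = 3,
                                min_span: timedelta = timedelta(minutes=5)) -> bool:
    """Hunt's point: one probe result means little when the next one, seconds later, disagrees.

    Accept a site as not vulnerable only if the most recent `min_consecutive` probes all
    said "not vulnerable" AND those probes are spread over at least `min_span` of wall time.
    """
    ordered = sorted(probes, key=lambda p: p[0])
    if len(ordered) < min_consecutive:
        return False
    tail = ordered[-min_consecutive:]
    if any(vulnerable for _, vulnerable in tail):
        return False
    return tail[-1][0] - tail[0][0] >= min_span


def safe_to_change_password(status: SiteStatus, probes: List[Probe]) -> Tuple[bool, str]:
    """Cluley's four conditions, checked in order; returns (decision, reason)."""
    # 1. Checked to see if it is vulnerable (and the answer is a stable "no").
    if not consistently_not_vulnerable(probes):
        return False, "probes still report vulnerable, or are not yet consistent over time"
    # 2. Patched its systems.
    if status.patched_at is None:
        return False, "site has not been patched"
    # 3. Grabbed a new certificate after patching, and revoked the old one.
    #    A certificate issued before the patch was served while its key could have leaked.
    if status.cert_issued_at is None or status.cert_issued_at <= status.patched_at:
        return False, "certificate was not reissued after patching"
    if not status.old_cert_revoked:
        return False, "old certificate has not been revoked"
    # 4. Told you it is fixed.
    if not status.announced_fixed:
        return False, "operator has not confirmed the fix"
    return True, "ok: rotate the password now"


# Constructed sample data. FLAPPING mirrors Hunt's screenshot: results that flip within seconds.
T0 = datetime(2014, 4, 8, 12, 0, 0)
FLAPPING: List[Probe] = [(T0, False), (T0 + timedelta(seconds=5), True),
                         (T0 + timedelta(seconds=10), False)]
STEADY: List[Probe] = [(T0 + timedelta(minutes=m), False) for m in (0, 3, 6, 9)]

PATCHED_OLD_CERT = SiteStatus(patched_at=T0, cert_issued_at=T0 - timedelta(days=30),
                              old_cert_revoked=False, announced_fixed=True)
FULLY_FIXED = SiteStatus(patched_at=T0, cert_issued_at=T0 + timedelta(hours=2),
                         old_cert_revoked=True, announced_fixed=True)

if __name__ == "__main__":
    for name, status, probes in [("patched, old cert, steady probes", PATCHED_OLD_CERT, STEADY),
                                 ("fully fixed, flapping probes", FULLY_FIXED, FLAPPING),
                                 ("fully fixed, steady probes", FULLY_FIXED, STEADY)]:
        ok, reason = safe_to_change_password(status, probes)
        print(f"{name}: {'SAFE' if ok else 'WAIT'} ({reason})")
```

The ordering matters: a site that has patched but still serves its pre-patch certificate fails step 3 even though a scanner reports it clean, which is exactly the case where a freshly chosen password would be protected by a key that may already have been extracted.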


Once a website has been confirmed safe, it is a good idea to follow our how-to on making secure passwords here. Making passwords long and complex, not reusing the same password across sites, changing passwords regularly, and enabling two-factor authentication are all reliable ways to keep your accounts secure.
