Ask HN: Who's willing to reset user passwords in response to heartbleed?
4 points by jmathai on April 10, 2014 | 3 comments
I'm struggling to know what the right decision is for our users. My gut says we should reset everyone's password and put them through the password reset flow.

Most of the emails I've received have been suggestions to do so with the exception of an email from Optimizely.

Is there a sound argument to not reset passwords? I realize it's a pain for users and we've been trained to avoid adding friction at all costs. When is there an exception to that rule? And is it heartbleed?



I decided not to reset passwords for everyone on my web service.

Instead, I sent out a security alert email to everyone with links to the ArsTechnica article http://arstechnica.com/security/2014/04/critical-crypto-bug-... and the Heartbleed bug site http://heartbleed.com/ for more information, and a link to our password reset page.

We also have a security alert on the user dashboard that they see after logging into our system.


A better method might be next time they come onto the site and log in (or if they are already logged in), put up a stop page (similar to a paywall message) warning them in plain English of what happened and strongly recommend a password change. Make it easy for them to skip or X out of the box.

I think forcing users to change passwords, or taking a passive email stance when there is a chance most might not read their email, are both not ideal solutions.


In addition, their email could be compromised, so resetting in the app after a login is preferable, I think.
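The two comments above describe a post-login stop page that recommends a password change, can be skipped, and does not depend on the user reading email. The following is an added example of that decision logic written for this page; it is not code from any commenter. It assumes a constructed patch-completion timestamp (the moment OpenSSL was updated and the TLS certificate re-issued), a hypothetical `User` record that stores when the password was last changed and when the notice was last dismissed, and three constructed sample users.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Assumed (constructed for this example): when the operator finished patching
# OpenSSL and rotating its certificate. Any password that was in use before
# this moment could have been exposed by Heartbleed.
PATCH_COMPLETED_AT = datetime(2014, 4, 8, 12, 0, tzinfo=timezone.utc)


@dataclass
class User:
    """Hypothetical account record with the two timestamps the check needs."""
    username: str
    password_changed_at: datetime
    interstitial_dismissed_at: Optional[datetime] = None


def needs_reset_prompt(user: User) -> bool:
    """Show the stop page only if the password predates the patch and the
    user has not already skipped this particular notice."""
    if user.password_changed_at >= PATCH_COMPLETED_AT:
        return False  # changed after the fix: nothing to recommend
    dismissed = user.interstitial_dismissed_at
    if dismissed is not None and dismissed >= PATCH_COMPLETED_AT:
        return False  # user chose "skip" for this incident; do not nag
    # A dismissal from before the patch refers to an older notice and
    # does not count, so the prompt is shown again.
    return True


def after_login(user: User) -> str:
    """Route chosen right after a successful login (in-app, not email)."""
    return "interstitial" if needs_reset_prompt(user) else "dashboard"


def dismiss(user: User, now: datetime) -> None:
    """User clicked the X on the stop page; remember it for this incident."""
    user.interstitial_dismissed_at = now


def change_password(user: User, now: datetime) -> None:
    """Password rotated; the record now postdates the patch."""
    user.password_changed_at = now


def run_demo() -> dict:
    """Walk three constructed users through login and return the routes chosen."""
    now = datetime(2014, 4, 10, 9, 0, tzinfo=timezone.utc)
    alice = User("alice", password_changed_at=datetime(2014, 1, 5, tzinfo=timezone.utc))
    bob = User("bob", password_changed_at=datetime(2014, 4, 9, tzinfo=timezone.utc))
    carol = User("carol",
                 password_changed_at=datetime(2013, 11, 1, tzinfo=timezone.utc),
                 # dismissed an unrelated notice months before the patch
                 interstitial_dismissed_at=datetime(2014, 2, 1, tzinfo=timezone.utc))

    routes = {}
    routes["alice_first"] = after_login(alice)       # old password -> prompt
    dismiss(alice, now)
    routes["alice_after_skip"] = after_login(alice)  # skipped -> no nag
    routes["bob"] = after_login(bob)                 # changed after patch
    routes["carol_first"] = after_login(carol)       # stale dismissal ignored
    change_password(carol, now)
    routes["carol_after_change"] = after_login(carol)
    return routes


if __name__ == "__main__":
    for name, route in run_demo().items():
        print(f"{name}: {route}")
```

The key design point is that the skip is recorded against the incident (a dismissal older than the patch is ignored), so an earlier "X out" does not silently suppress the Heartbleed notice, while a user who skips once is not shown the page on every subsequent login.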



