

Ask HN: Who's willing to reset user passwords in response to heartbleed? - jmathai

I'm struggling to know what the right decision is for our users. My gut says we should reset everyone's password and put them through the password reset flow.

Most of the emails I've received have been suggestions to do so, with the exception of an email from Optimizely.

Is there a sound argument to not reset passwords? I realize it's a pain for users and we've been trained to avoid adding friction at all costs. When is there an exception to that rule? And is it heartbleed?
======
akg_67
I decided not to reset passwords for everyone for my web service.

Instead, I sent out a security alert email to everyone with links to the
ArsTechnica article
[http://arstechnica.com/security/2014/04/critical-crypto-bug-...](http://arstechnica.com/security/2014/04/critical-crypto-bug-exposes-yahoo-mail-passwords-russian-roulette-style/)
and the Heartbleed bug site [http://heartbleed.com/](http://heartbleed.com/)
for more information, and a link to our password reset page.

We also have a security alert on user dashboard that they see after logging
into our system.

------
OafTobark
A better method might be next time they come onto the site and log in (or if
they are already logged in), put up a stop page (similar to a paywall message)
warning them in plain English of what happened and strongly recommend a
password change. Make it easy for them to skip or X out of the box.

I think forcing users to change passwords, or taking a passive email stance
when there is a chance most might not read their email, are both not ideal
solutions.

~~~
logn
In addition, their email could be compromised, so resetting in the app after a
login is preferable I think.
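The post-login decision OafTobark and logn describe, as an added example (not code from anyone in this thread): only users whose password predates the server's patch are affected; under a "force" policy (what the question proposes) they are sent through the reset flow, under a "notice" policy they get a skippable stop page. The PATCHED_AT timestamp, the 7-day reminder after a user X's out, and the sample users are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed: when this service patched OpenSSL and rotated its TLS key. Passwords
# last changed before this point were in use while the bug was exploitable.
PATCHED_AT = datetime(2014, 4, 8, 12, 0, tzinfo=timezone.utc)

@dataclass
class User:
    name: str
    password_changed_at: datetime
    notice_dismissed_at: "datetime | None" = None  # when they X'd out, if ever

def after_login_action(user: User, now: datetime, policy: str = "notice",
                       remind_after: timedelta = timedelta(days=7)) -> str:
    """Returns "proceed" (nothing to do), "force_reset" (policy="force": send the
    user through the reset flow) or "interstitial" (policy="notice": a skippable
    stop page, shown again after remind_after; that reminder is an assumption)."""
    if user.password_changed_at >= PATCHED_AT:
        return "proceed"  # set after the fix, so not exposed by the bug
    if policy == "force":
        return "force_reset"
    if policy != "notice":
        raise ValueError(f"unknown policy {policy!r}")
    if user.notice_dismissed_at is None:
        return "interstitial"
    return "interstitial" if now - user.notice_dismissed_at >= remind_after else "proceed"

def dismiss_notice(user: User, now: datetime) -> None:
    user.notice_dismissed_at = now  # the user X'd out of the stop page

def record_password_change(user: User, now: datetime) -> None:
    user.password_changed_at = now  # changed after the patch: stop prompting
    user.notice_dismissed_at = None

# Constructed sample data.
NOW = PATCHED_AT + timedelta(days=1)
OLD_PW = User("alice", PATCHED_AT - timedelta(days=90))
NEW_PW = User("bob", PATCHED_AT + timedelta(hours=2))

def walkthrough() -> list:
    """Pre-patch user logs in, skips, returns after 1 day, then after 8, then changes it."""
    u = User("carol", PATCHED_AT - timedelta(days=60))
    steps = [after_login_action(u, NOW)]
    dismiss_notice(u, NOW)
    steps.append(after_login_action(u, NOW + timedelta(days=1)))
    steps.append(after_login_action(u, NOW + timedelta(days=8)))
    record_password_change(u, NOW + timedelta(days=8))
    steps.append(after_login_action(u, NOW + timedelta(days=9)))
    return steps
```

Delivering the prompt inside the app after login, rather than only by email, covers the case logn raises where the user's mailbox may itself be compromised.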

