
NOTE: This wasn't exactly how I intended to announce my Triumphant Return® to Daily Kos, but given the subject I felt a need to get the word out about this ASAP:
Cross-posted at ACA Signups
Earlier in the week I noted that Hawaii's Health Connector website was still vulnerable to the infamous Heartbleed OpenSSL bug. I'm happy to say that it has since been patched.

This naturally raised the question of whether the main Federal exchange website, Healthcare.gov, was also vulnerable. I checked the site the day that the Heartbleed story went public last Wednesday and it did not show up as being vulnerable. In addition, on that same day Mashable reported that HC.gov was NOT one of the major sites impacted by the bug.

However, just to be certain (and because, frankly, it's a good idea to reset your password every six months or so anyway), the HHS Dept. has taken the precaution of doing a batch password reset for every account on the site:

Washington (CNN) - A cybersecurity scare is forcing Obamacare enrollees who used the HealthCare.gov site to sign up for an insurance plan to now change their passwords.

The Obama administration says that although there is no immediate threat to users, all enrollees have had their password reset and now must create a new password.

...The site has already reset users’ accounts. Now, when they sign in, they will be prompted to create a new, unique password. The site includes a step-by-step process on how to do so and provides a hotline for any users who experience difficulty.

As a website developer and system administrator myself, who spent the good part of 2 days patching and then resetting my own servers and client accounts a week and a half ago, I can tell you that while the Heartbleed bug itself is definitely serious, there is absolutely nothing wrong with the administration doing what they've done; in fact, it's exactly what they should do under the circumstances.
To reiterate: They're pretty sure there was no vulnerability, but as a precaution they've already reset everyone's passwords. The only reason you need to reset yours is to allow you back into the system, not because someone else can get in.
OpenSSL is a cryptographic library (it implements the SSL/TLS encryption that sits behind "https") which is used on something like half to 2/3 of the web servers around the world. Most of the largest and most technologically sophisticated companies around were vulnerable (or may have been) to the Heartbleed bug and had to patch their own servers and issue password reset notices, either because of a confirmed vulnerability or simply as a precaution. That list includes Facebook, Instagram, Pinterest, Tumblr, Google, Yahoo, Etsy, GoDaddy, Flickr, Netflix, Dropbox and WordPress.

While it's certainly worth taking seriously, no matter what FOX News says (and you just know they're gonna try to run with this), there is no reason to freak out about Healthcare.gov.

So, the next time you go to HC.gov and are told that you need to reset your password, just go ahead and follow the instructions. It should take all of 60 seconds including the confirmation response, and you should be good to go. For that matter, now that open enrollment is over, I suspect that most people won't even bother logging back into their accounts until/unless they have a major life change, some confirmation issue or until the 2nd open enrollment period opens this November.

So, what about the 15 state-run exchanges?

--California: ALL GOOD (either patched or never vulnerable)
--Colorado: ALL GOOD (either patched or never vulnerable)
--Connecticut: ALL GOOD (either patched or never vulnerable)
--District of Columbia: ALL GOOD (either patched or never vulnerable)
--Hawaii: (see above... ALL GOOD now, but do reset your password)
--Kentucky: ALL GOOD (either patched or never vulnerable)
--Maryland: UNSURE (connection refused)
--Massachusetts: ALL GOOD (either patched or never vulnerable)
--Minnesota: ALL GOOD (either patched or never vulnerable)
--Nevada: UNSURE (connection refused)
--New York: ALL GOOD (either patched or never vulnerable)
--Oregon: ALL GOOD (either patched or never vulnerable)
--Rhode Island: UNSURE (connection refused)
--Vermont: UNSURE (connection refused)
--Washington: ALL GOOD (either patched or never vulnerable)

IMPORTANT: Marking an exchange "ALL GOOD" simply means that its website is secure now. It's still possible that one or more of them were vulnerable at some point in the past, so it's still a good idea to reset your passwords on those sites as well. I'd advise contacting the exchange directly if you have any questions or concerns about this issue.

As for the Maryland, Nevada, Rhode Island and Vermont exchanges, the fact that the connection was refused when I ran the test does not mean that they're vulnerable; it simply means that, for one reason or another, the Heartbleed test wasn't able to connect to those servers or ran into some other issue when attempting to do so. Again, I would strongly advise contacting those exchanges directly to confirm whether they're vulnerable or not, and whether you need to reset your passwords there as well.

One other thing: When you do reset your password, for the love of God do not make it something insanely obvious like any of these.
