Information for SAS Students about the Heartbleed Vulnerablity

On Monday April 7, 2014 internet security officials began informing the public about the "Heartbleed Bug" - a vulnerability that can compromise the security of information transmitted to many web sites.

SAS and Penn IT staff have been working to identify and patch any affected students.  See this statement from Penn's security officials.

As a Penn student what do you need to do?

Do I need to change my PennKey password?  The central servers that maintain Penn's CoSign WebLogin service, the
primary web-based authentication method used by Penn websites, were not
vulnerable to this issue.  So, we are not recommending that all Penn users change their PennKeys.   However, as always, if you have any doubt about the security of your PennKey password, we encourage you to change it by visiting

Do I need to change my Google@SAS email password?  The GMail platform, which underlies the Google@SAS email system was patched soon after the vulernability was announced.  Google says that users do not need to reset their passwords, but users who want an extra level of assurance are encouraged to do so.  You can change your Google@SAS password by visting

What about passwords for other email services?  Many SAS students route their email to Yahoo and other email service providers.  You should check with your service provider for guidance concerning their services.

Beware of fraudulent emails!  Please be on the lookout for fraudulent email claiming to be from companies with which you do business (including Penn), as criminals may use this event to create phishing email messages designed to trick people into divulging their passwords. No legitimate party from Penn will ever ask you to share your password, and if a campaign to change PennKey passwords was ever initiated, it would be well-communicated and easily verifiable from SAS Computing.

Questions?  Please visit our Student Email Help form at