In response to the Heartbleed bug, I took the following actions:
- Closed the vulnerability in OpenSSL by applying the patch
- Obtained and installed a re-issued SSL certificate
- Rolled the Linux passwords
- Forced all Drupal users with Admin, Editor, and/or Elections Official privileges to reset their passwords.
The last step was accomplished by installing the Force Password Change module and setting its configuration options. Unfortunately, there's apparently a bug in this module that marks all passwords as expired whenever you tell it to expire the passwords for a single role. I fixed the problem with the following SQL statement:
```sql
UPDATE force_password_change_users
SET last_force = NULL
WHERE uid NOT IN (
    SELECT DISTINCT uid FROM users_roles WHERE rid IN (3,4,8)
);
```
In plain English, this query turns off the forced password expiration for all users except those with Admin, Editor, and/or Elections Official privileges.
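
A way to check the outcome of that statement, as an added example that is not part of the original post: it runs the same UPDATE against an in-memory SQLite database and then audits who is still flagged. The two tables hold only the columns the statement names, the uids, role assignments and timestamp are constructed sample data, and reading a non-NULL `last_force` as "reset still pending" is an assumption based on the description above.

```python
import sqlite3

# The statement from the post, unchanged.
FIX_SQL = """UPDATE force_password_change_users SET last_force = NULL
WHERE uid NOT IN (SELECT DISTINCT uid FROM users_roles WHERE rid IN (3,4,8))"""
PRIVILEGED = "SELECT uid FROM users_roles WHERE rid IN (3,4,8)"

def build_sample_db():
    """Constructed data: every user flagged, as after the module bug."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users_roles (uid INTEGER NOT NULL, rid INTEGER NOT NULL);
        CREATE TABLE force_password_change_users (
            uid INTEGER PRIMARY KEY, last_force INTEGER);
    """)
    # uid -> role ids (constructed); 3, 4 and 8 are the privileged rids in the post
    roles = {10: [3], 11: [4, 8], 12: [5], 13: [], 14: [8, 5], 15: [2]}
    for uid, rids in roles.items():
        db.execute("INSERT INTO force_password_change_users VALUES (?, ?)",
                   (uid, 1397000000))
        db.executemany("INSERT INTO users_roles VALUES (?, ?)",
                       [(uid, rid) for rid in rids])
    return db

def _uids(db, where):
    sql = f"SELECT uid FROM force_password_change_users WHERE {where} ORDER BY uid"
    return [row[0] for row in db.execute(sql)]

def still_forced(db):
    return _uids(db, "last_force IS NOT NULL")

def audit(db):
    """Return (wrongly_forced, missed); both lists should be empty after the fix."""
    wrongly = _uids(db, f"last_force IS NOT NULL AND uid NOT IN ({PRIVILEGED})")
    missed = _uids(db, f"last_force IS NULL AND uid IN ({PRIVILEGED})")
    return wrongly, missed

def run_fix(db):
    """Apply the post's UPDATE and return the number of rows it cleared."""
    cur = db.execute(FIX_SQL)
    db.commit()
    return cur.rowcount

if __name__ == "__main__":
    db = build_sample_db()
    print("before:", still_forced(db), audit(db))
    print("rows cleared:", run_fix(db))
    print("after: ", still_forced(db), audit(db))
```

Running the `audit` queries on the real tables before the UPDATE shows exactly which accounts it will clear, and running them afterwards confirms that no privileged account lost its forced reset.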