Changing password after “heartbleed” bug? Here’s what you need to know

By Chenda Ngak/CBS News 2:25 PM April 10, 2014
The “heartbleed” bug may have put millions of passwords, credit card details and other sensitive information in the hands of nefarious hackers. Before you change your passwords, security experts suggest making sure the website is now secure, and they offer tips for creating stronger passwords.

Heartbleed is a bug that made services using OpenSSL encryption vulnerable to attack, including websites, instant messaging software and email accounts. It’s worth noting that not all websites are affected by the heartbleed bug.

According to data analysis website Datanyze, 17.3 percent of the top 1 million websites ranked by Alexa.com may have been exposed to heartbleed. Internet data company Netcraft reports that a recent survey found that 17.5 percent of websites using secure socket layer (SSL) encryption may have been exposed as well. For many, it’s unclear which websites are still at risk, so it’s worth taking extra precautions.

“If the website is still vulnerable, changing the password will not accomplish anything. The hacker could potentially view your newly created password, too,” Dodi Glenn, director of security intelligence at ThreatTrack Security, told CBS News via email.

Glenn says there are websites that check whether or not a given site has been patched, and suggests filippo.io/heartbleed or ssllabs.com/ssltest. Password management software maker LastPass also has a service that checks if a website is vulnerable. LastPass recommends that users of websites like Yahoo, GitHub and Fitbit update their passwords right away. But if you have a Netflix, Airbnb or Quora account, wait to update.

Trend Micro vice president of security research Rik Ferguson told CBS News via email that if you update too early, not only are you putting your new password at risk, you could be exposing additional data that is requested during the password reset process. Ferguson suggests avoiding services that are not yet patched, until a security fix is released.

“If it is not possible to avoid logging in to a service then continue as normal, changing your password will not bring you any extra security until the server is patched,” Ferguson said.

But if you have the same password for several different websites or services, then change your password right away. Ferguson adds, “any exposure of a shared password may have wider consequences.”

Ferguson says you should change your password once you’ve been notified, or have discovered, that a server has received a security update. He suggests avoiding these big mistakes when creating a new password: using words from the dictionary, names, dates of birth, ages, telephone numbers, pets’ names, football teams or anything related to you.

Don’t use the same password for different services, and never share your password. Even words with numbers substituted for letters are not secure enough. Ferguson says a word like “P455w0rd” can be cracked within minutes.

Ferguson shared an example of five steps for creating a more secure password.

1. Think of a phrase you can easily remember, for example:

“Motley Crue and Adam and the Ants were the soundtrack of my youth.”

2. Take the initial letter of each of those words:

MCAAATAWTSOMY

3. This will be the basis of the password, but we now need to make sure we use upper and lower case characters, numbers and “special characters” like !$&+. For example, let’s change cases first:

MCaAatAwtSomY

4. Now change some of those letters for numbers, maybe the letter O to a zero:

MCaAatAwtS0mY

5. Now add the special characters; I’ll change the “and” into + and &:

MC+A&tAwtS0mY

Ferguson suggests creating variations of the password for different websites, like adding the first and last letter of a website name at the beginning or end of a password. He adds that users also need to be aware of phishing scams that attempt to lure people to fake websites.
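The following script is an added example, not code from the article or from Ferguson, and it reproduces his five steps on his own phrase. It assumes a rule he does not state (step 3 lowercases function words, which happens to match his result), uses only the substitutions he shows (o to 0, the two “and”s to + and &), and adds a small leet-normalization check against a constructed wordlist to show why “P455w0rd” is still a dictionary word.

```python
import re

PHRASE = "Motley Crue and Adam and the Ants were the soundtrack of my youth."

# Assumed rule for step 3 (the article only shows the result).
FUNCTION_WORDS = {"and", "the", "were", "of", "my", "a", "an", "to", "in"}
# Step 4: letter-to-digit swap shown in the article.
DIGIT_SWAPS = {"o": "0"}
# Step 5: each occurrence of a listed word becomes the next symbol in its list.
WORD_SYMBOLS = {"and": ["+", "&"]}


def derive_password(phrase):
    """Return the results of steps 2 to 5 for the given phrase."""
    words = re.findall(r"[A-Za-z]+", phrase)
    step2 = "".join(w[0].upper() for w in words)
    step3 = "".join(
        w[0].lower() if w.lower() in FUNCTION_WORDS else w[0].upper() for w in words
    )
    step4 = "".join(DIGIT_SWAPS.get(ch, ch) for ch in step3)
    queues = {w: list(syms) for w, syms in WORD_SYMBOLS.items()}
    chars = list(step4)
    for i, w in enumerate(words):
        pending = queues.get(w.lower())
        if pending:
            chars[i] = pending.pop(0)
    return [step2, step3, step4, "".join(chars)]


def site_variant(password, hostname):
    """Per-site variation (assumed form): first letter of the site name in
    front, last letter behind, e.g. 'amazon.com' -> 'a' + password + 'n'."""
    name = hostname.split(".")[0]
    return name[0] + password + name[-1]


# Constructed wordlist and the common digit/symbol-for-letter swaps a
# cracker's rule set undoes; real wordlists run to millions of entries.
WORDLIST = {"password", "welcome", "football", "dragon", "monkey"}
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "@": "a", "$": "s", "!": "i"})


def is_leet_dictionary_word(password):
    """True if undoing leet substitutions yields a plain dictionary word."""
    return password.translate(LEET).lower() in WORDLIST


if __name__ == "__main__":
    for step in derive_password(PHRASE):
        print(step)
    print(site_variant(derive_password(PHRASE)[-1], "amazon.com"))
    print("P455w0rd weak:", is_leet_dictionary_word("P455w0rd"))
```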

Mandiant security expert William Ballenthin told CBS News in an interview that heartbleed compromises past and future communications with a server, like banking or email transactions. He adds that this bug has been “in the wild” for about two years and was only recently discovered. At this point not much can be done about the past.

But Ballenthin says major websites like Google, Amazon and Yahoo have identified the issues and released a fix. According to tech website Mashable, several major banks are not affected because they do not use OpenSSL encryption software. The website released a list of major sites that were affected by the heartbleed bug and have since been updated, including Facebook, Pinterest, Tumblr, Gmail, Yahoo, Amazon and Dropbox.

© 2014 CBS Interactive Inc. All Rights Reserved.
