
Changing password after “heartbleed” bug? Here’s what you need to know

By Chenda Ngak/CBS News 2:25 PM April 10, 2014
The “heartbleed” bug may have put millions of passwords, credit card details and sensitive information in the hands of nefarious hackers. Before you change your passwords, security experts suggest making sure the website is now secure, and provide tips for creating stronger passwords.

Heartbleed is a bug that made services using OpenSSL encryption vulnerable to attack, including websites, instant messaging software and email accounts. It’s worth noting that not all websites are affected by the heartbleed bug.

According to data analysis website Datanyze, 17.3 percent of the top 1 million websites ranked by Alexa.com may have been exposed to heartbleed. Internet data company Netcraft reports that a recent survey found 17.5 percent of websites that use secure socket layer (SSL) encryption. For many, it’s unclear which websites are still at risk, so it’s worth taking extra precaution.

“If the website is still vulnerable, changing the password will not accomplish anything. The hacker could potentially view your newly created password, too,” Dodi Glenn, director of security intelligence at ThreatTrack Security, told CBS News via email.

Glenn says there are websites to check whether or not a website has been patched, and suggested filippo.io/heartbleed or ssllabs.com/ssltest. Password management software maker LastPass also has a service that checks if a website is vulnerable. LastPass recommends users of websites like Yahoo, GitHub and Fitbit update their passwords right away. But if you have a Netflix, Airbnb or Quora account, wait to update.

Trend Micro vice president of security research Rik Ferguson told CBS News via email that if you update too early, not only are you putting your new password at risk, you could be exposing additional data that is requested during the password reset process. Ferguson suggests avoiding services that are not yet patched, until a security fix is released.

“If it is not possible to avoid logging in to a service then continue as normal, changing your password will not bring you any extra security until the server is patched,” Ferguson said.

But if you have the same password for several different websites or services, then change your password right away. Ferguson adds, “any exposure of a shared password may have wider consequences.”

Ferguson says you should change your password once you’ve been notified or discover that a server has had a security update. He suggested avoiding these big mistakes when creating a new password: using words from the dictionary, names, dates of birth, ages, telephone numbers, pet’s names, football teams or anything related to you.

Don’t use the same password for different services and never share your password. Even words using numbers in place of letters are not secure enough. Ferguson says a word like “P455w0rd” can be cracked within minutes.

Ferguson shared an example of five steps for creating a more secure password.

1. Think of a phrase you can easily remember, for example:

“Motley Crue and Adam and the Ants were the soundtrack of my youth.”

2. Take the initial letter of each of those words:

MCAAATAWTSOMY

3. This will be the basis of the password, but we now need to make sure we use upper and lower case characters, numbers and “special characters” like !$&+. For example, let’s change cases first:

MCaAatAwtSomY

4. Now change some of those letters for numbers, maybe the letter O to a zero:

MCaAatAwtS0mY

5. Now add the special characters, I’ll change the “and” into + and &

MC+A&tAwtS0mY
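
As an added illustration (not part of the original article or Ferguson's advice), this Python sketch checks a password against the mistakes described above: it undoes number-for-letter swaps before the dictionary lookup, which is why “P455w0rd” fails, and confirms that all four character classes are present. The tiny wordlist, the substitution table and the 12-character minimum are assumptions chosen for the example.

```python
import re

# Constructed sample wordlist (assumption); a real check would load a large
# dictionary plus names, dates and other personal terms.
COMMON_WORDS = {"password", "football", "letmein", "dragon", "monkey"}

# Common digit/symbol-for-letter swaps that cracking tools undo automatically.
LEET = str.maketrans({"4": "a", "@": "a", "5": "s", "$": "s", "0": "o",
                      "1": "l", "!": "i", "3": "e", "7": "t"})

def normalize(password):
    """Lower-case and reverse simple substitutions, e.g. P455w0rd -> password."""
    return password.lower().translate(LEET)

def character_classes(password):
    """Report which of the four character classes the password uses."""
    return {
        "upper": bool(re.search(r"[A-Z]", password)),
        "lower": bool(re.search(r"[a-z]", password)),
        "digit": bool(re.search(r"[0-9]", password)),
        "special": bool(re.search(r"[^A-Za-z0-9]", password)),
    }

def review(password, min_length=12):  # min_length is an assumed threshold
    """Return a list of problems; an empty list means no rule was tripped."""
    problems = []
    if len(password) < min_length:
        problems.append("too short")
    classes = character_classes(password)
    missing = [name for name, present in classes.items() if not present]
    if missing:
        problems.append("missing classes: " + ", ".join(missing))
    plain = normalize(password)
    hits = sorted(word for word in COMMON_WORDS if word in plain)
    if hits:
        problems.append("contains dictionary word: " + ", ".join(hits))
    return problems

if __name__ == "__main__":
    for candidate in ("P455w0rd", "MC+A&tAwtS0mY"):
        print(candidate, "->", review(candidate) or "no problems found")
```
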

Ferguson suggests creating variations of the password for different websites, like adding the first and last letter of a website name at the beginning or end of a password. He adds that users also need to be aware of phishing scams that attempt to lure people to fake websites.

Mandiant security expert William Ballenthin told CBS News in an interview that heartbleed compromises past and future communications with a server, like banking or email transactions. He adds that this bug has been “in the wild” for about two years, and was only recently discovered. At this point not much can be done about the past.

But Ballenthin says major websites like Google, Amazon and Yahoo have identified the issues and released a fix. According to tech website Mashable, several major banks are not affected because they do not use OpenSSL encryption software. The website released a list of major sites that were affected by the heartbleed bug and have since been updated, including Facebook, Pinterest, Tumblr, Gmail, Yahoo, Amazon and Dropbox.

© 2014 CBS Interactive Inc. All Rights Reserved.
