
Changing password after “heartbleed” bug? Here’s what you need to know

By Chenda Ngak/CBS News 2:25 PM April 10, 2014
The “heartbleed” bug may have put millions of passwords, credit card details and sensitive information in the hands of nefarious hackers. Before you change your passwords, security experts suggest making sure the website is now secure, and provide tips for creating stronger passwords.

Heartbleed is a bug that made services using OpenSSL encryption vulnerable to attack, including websites, instant messaging software and email accounts. It’s worth noting that not all websites are affected by the heartbleed bug.

According to data analysis website Datanyze, 17.3 percent of the top 1 million websites ranked by Alexa.com may have been exposed to heartbleed. Internet data company Netcraft reports that a recent survey found 17.5 percent of websites that use secure socket layer (SSL) encryption. For many, it’s unclear which websites are still at risk, so it’s worth taking extra precaution.

“If the website is still vulnerable, changing the password will not accomplish anything. The hacker could potentially view your newly created password, too,” Dodi Glenn, director of security intelligence at ThreatTrack Security, told CBS News via email.

Glenn says there are websites to check whether or not a website has been patched, and suggested filippo.io/heartbleed or ssllabs.com/ssltest. Password management software maker LastPass also has a service that checks if a website is vulnerable. LastPass recommends users of websites like Yahoo, GitHub and Fitbit update their passwords right away. But if you have a Netflix, Airbnb or Quora account, wait to update.

Trend Micro vice president of security research Rik Ferguson told CBS News via email that if you update too early, not only are you putting your new password at risk, you could be exposing additional data that is requested during the password reset process. Ferguson suggests avoiding services that are not yet patched, until a security fix is released.

“If it is not possible to avoid logging in to a service then continue as normal, changing your password will not bring you any extra security until the server is patched,” Ferguson said.

But if you have the same password for several different websites or services, then change your password right away. Ferguson adds, “any exposure of a shared password may have wider consequences.”

Ferguson says you should change your password once you’ve been notified or discover that a server has had a security update. He suggested avoiding these big mistakes when creating a new password: using words from the dictionary, names, dates of birth, ages, telephone numbers, pet’s names, football teams or anything related to you.

Don’t use the same password for different services and never share your password. Even words using numbers in place of letters are not secure enough. Ferguson says a word like “P455w0rd” can be cracked within minutes.

Ferguson shared an example of five steps for creating a more secure password.

1. Think of a phrase you can easily remember, for example:

“Motley Crue and Adam and the Ants were the soundtrack of my youth.”

2. Take the initial letter of each of those words:

MCAAATAWTSOMY

3. This will be the basis of the password, but we now need to make sure we use upper and lower case characters, numbers and “special characters” like !$&+ for example, let’s change cases first:

MCaAatAwtSomY

4. Now change some of those letters for numbers, maybe the letter O to a zero

MCaAatAwtS0mY

5. Now add the special characters, I’ll change the “and” into + and &

MC+A&tAwtS0mY
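
Why number-for-letter swaps such as “P455w0rd” add little, shown as an added example that is not part of the original article: a password check that undoes common substitutions before a dictionary lookup. The wordlist and the substitution table are constructed for illustration.

```python
import itertools

# Constructed sample wordlist; a real check would load a large dictionary
# plus names, teams and dates tied to the user.
WORDLIST = {"password", "letmein", "dragon", "football", "monkey"}

# Common digit/symbol-for-letter swaps. Some characters are ambiguous
# (1 can stand for "i" or "l"), so each maps to every plausible letter.
LEET = {
    "0": "o", "1": "il", "3": "e", "4": "a", "5": "s",
    "7": "t", "8": "b", "@": "a", "$": "s", "!": "i", "+": "t",
}


def deleet_candidates(password, limit=4096):
    """Return the lowercase readings of password with swaps undone."""
    # Each position becomes a string of possible letters; unmapped
    # characters stand for themselves.
    options = [LEET.get(ch, ch) for ch in password.lower()]
    combos = itertools.product(*options)
    # Cap the expansion so a long, heavily ambiguous input stays cheap.
    return {"".join(c) for c in itertools.islice(combos, limit)}


def dictionary_hits(password, wordlist=WORDLIST, min_len=4):
    """Return wordlist entries found inside any de-leeted reading."""
    hits = set()
    for candidate in deleet_candidates(password):
        for word in wordlist:
            if len(word) >= min_len and word in candidate:
                hits.add(word)
    return sorted(hits)


if __name__ == "__main__":
    for pw in ["P455w0rd", "F00tb4ll2014", "MC+A&tAwtS0mY"]:
        print(pw, "->", dictionary_hits(pw) or "no wordlist match")
```

An empty result only means no wordlist entry was found; it is not a measure of strength.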

Ferguson suggests creating variations of the password for different websites, like adding the first and last letter of a website name at the beginning or end of a password. He adds that users also need to be aware of phishing scams that attempt to lure people to fake websites.

Mandiant security expert William Ballenthin told CBS News in an interview that heartbleed compromises past and future communications with a server, like banking or email transactions. He adds that this bug has been “in the wild” for about two years, and was only recently discovered. At this point not much can be done about the past.

But Ballenthin says major websites like Google, Amazon and Yahoo have identified the issues and released a fix. According to tech website Mashable, several major banks are not affected because they do not use OpenSSL encryption software. The website released a list of major sites that were affected by the heartbleed bug and have since been updated, including Facebook, Pinterest, Tumblr, Gmail, Yahoo, Amazon and Dropbox.

© 2014 CBS Interactive Inc. All Rights Reserved.
