
Changing password after “heartbleed” bug? Here’s what you need to know

By Chenda Ngak/CBS News 2:25 PM April 10, 2014
The “heartbleed” bug may have put millions of passwords, credit card details and sensitive information in the hands of nefarious hackers. Before you change your passwords, security experts suggest making sure the website is now secure, and provide tips for creating stronger passwords.

Heartbleed is a bug that made services using OpenSSL encryption vulnerable to attack, including websites, instant messaging software and email accounts. It’s worth noting that not all websites are affected by the heartbleed bug.

According to data analysis website Datanyze, 17.3 percent of the top 1 million websites ranked by Alexa.com may have been exposed to heartbleed. Internet data company Netcraft reports that a recent survey found 17.5 percent of websites that use secure socket layer (SSL) encryption. For many, it’s unclear which websites are still at risk, so it’s worth taking extra precaution.

“If the website is still vulnerable, changing the password will not accomplish anything. The hacker could potentially view your newly created password, too,” Dodi Glenn, director of security intelligence at ThreatTrack Security, told CBS News via email.

Glenn says there are websites to check whether or not a website has been patched, and suggested filippo.io/heartbleed or ssllabs.com/ssltest. Password management software maker LastPass also has a service that checks if a website is vulnerable. LastPass recommends users of websites like Yahoo, GitHub and Fitbit update their passwords right away. But if you have a Netflix, Airbnb or Quora account, wait to update.

Trend Micro vice president of security research Rik Ferguson told CBS News via email that if you update too early, not only are you putting your new password at risk, you could be exposing additional data that is requested during the password reset process. Ferguson suggests avoiding services that are not yet patched, until a security fix is released.

“If it is not possible to avoid logging in to a service then continue as normal, changing your password will not bring you any extra security until the server is patched,” Ferguson said.

But if you have the same password for several different websites or services, then change your password right away. Ferguson adds, “any exposure of a shared password may have wider consequences.”

Ferguson says you should change your password once you’ve been notified or discover that a server has had a security update. He suggested avoiding these big mistakes when creating a new password: using words from the dictionary, names, dates of birth, ages, telephone numbers, pet’s names, football teams or anything related to you.

Don’t use the same password for different services and never share your password. Even words using numbers in place of letters are not secure enough. Ferguson says a word like “P455w0rd” can be cracked within minutes.

Ferguson shared an example of five steps for creating a more secure password.

1. Think of a phrase you can easily remember, for example:

“Motley Crue and Adam and the Ants were the soundtrack of my youth.”

2. Take the initial letter of each of those words:

MCAAATAWTSOMY

3. This will be the basis of the password, but we now need to make sure we use upper and lower case characters, numbers and “special characters” like !$&+, for example. Let’s change cases first:

MCaAatAwtSomY

4. Now change some of those letters for numbers, maybe the letter O to a zero:

MCaAatAwtS0mY

5. Now add the special characters. I’ll change the “and” into + and &:

MC+A&tAwtS0mY
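
An added example, not from the article or from Ferguson: a Python check for the mistakes listed above. It shows why “P455w0rd” fails (undoing the number swaps gives a dictionary word) while the phrase-derived password passes. The wordlist and substitution table are small constructed samples, and the function names are hypothetical.

```python
import re

# Constructed sample wordlist; a real check would load a full dictionary
# and a breached-password list.
WORDLIST = {"password", "letmein", "football", "dragon", "monkey"}

# Digit/symbol-for-letter swaps that cracking rules routinely undo.
LEET = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "l", "!": "i",
                      "0": "o", "5": "s", "$": "s", "7": "t"})


def normalize(text):
    """Lower-case and reverse common substitutions, keeping letters only."""
    return re.sub(r"[^a-z]", "", text.lower().translate(LEET))


def acronym(phrase):
    """Steps 1-2 of the procedure: first letter of each word, upper-cased."""
    return "".join(word[0] for word in re.findall(r"[A-Za-z]+", phrase)).upper()


def weaknesses(password, personal=()):
    """Return the listed mistakes found in `password`; empty list if none."""
    issues = []
    letters = normalize(password)
    if any(word in letters for word in WORDLIST):
        issues.append("dictionary word after undoing substitutions")
    for item in personal:  # names or team names supplied by the caller
        if normalize(item) and normalize(item) in letters:
            issues.append("personal detail: " + item)
    classes = {"upper case": r"[A-Z]", "lower case": r"[a-z]",
               "number": r"[0-9]", "special character": r"[^A-Za-z0-9]"}
    for name, pattern in classes.items():
        if not re.search(pattern, password):
            issues.append("no " + name)
    return issues


if __name__ == "__main__":
    phrase = "Motley Crue and Adam and the Ants were the soundtrack of my youth."
    print(acronym(phrase))
    for candidate in ("P455w0rd", "MC+A&tAwtS0mY"):
        print(candidate, weaknesses(candidate))
```
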

Ferguson suggests creating variations of the password for different websites, like adding the first and last letter of a website name at the beginning or end of a password. He adds that users also need to be aware of phishing scams that attempt to lure people to fake websites.

Mandiant security expert William Ballenthin told CBS News in an interview that heartbleed compromises past and future communications with a server, like banking or email transactions. He adds that this bug has been “in the wild” for about two years, and was only recently discovered. At this point not much can be done about the past.

But Ballenthin says major websites like Google, Amazon and Yahoo have identified the issues and released a fix. According to tech website Mashable, several major banks are not affected because they do not use OpenSSL encryption software. The website released a list of major sites that were affected by the heartbleed bug and have since been updated, including Facebook, Pinterest, Tumblr, Gmail, Yahoo, Amazon and Dropbox.

© 2014 CBS Interactive Inc. All Rights Reserved.
