
Changing password after “heartbleed” bug? Here’s what you need to know

By Chenda Ngak/CBS News 2:25 PM April 10, 2014
The “heartbleed” bug may have put millions of passwords, credit card details and sensitive information in the hands of nefarious hackers. Before you change your passwords, security experts suggest making sure the website is now secure, and provide tips for creating stronger passwords.

Heartbleed is a bug that made services using OpenSSL encryption vulnerable to attack, including websites, instant messaging software and email accounts. It’s worth noting that not all websites are affected by the heartbleed bug.

According to data analysis website Datanyze, 17.3 percent of the top 1 million websites ranked by Alexa.com may have been exposed to heartbleed. Internet data company Netcraft reports that a recent survey found 17.5 percent of websites that use secure socket layer (SSL) encryption. For many, it’s unclear which websites are still at risk, so it’s worth taking extra precaution.

“If the website is still vulnerable, changing the password will not accomplish anything. The hacker could potentially view your newly created password, too,” Dodi Glenn, director of security intelligence at ThreatTrack Security, told CBS News via email.

Glenn says there are websites to check whether or not a website has been patched, and suggested filippo.io/heartbleed or ssllabs.com/ssltest. Password management software maker LastPass also has a service that checks if a website is vulnerable. LastPass recommends users of websites like Yahoo, GitHub and Fitbit update their passwords right away. But if you have a Netflix, Airbnb or Quora account, wait to update.

Trend Micro vice president of security research Rik Ferguson told CBS News via email that if you update too early, not only are you putting your new password at risk, you could be exposing additional data that is requested during the password reset process. Ferguson suggests avoiding services that are not yet patched, until a security fix is released.

“If it is not possible to avoid logging in to a service then continue as normal, changing your password will not bring you any extra security until the server is patched,” Ferguson said.

But if you have the same password for several different websites or services, then change your password right away. Ferguson adds, “any exposure of a shared password may have wider consequences.”

Ferguson says you should change your password once you’ve been notified or discover that a server has had a security update. He suggested avoiding these big mistakes when creating a new password: using words from the dictionary, names, dates of birth, ages, telephone numbers, pet’s names, football teams or anything related to you.

Don’t use the same password for different services and never share your password. Even words using numbers in place of letters are not secure enough. Ferguson says a word like “P455w0rd” can be cracked within minutes.

Ferguson shared an example of five steps for creating a more secure password.

1. Think of a phrase you can easily remember, for example:

“Motley Crue and Adam and the Ants were the soundtrack of my youth.”

2. Take the initial letter of each of those words:


3. This will be the basis of the password, but we now need to make sure we use upper and lower case characters, numbers and “special characters” like !$&+ for example, let’s change cases first:


4. Now change some of those letters for numbers, maybe the letter O to a zero


5. Now add the special characters, I’ll change the “and” into + and &


Ferguson suggests creating variations of the password for different websites, like adding the first and last letter of a website name at the beginning or end of a password. He adds that users also need to be aware of phishing scams that attempt to lure people to fake websites.

Mandiant security expert William Ballenthin told CBS News in an interview that heartbleed compromises past and future communications with a server, like banking or email transactions. He adds that this bug has been “in the wild” for about two years, and was only recently discovered. At this point not much can be done about the past.

But Ballenthin says major websites like Google, Amazon and Yahoo have identified the issues and released a fix. According to tech website Mashable, several major banks are not affected because they do not use OpenSSL encryption software. The website released a list of major sites that were affected by the heartbleed bug and have since been updated, including Facebook, Pinterest, Tumblr, Gmail, Yahoo, Amazon and Dropbox.

© 2014 CBS Interactive Inc. All Rights Reserved.
