
Changing password after “heartbleed” bug? Here’s what you need to know

By Chenda Ngak/CBS News 2:25 PM April 10, 2014
The “heartbleed” bug may have put millions of passwords, credit card details and sensitive information in the hands of nefarious hackers. Before you change your passwords, security experts suggest making sure the website is now secure, and provide tips for creating stronger passwords.

Heartbleed is a bug that made services using OpenSSL encryption vulnerable to attack, including websites, instant messaging software and email accounts. It’s worth noting that not all websites are affected by the heartbleed bug.

According to data analysis website Datanyze, 17.3 percent of the top 1 million websites ranked by Alexa.com may have been exposed to heartbleed. Internet data company Netcraft reports that a recent survey found 17.5 percent of websites that use secure socket layer (SSL) encryption. For many, it’s unclear which websites are still at risk, so it’s worth taking extra precaution.

“If the website is still vulnerable, changing the password will not accomplish anything. The hacker could potentially view your newly created password, too,” Dodi Glenn, director of security intelligence at ThreatTrack Security, told CBS News via email.

Glenn says there are websites to check whether or not a website has been patched, and suggested filippo.io/heartbleed or ssllabs.com/ssltest. Password management software maker LastPass also has a service that checks if a website is vulnerable. LastPass recommends users of websites like Yahoo, GitHub and Fitbit update their passwords right away. But if you have a Netflix, Airbnb or Quora account, wait to update.

Trend Micro vice president of security research Rik Ferguson told CBS News via email that if you update too early, not only are you putting your new password at risk, you could be exposing additional data that is requested during the password reset process. Ferguson suggests avoiding services that are not yet patched, until a security fix is released.

“If it is not possible to avoid logging in to a service then continue as normal, changing your password will not bring you any extra security until the server is patched,” Ferguson said.

But if you have the same password for several different websites or services, then change your password right away. Ferguson adds, “any exposure of a shared password may have wider consequences.”

Ferguson says you should change your password once you’ve been notified or discover that a server has had a security update. He suggested avoiding these big mistakes when creating a new password: using words from the dictionary, names, dates of birth, ages, telephone numbers, pet’s names, football teams or anything related to you.

Don’t use the same password for different services and never share your password. Even words using numbers in place of letters are not secure enough. Ferguson says a word like “P455w0rd” can be cracked within minutes.

Ferguson shared an example of five steps for creating a more secure password.

1. Think of a phrase you can easily remember, for example:

“Motley Crue and Adam and the Ants were the soundtrack of my youth.”

2. Take the initial letter of each of those words:

MCAAATAWTSOMY

3. This will be the basis of the password, but we now need to make sure we use upper and lower case characters, numbers and “special characters” like !$&+ for example, let’s change cases first:

MCaAatAwtSomY

4. Now change some of those letters for numbers, maybe the letter O to a zero:

MCaAatAwtS0mY

5. Now add the special characters, I’ll change the “and” into + and &

MC+A&tAwtS0mY

Ferguson suggests creating variations of the password for different websites, like adding the first and last letter of a website name at the beginning or end of a password. He adds that users also need to be aware of phishing scams that attempt to lure people to fake websites.

Mandiant security expert William Ballenthin told CBS News in an interview that heartbleed compromises past and future communications with a server, like banking or email transactions. He adds that this bug has been “in the wild” for about two years, and was only recently discovered. At this point not much can be done about the past.

But Ballenthin says major websites like Google, Amazon and Yahoo have identified the issues and released a fix. According to tech website Mashable, several major banks are not affected because they do not use OpenSSL encryption software. The website released a list of major sites that were affected by the heartbleed bug and have since been updated, including Facebook, Pinterest, Tumblr, Gmail, Yahoo, Amazon and Dropbox.

© 2014 CBS Interactive Inc. All Rights Reserved.
