
Changing password after “heartbleed” bug? Here’s what you need to know

By Chenda Ngak/CBS News 2:25 PM April 10, 2014
The “heartbleed” bug may have put millions of passwords, credit card details and sensitive information in the hands of nefarious hackers. Before you change your passwords, security experts suggest making sure the website is now secure, and provide tips for creating stronger passwords.

Heartbleed is a bug that made services using OpenSSL encryption vulnerable to attack, including websites, instant messaging software and email accounts. It’s worth noting that not all websites are affected by the heartbleed bug.

According to data analysis website Datanyze, 17.3 percent of the top 1 million websites ranked by Alexa.com may have been exposed to heartbleed. Internet data company Netcraft reports that a recent survey found 17.5 percent of websites that use secure socket layer (SSL) encryption. For many, it’s unclear which websites are still at risk, so it’s worth taking extra precaution.

“If the website is still vulnerable, changing the password will not accomplish anything. The hacker could potentially view your newly created password, too,” Dodi Glenn, director of security intelligence at ThreatTrack Security, told CBS News via email.

Glenn says there are websites to check whether or not a website has been patched, and suggested filippo.io/heartbleed or ssllabs.com/ssltest. Password management software maker LastPass also has a service that checks if a website is vulnerable. LastPass recommends users of websites like Yahoo, GitHub and Fitbit update their passwords right away. But if you have a Netflix, Airbnb or Quora account, wait to update.

Trend Micro vice president of security research Rik Ferguson told CBS News via email that if you update too early, not only are you putting your new password at risk, you could be exposing additional data that is requested during the password reset process. Ferguson suggests avoiding services that are not yet patched, until a security fix is released.

“If it is not possible to avoid logging in to a service then continue as normal, changing your password will not bring you any extra security until the server is patched,” Ferguson said.

But if you have the same password for several different websites or services, then change your password right away. Ferguson adds, “any exposure of a shared password may have wider consequences.”

Ferguson says you should change your password once you’ve been notified or discover that a server has had a security update. He suggested avoiding these big mistakes when creating a new password: using words from the dictionary, names, dates of birth, ages, telephone numbers, pet’s names, football teams or anything related to you.

Don’t use the same password for different services and never share your password. Even words using numbers in place of letters are not secure enough. Ferguson says a word like “P455w0rd” can be cracked within minutes.
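Why swapping numbers for letters adds so little can be seen from a password-policy check. The following is an added example, not part of the original article or Ferguson's advice. The substitution table, the sample wordlist and the function names are constructed for illustration. It undoes the common swaps and then looks for dictionary words or personal details.

```python
import itertools

# Common digit/symbol-for-letter swaps; "1" is ambiguous (i or l).
LEET = {"0": "o", "1": "il", "3": "e", "4": "a", "5": "s", "7": "t",
        "8": "b", "@": "a", "$": "s", "!": "i"}

# Constructed sample wordlist; a real check would load a full dictionary
# and a list of known-breached passwords.
SAMPLE_WORDS = {"password", "football", "dragon", "monkey", "letmein"}


def deleet_variants(password, limit=256):
    """Return the lowercase, letters-only readings of a password."""
    options = []
    for ch in password.lower():
        if ch.isalpha():
            options.append(ch)
        elif ch in LEET:
            options.append(LEET[ch])  # one or more candidate letters
        # any other character is dropped
    combos = itertools.islice(itertools.product(*options), limit)
    return {"".join(combo) for combo in combos}


def weak_reason(password, words=SAMPLE_WORDS, personal=()):
    """Return why a password is guessable, or None if no rule matched."""
    tokens = sorted({w.lower() for w in words} |
                    {p.lower() for p in personal})
    for reading in sorted(deleet_variants(password)):
        for token in tokens:
            if len(token) >= 3 and token in reading:
                return f"contains '{token}' once substitutions are undone"
    # Digits such as a birth year survive unchanged, so check the raw text.
    raw = password.lower()
    for detail in personal:
        if detail.lower() in raw:
            return f"contains personal detail '{detail}'"
    return None


if __name__ == "__main__":
    for candidate in ("P455w0rd", "F00tb4ll!", "MC+A&tAwtS0mY"):
        print(candidate, "->", weak_reason(candidate) or "no rule matched")
```

A result of `None` only means none of these simple rules matched; it is not a measure of strength.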

Ferguson shared an example of five steps for creating a more secure password.

1. Think of a phrase you can easily remember, for example:

“Motley Crue and Adam and the Ants were the soundtrack of my youth.”

2. Take the initial letter of each of those words:

MCAAATAWTSOMY

3. This will be the basis of the password, but we now need to make sure we use upper and lower case characters, numbers and “special characters” like !$&+. For example, let’s change cases first:

MCaAatAwtSomY

4. Now change some of those letters for numbers, maybe the letter O to a zero:

MCaAatAwtS0mY

5. Now add the special characters. I’ll change the “and” into + and &:

MC+A&tAwtS0mY

Ferguson suggests creating variations of the password for different websites, like adding the first and last letter of a website name at the beginning or end of a password. He adds that users also need to be aware of phishing scams that attempt to lure people to fake websites.

Mandiant security expert William Ballenthin told CBS News in an interview that heartbleed compromises past and future communications with a server, like banking or email transactions. He adds that this bug has been “in the wild” for about two years, and was only recently discovered. At this point not much can be done about the past.

But Ballenthin says major websites like Google, Amazon and Yahoo have identified the issues and released a fix. According to tech website Mashable, several major banks are not affected because they do not use OpenSSL encryption software. The website released a list of major sites that were affected by the heartbleed bug and have since been updated, including Facebook, Pinterest, Tumblr, Gmail, Yahoo, Amazon and Dropbox.

© 2014 CBS Interactive Inc. All Rights Reserved.
