
Changing password after “heartbleed” bug? Here’s what you need to know

By Chenda Ngak/CBS News 2:25 PM April 10, 2014
The “heartbleed” bug may have put millions of passwords, credit card details and sensitive information in the hands of nefarious hackers. Before you change your passwords, security experts suggest making sure the website is now secure, and provide tips for creating stronger passwords.

Heartbleed is a bug that made services using OpenSSL encryption vulnerable to attack, including websites, instant messaging software and email accounts. It’s worth noting that not all websites are affected by the heartbleed bug.

According to data analysis website Datanyze, 17.3 percent of the top 1 million websites ranked by Alexa.com may have been exposed to heartbleed. Internet data company Netcraft reports that a recent survey found 17.5 percent of websites that use secure socket layer (SSL) encryption. For many, it’s unclear which websites are still at risk, so it’s worth taking extra precaution.

“If the website is still vulnerable, changing the password will not accomplish anything. The hacker could potentially view your newly created password, too,” Dodi Glenn, director of security intelligence at ThreatTrack Security, told CBS News via email.

Glenn says there are websites to check whether or not a website has been patched, and suggested filippo.io/heartbleed or ssllabs.com/ssltest. Password management software maker LastPass also has a service that checks if a website is vulnerable. LastPass recommends users of websites like Yahoo, GitHub and Fitbit update their passwords right away. But if you have a Netflix, Airbnb or Quora account, wait to update.

Trend Micro vice president of security research Rik Ferguson told CBS News via email that if you update too early, not only are you putting your new password at risk, you could be exposing additional data that is requested during the password reset process. Ferguson suggests avoiding services that are not yet patched, until a security fix is released.

“If it is not possible to avoid logging in to a service then continue as normal, changing your password will not bring you any extra security until the server is patched,” Ferguson said.

But if you have the same password for several different websites or services, then change your password right away. Ferguson adds, “any exposure of a shared password may have wider consequences.”

Ferguson says you should change your password once you’ve been notified or discover that a server has had a security update. He suggested avoiding these big mistakes when creating a new password: using words from the dictionary, names, dates of birth, ages, telephone numbers, pet’s names, football teams or anything related to you.

Don’t use the same password for different services and never share your password. Even words using numbers in place of letters are not secure enough. Ferguson says a word like “P455w0rd” can be cracked within minutes.
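The mistakes Ferguson lists (dictionary words, personal details, and digit-for-letter swaps such as “P455w0rd”) can be caught by a simple password-policy filter. The sketch below is an added example, not part of the original article; the wordlist, substitution table and function names are constructed for illustration.

```python
import re

# Constructed sample wordlist; a real filter would load a large dictionary
# or breached-password list instead.
COMMON_WORDS = {"password", "football", "dragon", "monkey", "letmein"}

# Common digit/symbol-for-letter swaps, undone before the dictionary lookup.
# "1" is ambiguous (i or l), so both readings are tried in normalise().
LEET = {"4": "a", "@": "a", "5": "s", "$": "s", "0": "o", "3": "e", "7": "t"}


def normalise(password):
    """Return lower-case forms of the password with substitutions undone."""
    lowered = password.lower()
    # Also try the password without leading/trailing non-letters ("!1", "123").
    trimmed = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    forms = set()
    for cand in (lowered, trimmed):
        base = "".join(LEET.get(ch, ch) for ch in cand)
        forms.update({base.replace("1", "i"), base.replace("1", "l")})
    return forms


def weaknesses(password, personal=()):
    """List the reasons a password fails; an empty list means none were found.

    personal: strings tied to the user (name, pet, team, birth year, phone).
    """
    found = []
    forms = normalise(password)
    if forms & COMMON_WORDS:
        found.append("dictionary word (after undoing substitutions)")
    haystacks = forms | {password.lower()}
    for item in personal:
        token = item.lower()
        if len(token) >= 3 and any(token in h for h in haystacks):
            found.append("contains personal detail: " + item)
    if re.fullmatch(r"\d+", password):
        found.append("digits only (date, age or phone number)")
    return found


if __name__ == "__main__":
    for pw in ("P455w0rd", "F00tball!1", "MC+A&tAwtS0mY"):
        print(pw, "->", weaknesses(pw) or "no listed weakness found")
```

An empty result only means none of these specific checks fired; it is not a strength score.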

Ferguson shared an example of five steps for creating a more secure password.

1. Think of a phrase you can easily remember, for example:

“Motley Crue and Adam and the Ants were the soundtrack of my youth.”

2. Take the initial letter of each of those words:

MCAAATAWTSOMY

3. This will be the basis of the password, but we now need to make sure we use upper and lower case characters, numbers and “special characters” like !$&+, for example. Let’s change cases first:

MCaAatAwtSomY

4. Now change some of those letters for numbers, maybe the letter O to a zero:

MCaAatAwtS0mY

5. Now add the special characters. I’ll change the “and” into + and &:

MC+A&tAwtS0mY

Ferguson suggests creating variations of the password for different websites, like adding the first and last letter of a website name at the beginning or end of a password. He adds that users also need to be aware of phishing scams that attempt to lure people to fake websites.

Mandiant security expert William Ballenthin told CBS News in an interview that heartbleed compromises past and future communications with a server, like banking or email transactions. He adds that this bug has been “in the wild” for about two years, and was only recently discovered. At this point not much can be done about the past.

But Ballenthin says major websites like Google, Amazon and Yahoo have identified the issues and released a fix. According to tech website Mashable, several major banks are not affected because they do not use OpenSSL encryption software. The website released a list of major sites that were affected by the heartbleed bug and have since been updated, including Facebook, Pinterest, Tumblr, Gmail, Yahoo, Amazon and Dropbox.

© 2014 CBS Interactive Inc. All Rights Reserved.
