
Changing password after “heartbleed” bug? Here’s what you need to know

By Chenda Ngak/CBS News 2:25 PM April 10, 2014
The “heartbleed” bug may have put millions of passwords, credit card details and sensitive information in the hands of nefarious hackers. Before you change your passwords, security experts suggest making sure the website is now secure, and provide tips for creating stronger passwords.

Heartbleed is a bug that made services using OpenSSL encryption vulnerable to attack, including websites, instant messaging software and email accounts. It’s worth noting that not all websites are affected by the heartbleed bug.

According to data analysis website Datanyze, 17.3 percent of the top 1 million websites ranked by Alexa.com may have been exposed to heartbleed. Internet data company Netcraft reports that a recent survey found 17.5 percent of websites that use secure socket layer (SSL) encryption. For many, it’s unclear which websites are still at risk, so it’s worth taking extra precaution.

“If the website is still vulnerable, changing the password will not accomplish anything. The hacker could potentially view your newly created password, too,” Dodi Glenn, director of security intelligence at ThreatTrack Security, told CBS News via email.

Glenn says there are websites to check whether or not a website has been patched, and suggested filippo.io/heartbleed or ssllabs.com/ssltest. Password management software maker LastPass also has a service that checks if a website is vulnerable. LastPass recommends users of websites like Yahoo, GitHub and Fitbit update their passwords right away. But if you have a Netflix, Airbnb or Quora account, wait to update.

Trend Micro vice president of security research Rik Ferguson told CBS News via email that if you update too early, not only are you putting your new password at risk, you could be exposing additional data that is requested during the password reset process. Ferguson suggests avoiding services that are not yet patched, until a security fix is released.

“If it is not possible to avoid logging in to a service then continue as normal, changing your password will not bring you any extra security until the server is patched,” Ferguson said.

But if you have the same password for several different websites or services, then change your password right away. Ferguson adds, “any exposure of a shared password may have wider consequences.”

Ferguson says you should change your password once you’ve been notified or discover that a server has had a security update. He suggested avoiding these big mistakes when creating a new password: using words from the dictionary, names, dates of birth, ages, telephone numbers, pet’s names, football teams or anything related to you.

Don’t use the same password for different services and never share your password. Even words using numbers in place of letters are not secure enough. Ferguson says a word like “P455w0rd” can be cracked within minutes.

Ferguson shared an example of five steps for creating a more secure password.

1. Think of a phrase you can easily remember, for example:

“Motley Crue and Adam and the Ants were the soundtrack of my youth.”

2. Take the initial letter of each of those words:

MCAAATAWTSOMY

3. This will be the basis of the password, but we now need to make sure we use upper and lower case characters, numbers and “special characters” like !$&+. For example, let’s change cases first:

MCaAatAwtSomY

4. Now change some of those letters for numbers, maybe the letter O to a zero:

MCaAatAwtS0mY

5. Now add the special characters, I’ll change the “and” into + and &

MC+A&tAwtS0mY
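
The following check is an added example, not part of the CBS News article or Ferguson's advice. It shows why a word like “P455w0rd” fails (the number-for-letter swaps are trivially reversible) while the phrase-based result above does not trip the same tests. The word list, the substitution table and the function names are constructed for illustration.

```python
import re

# Constructed sample word list (assumption); a real check would load a large
# dictionary plus a list of previously leaked passwords.
COMMON_WORDS = ("password", "letmein", "dragon", "football", "monkey", "welcome")

# Number/symbol-for-letter swaps of the kind the article warns about (assumption:
# this small table stands in for a fuller one).
LEET = str.maketrans({"4": "a", "@": "a", "5": "s", "$": "s", "0": "o",
                      "1": "l", "!": "i", "3": "e", "7": "t"})


def normalize(password):
    """Lowercase the password and undo common character swaps."""
    return password.lower().translate(LEET)


def weaknesses(password, personal=()):
    """Return the reasons a password matches the mistakes listed in the article."""
    reasons = []
    # Keep only letters after undoing swaps, so "P455w0rd" becomes "password".
    letters = re.sub(r"[^a-z]", "", normalize(password))
    for word in COMMON_WORDS:
        if word in letters:
            reasons.append(f"dictionary word after undoing substitutions: {word}")
    # Names, dates, team names etc. supplied by the caller.
    squashed = re.sub(r"[^a-z0-9]", "", password.lower())
    for item in personal:
        token = re.sub(r"[^a-z0-9]", "", item.lower())
        if token and token in squashed:
            reasons.append(f"personal detail: {item}")
    # Upper case, lower case, numbers and special characters (step 3).
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    missing = sum(1 for c in classes if not re.search(c, password))
    if missing:
        reasons.append(f"{missing} of 4 character classes unused")
    return reasons


if __name__ == "__main__":
    for candidate in ("P455w0rd", "MC+A&tAwtS0mY"):
        print(candidate, "->", weaknesses(candidate) or "no listed mistake found")
```

An empty result only means none of these specific mistakes was detected; it is not a measure of overall strength.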

Ferguson suggests creating variations of the password for different websites, like adding the first and last letter of a website name at the beginning or end of a password. He adds that users also need to be aware of phishing scams that attempt to lure people to fake websites.

Mandiant security expert William Ballenthin told CBS News in an interview that heartbleed compromises past and future communications with a server, like banking or email transactions. He adds that this bug has been “in the wild” for about two years, and was only recently discovered. At this point not much can be done about the past.

But Ballenthin says major websites like Google, Amazon and Yahoo have identified the issues and released a fix. According to tech website Mashable, several major banks are not affected because they do not use OpenSSL encryption software. The website released a list of major sites that were affected by the heartbleed bug and have since been updated, including Facebook, Pinterest, Tumblr, Gmail, Yahoo, Amazon and Dropbox.

© 2014 CBS Interactive Inc. All Rights Reserved.
