
Changing password after “heartbleed” bug? Here’s what you need to know

By Chenda Ngak/CBS News 2:25 PM April 10, 2014
The “heartbleed” bug may have put millions of passwords, credit card details and sensitive information in the hands of nefarious hackers. Before you change your passwords, security experts suggest making sure the website is now secure, and provide tips for creating stronger passwords.

Heartbleed is a bug that made services using OpenSSL encryption vulnerable to attack, including websites, instant messaging software and email accounts. It’s worth noting that not all websites are affected by the heartbleed bug.

According to data analysis website Datanyze, 17.3 percent of the top 1 million websites ranked by Alexa.com may have been exposed to heartbleed. Internet data company Netcraft reports that a recent survey found 17.5 percent of websites that use secure socket layer (SSL) encryption. For many, it’s unclear which websites are still at risk, so it’s worth taking extra precaution.

“If the website is still vulnerable, changing the password will not accomplish anything. The hacker could potentially view your newly created password, too,” Dodi Glenn, director of security intelligence at ThreatTrack Security, told CBS News via email.

Glenn says there are websites to check whether or not a website has been patched, and suggested filippo.io/heartbleed or ssllabs.com/ssltest. Password management software maker LastPass also has a service that checks if a website is vulnerable. LastPass recommends users of websites like Yahoo, GitHub and Fitbit update their passwords right away. But if you have a Netflix, Airbnb or Quora account, wait to update.

Trend Micro vice president of security research Rik Ferguson told CBS News via email that if you update too early, not only are you putting your new password at risk, you could be exposing additional data that is requested during the password reset process. Ferguson suggests avoiding services that are not yet patched, until a security fix is released.

“If it is not possible to avoid logging in to a service then continue as normal, changing your password will not bring you any extra security until the server is patched,” Ferguson said.

But if you have the same password for several different websites or services, then change your password right away. Ferguson adds, “any exposure of a shared password may have wider consequences.”

Ferguson says you should change your password once you’ve been notified or discover that a server has had a security update. He suggested avoiding these big mistakes when creating a new password: using words from the dictionary, names, dates of birth, ages, telephone numbers, pet’s names, football teams or anything related to you.

Don’t use the same password for different services and never share your password. Even words using numbers in place of letters are not secure enough. Ferguson says a word like “P455w0rd” can be cracked within minutes.

Ferguson shared an example of five steps for creating a more secure password.

1. Think of a phrase you can easily remember, for example:

“Motley Crue and Adam and the Ants were the soundtrack of my youth.”

2. Take the initial letter of each of those words:

MCAAATAWTSOMY

3. This will be the basis of the password, but we now need to make sure we use upper and lower case characters, numbers and “special characters” like !$&+ for example, let’s change cases first:

MCaAatAwtSomY

4. Now change some of those letters for numbers, maybe the letter O to a zero

MCaAatAwtS0mY

5. Now add the special characters, I’ll change the “and” into + and &

MC+A&tAwtS0mY
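The mistakes Ferguson lists and the password produced in step 5 can be checked mechanically. The following is an added example, not part of the original article or anything Ferguson supplied; the word list, the substitution table and the function names are constructed for illustration.

```python
import re

# Constructed sample list; a real check would load a full dictionary and a
# breached-password list.
COMMON_WORDS = {"password", "football", "dragon", "monkey", "letmein", "welcome"}

# Number/symbol-for-letter swaps, undone before the dictionary lookup.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(text):
    """Lowercase and undo substitutions: 'P455w0rd' -> 'password'."""
    return text.lower().translate(LEET)


def screen_password(password, personal=()):
    """Return the reasons to reject `password`; an empty list means it passes.

    `personal` is a hypothetical list of strings tied to the user
    (names, pet names, teams, dates of birth, phone numbers).
    """
    problems = []
    plain = normalize(password)
    # Also test the word with leading/trailing padding removed ('football1!').
    core = normalize(re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower()))
    if plain in COMMON_WORDS or core in COMMON_WORDS:
        problems.append("dictionary word")
    tokens = [t for item in personal
              for t in re.findall(r"[a-z0-9]{3,}", item.lower())]
    if any(normalize(t) in plain for t in tokens):
        problems.append("personal detail")
    classes = {"upper case": r"[A-Z]", "lower case": r"[a-z]",
               "number": r"[0-9]", "special character": r"[^A-Za-z0-9]"}
    for name, pattern in classes.items():
        if not re.search(pattern, password):
            problems.append("no " + name)
    return problems


if __name__ == "__main__":
    for candidate in ("P455w0rd", "football1!", "MC+A&tAwtS0mY"):
        print(candidate, screen_password(candidate) or "passes")
```

Undoing the substitutions before the lookup is why “P455w0rd” fails as a plain dictionary word, while the phrase-based password from step 5 matches nothing in the list.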

Ferguson suggests creating variations of the password for different websites, like adding the first and last letter of a website name at the beginning or end of a password. He adds that users also need to be aware of phishing scams that attempt to lure people to fake websites.

Mandiant security expert William Ballenthin told CBS News in an interview that heartbleed compromises past and future communications with a server, like banking or email transactions. He adds that this bug has been “in the wild” for about two years, and was only recently discovered. At this point not much can be done about the past.

But Ballenthin says major websites like Google, Amazon and Yahoo have identified the issues and released a fix. According to tech website Mashable, several major banks are not affected because they do not use OpenSSL encryption software. The website released a list of major sites that were affected by the heartbleed bug and have since been updated, including Facebook, Pinterest, Tumblr, Gmail, Yahoo, Amazon and Dropbox.

© 2014 CBS Interactive Inc. All Rights Reserved.
