Changing password after “heartbleed” bug? Here’s what you need to know

By Chenda Ngak/CBS News 2:25 PM April 10, 2014
The “heartbleed” bug may have put millions of passwords, credit card details and sensitive information in the hands of nefarious hackers. Before you change your passwords, security experts suggest making sure the website is now secure, and provide tips for creating stronger passwords.

Heartbleed is a bug that made services using OpenSSL encryption vulnerable to attack, including websites, instant messaging software and email accounts. It’s worth noting that not all websites are affected by the heartbleed bug.

According to data analysis website Datanyze, 17.3 percent of the top 1 million websites ranked by Alexa.com may have been exposed to heartbleed. Internet data company Netcraft reports that a recent survey found 17.5 percent of websites that use secure socket layer (SSL) encryption. For many, it’s unclear which websites are still at risk, so it’s worth taking extra precaution.

“If the website is still vulnerable, changing the password will not accomplish anything. The hacker could potentially view your newly created password, too,” Dodi Glenn, director of security intelligence at ThreatTrack Security, told CBS News via email.

Glenn says there are websites to check whether or not a website has been patched, and suggested filippo.io/heartbleed or ssllabs.com/ssltest. Password management software maker LastPass also has a service that checks if a website is vulnerable. LastPass recommends users of websites like Yahoo, GitHub and Fitbit update their passwords right away. But if you have a Netflix, Airbnb or Quora account, wait to update.

Trend Micro vice president of security research Rik Ferguson told CBS News via email that if you update too early, not only are you putting your new password at risk, you could be exposing additional data that is requested during the password reset process. Ferguson suggests avoiding services that are not yet patched, until a security fix is released.

“If it is not possible to avoid logging in to a service then continue as normal, changing your password will not bring you any extra security until the server is patched,” Ferguson said.

But if you have the same password for several different websites or services, then change your password right away. Ferguson adds, “any exposure of a shared password may have wider consequences.”

Ferguson says you should change your password once you’ve been notified or discover that a server has had a security update. He suggested avoiding these big mistakes when creating a new password: using words from the dictionary, names, dates of birth, ages, telephone numbers, pets’ names, football teams or anything related to you.

Don’t use the same password for different services and never share your password. Even words using numbers in place of letters are not secure enough. Ferguson says a word like “P455w0rd” can be cracked within minutes.

Ferguson shared an example of five steps for creating a more secure password.

1. Think of a phrase you can easily remember, for example:

“Motley Crue and Adam and the Ants were the soundtrack of my youth.”

2. Take the initial letter of each of those words:

MCAAATAWTSOMY

3. This will be the basis of the password, but we now need to make sure we use upper and lower case characters, numbers and “special characters” like !$&+, for example. Let’s change cases first:

MCaAatAwtSomY

4. Now change some of those letters for numbers, maybe the letter O to a zero:

MCaAatAwtS0mY

5. Now add the special characters. I’ll change the “and” into + and &:

MC+A&tAwtS0mY
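
An added example, not from the article or from Ferguson: a small Python screen for the password mistakes listed above, showing why “P455w0rd” fails once its number swaps are undone, together with steps 1 and 2 of the phrase method. The word list, substitution table and function names are constructed for illustration.

```python
import re

# Constructed sample word list; a real screen would load a large dictionary
# or a corpus of breached passwords.
COMMON_WORDS = {"password", "football", "letmein", "dragon", "monkey"}

# Common digit/symbol-for-letter swaps, reversed. Wordlist mangling rules
# try the same swaps, which is why they add little protection.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

def normalize(password):
    """Lowercase the password and undo the swaps in LEET."""
    return password.lower().translate(LEET)

def weaknesses(password, personal=()):
    """Return which of the listed mistakes the password matches."""
    plain = normalize(password)
    letters = re.sub(r"[^a-z]", "", plain)
    found = []
    if any(word in letters for word in COMMON_WORDS):
        found.append("dictionary word (after undoing number swaps)")
    # 'personal' holds names, teams, pets etc. supplied by the caller.
    if any(p.lower() in plain for p in personal if len(p) >= 3):
        found.append("personal detail")
    if re.fullmatch(r"[\d\-/. ]{4,}", password):
        found.append("date, age or phone number")
    classes = [r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z\d]"]
    if sum(bool(re.search(c, password)) for c in classes) < 4:
        found.append("missing a character class")
    return found

def initials(phrase):
    """Steps 1-2: take the first letter of each word, upper-cased."""
    return "".join(word[0] for word in phrase.split()).upper()

if __name__ == "__main__":
    for candidate in ("P455w0rd", "04/10/2014", "MC+A&tAwtS0mY"):
        print(candidate, "->", weaknesses(candidate) or "no listed mistake")
```

An empty result only means none of the listed mistakes was detected; it is not a measure of strength.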

Ferguson suggests creating variations of the password for different websites, like adding the first and last letter of a website name at the beginning or end of a password. He adds that users also need to be aware of phishing scams that attempt to lure people to fake websites.

Mandiant security expert William Ballenthin told CBS News in an interview that heartbleed compromises past and future communications with a server, like banking or email transactions. He adds that this bug has been “in the wild” for about two years, and was only recently discovered. At this point not much can be done about the past.

But Ballenthin says major websites like Google, Amazon and Yahoo have identified the issues and released a fix. According to tech website Mashable, several major banks are not affected because they do not use OpenSSL encryption software. The website released a list of major sites that were affected by the heartbleed bug and have since been updated, including Facebook, Pinterest, Tumblr, Gmail, Yahoo, Amazon and Dropbox.

© 2014 CBS Interactive Inc. All Rights Reserved.
