
Changing password after “heartbleed” bug? Here’s what you need to know

By Chenda Ngak/CBS News 2:25 PM April 10, 2014
The “heartbleed” bug may have put millions of passwords, credit card details and sensitive information in the hands of nefarious hackers. Before you change your passwords, security experts suggest making sure the website is now secure, and provide tips for creating stronger passwords.

Heartbleed is a bug that made services using OpenSSL encryption vulnerable to attack, including websites, instant messaging software and email accounts. It’s worth noting that not all websites are affected by the heartbleed bug.

According to data analysis website Datanyze, 17.3 percent of the top 1 million websites ranked by Alexa.com may have been exposed to heartbleed. Internet data company Netcraft reports that a recent survey found 17.5 percent of websites that use secure socket layer (SSL) encryption. For many, it’s unclear which websites are still at risk, so it’s worth taking extra precaution.

“If the website is still vulnerable, changing the password will not accomplish anything. The hacker could potentially view your newly created password, too,” Dodi Glenn, director of security intelligence at ThreatTrack Security, told CBS News via email.

Glenn says there are websites to check whether or not a website has been patched, and suggested filippo.io/heartbleed or ssllabs.com/ssltest. Password management software maker LastPass also has a service that checks if a website is vulnerable. LastPass recommends users of websites like Yahoo, GitHub and Fitbit update their passwords right away. But if you have a Netflix, Airbnb or Quora account, wait to update.

Trend Micro vice president of security research Rik Ferguson told CBS News via email that if you update too early, not only are you putting your new password at risk, you could be exposing additional data that is requested during the password reset process. Ferguson suggests avoiding services that are not yet patched, until a security fix is released.

“If it is not possible to avoid logging in to a service then continue as normal, changing your password will not bring you any extra security until the server is patched,” Ferguson said.

But if you have the same password for several different websites or services, then change your password right away. Ferguson adds, “any exposure of a shared password may have wider consequences.”

Ferguson says you should change your password once you’ve been notified or discover that a server has had a security update. He suggested avoiding these big mistakes when creating a new password: using words from the dictionary, names, dates of birth, ages, telephone numbers, pet’s names, football teams or anything related to you.

Don’t use the same password for different services and never share your password. Even words using numbers in place of letters are not secure enough. Ferguson says a word like “P455w0rd” can be cracked within minutes.

Ferguson shared an example of five steps for creating a more secure password.

1. Think of a phrase you can easily remember, for example:

“Motley Crue and Adam and the Ants were the soundtrack of my youth.”

2. Take the initial letter of each of those words:

MCAAATAWTSOMY

3. This will be the basis of the password, but we now need to make sure we use upper and lower case characters, numbers and “special characters” like !$&+. For example, let’s change cases first:

MCaAatAwtSomY

4. Now change some of those letters for numbers, maybe the letter O to a zero:

MCaAatAwtS0mY

5. Now add the special characters. I’ll change the “and” into + and &:

MC+A&tAwtS0mY
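An added example, not code from the article or from Ferguson: a password screen of the kind a site could run when a user sets a new password. It shows why “P455w0rd” fails even with a special character appended, while the phrase-derived password from the five steps passes. The word list, substitution table and function names are constructed for illustration.

```python
import re

# Constructed stand-in for a real list of dictionary words and common passwords.
WORDLIST = {"password", "football", "welcome", "dragon", "monkey"}

# Digit/symbol-for-letter swaps mapped back to the letters they imitate (assumed set).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

def base_forms(candidate):
    """Forms a guessing tool would effectively be trying: lower-cased, with
    substitutions undone, with and without leading/trailing digits or symbols."""
    low = candidate.lower()
    trimmed = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", low)
    return {low.translate(LEET), trimmed.translate(LEET)}

def screen(candidate):
    """Return the reasons a candidate is rejected; an empty list means it passes."""
    reasons = []
    if base_forms(candidate) & WORDLIST:
        reasons.append("dictionary word once substitutions are undone")
    checks = {
        "lower-case letter": str.islower,
        "upper-case letter": str.isupper,
        "number": str.isdigit,
        "special character": lambda c: not c.isalnum(),
    }
    for name, test in checks.items():
        if not any(test(c) for c in candidate):
            reasons.append("no " + name)
    return reasons

if __name__ == "__main__":
    # The article's own examples, from the weak word through steps 2 and 5.
    for pw in ["P455w0rd", "P455w0rd!", "MCAAATAWTSOMY", "MC+A&tAwtS0mY"]:
        print(pw, "->", screen(pw) or "passes")
```
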

Ferguson suggests creating variations of the password for different websites, like adding the first and last letter of a website name at the beginning or end of a password. He adds that users also need to be aware of phishing scams that attempt to lure people to fake websites.

Mandiant security expert William Ballenthin told CBS News in an interview that heartbleed compromises past and future communications with a server, like banking or email transactions. He adds that this bug has been “in the wild” for about two years, and was only recently discovered. At this point not much can be done about the past.

But Ballenthin says major websites like Google, Amazon and Yahoo have identified the issues and released a fix. According to tech website Mashable, several major banks are not affected because they do not use OpenSSL encryption software. The website released a list of major sites that were affected by the heartbleed bug and have since been updated, including Facebook, Pinterest, Tumblr, Gmail, Yahoo, Amazon and Dropbox.

© 2014 CBS Interactive Inc. All Rights Reserved.
