
Changing password after “heartbleed” bug? Here’s what you need to know

By Chenda Ngak/CBS News 2:25 PM April 10, 2014
The “heartbleed” bug may have put millions of passwords, credit card details and sensitive information in the hands of nefarious hackers. Before you change your passwords, security experts suggest making sure the website is now secure, and provide tips for creating stronger passwords.

Heartbleed is a bug that made services using OpenSSL encryption vulnerable to attack, including websites, instant messaging software and email accounts. It’s worth noting that not all websites are affected by the heartbleed bug.

According to data analysis website Datanyze, 17.3 percent of the top 1 million websites ranked by Alexa.com may have been exposed to heartbleed. Internet data company Netcraft reports that a recent survey found 17.5 percent of websites that use secure socket layer (SSL) encryption. For many, it’s unclear which websites are still at risk, so it’s worth taking extra precaution.

“If the website is still vulnerable, changing the password will not accomplish anything. The hacker could potentially view your newly created password, too,” Dodi Glenn, director of security intelligence at ThreatTrack Security, told CBS News via email.

Glenn says there are websites to check whether or not a website has been patched, and suggested filippo.io/heartbleed or ssllabs.com/ssltest. Password management software maker LastPass also has a service that checks if a website is vulnerable. LastPass recommends users of websites like Yahoo, GitHub and Fitbit update their passwords right away. But if you have a Netflix, Airbnb or Quora account, wait to update.

Trend Micro vice president of security research Rik Ferguson told CBS News via email that if you update too early, not only are you putting your new password at risk, you could be exposing additional data that is requested during the password reset process. Ferguson suggests avoiding services that are not yet patched, until a security fix is released.

“If it is not possible to avoid logging in to a service then continue as normal, changing your password will not bring you any extra security until the server is patched,” Ferguson said.

But if you have the same password for several different websites or services, then change your password right away. Ferguson adds, “any exposure of a shared password may have wider consequences.”

Ferguson says you should change your password once you’ve been notified or discover that a server has had a security update. He suggested avoiding these big mistakes when creating a new password: using words from the dictionary, names, dates of birth, ages, telephone numbers, pet’s names, football teams or anything related to you.

Don’t use the same password for different services and never share your password. Even words using numbers in place of letters are not secure enough. Ferguson says a word like “P455w0rd” can be cracked within minutes.

Ferguson shared an example of five steps for creating a more secure password.

1. Think of a phrase you can easily remember, for example:

“Motley Crue and Adam and the Ants were the soundtrack of my youth.”

2. Take the initial letter of each of those words:

MCAAATAWTSOMY

3. This will be the basis of the password, but we now need to make sure we use upper and lower case characters, numbers and “special characters” like !$&+ for example, let’s change cases first:

MCaAatAwtSomY

4. Now change some of those letters for numbers, maybe the letter O to a zero

MCaAatAwtS0mY

5. Now add the special characters, I’ll change the “and” into + and &

MC+A&tAwtS0mY
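The mistakes listed above (dictionary words, names, dates, numbers swapped in for letters) can be checked mechanically, which is why a word like “P455w0rd” offers so little protection. The Python sketch below is an added example, not part of the original article; the wordlist, the substitution table and the function names are assumptions made for illustration.

```python
import re

# Constructed sample wordlist (assumption); a real check would load a full
# dictionary plus names, sports teams and similar guessable terms.
SAMPLE_WORDS = {"password", "dragon", "football", "monkey", "letmein"}

# Look-alike swaps that guessing tools reverse automatically (assumed table).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(text):
    """Lower-case the text and undo digit/symbol-for-letter swaps."""
    return text.lower().translate(LEET)


def weaknesses(password, personal_terms=(), words=SAMPLE_WORDS):
    """Return the listed mistakes this password matches (empty if none)."""
    reasons = []
    # Also test the password with leading/trailing digits and symbols cut
    # off, since "Football1!" is still just a dictionary word.
    trimmed = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", password.lower())
    for candidate in (normalize(password), normalize(trimmed)):
        if candidate in words:
            reasons.append("dictionary word once swaps are undone: " + candidate)
            break
    plain = normalize(password)
    for term in personal_terms:
        if term and normalize(term) in plain:
            reasons.append("contains personal term: " + term)
    if re.search(r"(19|20)\d\d", password):
        reasons.append("contains a year-like number")
    return reasons


if __name__ == "__main__":
    for pw in ("P455w0rd", "Football1!", "MC+A&tAwtS0mY"):
        print(pw, "->", weaknesses(pw) or "no listed mistake matched")
```

An empty result only means none of these specific mistakes matched; it is not a strength score.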

Ferguson suggests creating variations of the password for different websites, like adding the first and last letter of a website name at the beginning or end of a password. He adds that users also need to be aware of phishing scams that attempt to lure people to fake websites.

Mandiant security expert William Ballenthin told CBS News in an interview that heartbleed compromises past and future communications with a server, like banking or email transactions. He adds that this bug has been “in the wild” for about two years, and was only recently discovered. At this point not much can be done about the past.

But Ballenthin says major websites like Google, Amazon and Yahoo have identified the issues and released a fix. According to tech website Mashable, several major banks are not affected because they do not use OpenSSL encryption software. The website released a list of major sites that were affected by the heartbleed bug and have since been updated, including Facebook, Pinterest, Tumblr, Gmail, Yahoo, Amazon and Dropbox.

© 2014 CBS Interactive Inc. All Rights Reserved.
