
Changing password after “heartbleed” bug? Here’s what you need to know

By Chenda Ngak/CBS News 2:25 PM April 10, 2014
The “heartbleed” bug may have put millions of passwords, credit card details and sensitive information in the hands of nefarious hackers. Before you change your passwords, security experts suggest making sure the website is now secure, and provide tips for creating stronger passwords.

Heartbleed is a bug that made services using OpenSSL encryption vulnerable to attack, including websites, instant messaging software and email accounts. It’s worth noting that not all websites are affected by the heartbleed bug.

According to data analysis website Datanyze, 17.3 percent of the top 1 million websites ranked by Alexa.com may have been exposed to heartbleed. Internet data company Netcraft reports that a recent survey found 17.5 percent of websites that use secure socket layer (SSL) encryption. For many, it’s unclear which websites are still at risk, so it’s worth taking extra precaution.

“If the website is still vulnerable, changing the password will not accomplish anything. The hacker could potentially view your newly created password, too,” Dodi Glenn, director of security intelligence at ThreatTrack Security, told CBS News via email.

Glenn says there are websites to check whether or not a website has been patched, and suggested filippo.io/heartbleed or ssllabs.com/ssltest. Password management software maker LastPass also has a service that checks if a website is vulnerable. LastPass recommends users of websites like Yahoo, GitHub and Fitbit update their passwords right away. But if you have a Netflix, Airbnb or Quora account, wait to update.

Trend Micro vice president of security research Rik Ferguson told CBS News via email that if you update too early, not only are you putting your new password at risk, you could be exposing additional data that is requested during the password reset process. Ferguson suggests avoiding services that are not yet patched, until a security fix is released.

“If it is not possible to avoid logging in to a service then continue as normal, changing your password will not bring you any extra security until the server is patched,” Ferguson said.

But if you have the same password for several different websites or services, then change your password right away. Ferguson adds, “any exposure of a shared password may have wider consequences.”

Ferguson says you should change your password once you’ve been notified or discover that a server has had a security update. He suggested avoiding these big mistakes when creating a new password: using words from the dictionary, names, dates of birth, ages, telephone numbers, pet’s names, football teams or anything related to you.

Don’t use the same password for different services and never share your password. Even words using numbers in place of letters are not secure enough. Ferguson says a word like “P455w0rd” can be cracked within minutes.

Ferguson shared an example of five steps for creating a more secure password.

1. Think of a phrase you can easily remember, for example:

“Motley Crue and Adam and the Ants were the soundtrack of my youth.”

2. Take the initial letter of each of those words:

MCAAATAWTSOMY

3. This will be the basis of the password, but we now need to make sure we use upper and lower case characters, numbers and “special characters” like !$&+ for example, let’s change cases first:

MCaAatAwtSomY

4. Now change some of those letters for numbers, maybe the letter O to a zero

MCaAatAwtS0mY

5. Now add the special characters, I’ll change the “and” into + and &

MC+A&tAwtS0mY
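Why a word like “P455w0rd” offers so little protection while the phrase-based password above holds up can be shown with a small password check. This is an added example, not code from the article or from Ferguson; the word list and substitution table are constructed samples, and a real check would load a full dictionary.

```python
import itertools
import string

# Constructed sample word list (assumption); a real check would use a large dictionary.
WORDLIST = {"password", "football", "dragon", "monkey", "sunshine"}

# Common number/symbol-for-letter swaps (assumed table): symbol -> letters it may stand for.
SUBSTITUTIONS = {"0": "o", "1": "il", "3": "e", "4": "a", "5": "s",
                 "7": "t", "@": "a", "$": "s", "!": "i"}

def undo_substitutions(password, limit=4096):
    """Yield lowercase candidates with each swapped symbol turned back into a letter."""
    options = [SUBSTITUTIONS.get(ch, ch) for ch in password.lower()]
    # Ambiguous symbols (such as 1 -> i or l) produce several candidates; cap the total.
    for combo in itertools.islice(itertools.product(*options), limit):
        yield "".join(combo)

def hidden_dictionary_word(password, wordlist=WORDLIST, min_len=5):
    """Return a dictionary word hiding in the password once swaps are undone, else None."""
    for candidate in undo_substitutions(password):
        letters = "".join(ch for ch in candidate if ch.isalpha())
        for word in sorted(wordlist):
            if len(word) >= min_len and word in letters:
                return word
    return None

def missing_classes(password):
    """List the character classes from step 3 that the password does not use."""
    classes = {"upper case letter": string.ascii_uppercase,
               "lower case letter": string.ascii_lowercase,
               "number": string.digits,
               "special character": string.punctuation}
    return [name for name, chars in classes.items()
            if not any(ch in chars for ch in password)]

def assess(password):
    """Return a list of problems; an empty list means the checks found none."""
    problems = []
    word = hidden_dictionary_word(password)
    if word:
        problems.append(f"dictionary word '{word}' after undoing substitutions")
    problems += [f"no {name}" for name in missing_classes(password)]
    return problems

if __name__ == "__main__":
    for pw in ("P455w0rd", "MC+A&tAwtS0mY"):
        print(pw, "->", assess(pw) or "no problems found")
```

Undoing the swaps turns “P455w0rd” straight back into a dictionary word, which is the same shortcut password-guessing tools take, while the phrase-derived password matches no word and uses all four character classes.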

Ferguson suggests creating variations of the password for different websites, like adding the first and last letter of a website name at the beginning or end of a password. He adds that users also need to be aware of phishing scams that attempt to lure people to fake websites.

Mandiant security expert William Ballenthin told CBS News in an interview that heartbleed compromises past and future communications with a server, like banking or email transactions. He adds that this bug has been “in the wild” for about two years, and was only recently discovered. At this point not much can be done about the past.

But Ballenthin says major websites like Google, Amazon and Yahoo have identified the issues and released a fix. According to tech website Mashable, several major banks are not affected because they do not use OpenSSL encryption software. The website released a list of major sites that were affected by the heartbleed bug and have since been updated, including Facebook, Pinterest, Tumblr, Gmail, Yahoo, Amazon and Dropbox.

© 2014 CBS Interactive Inc. All Rights Reserved.
