
Changing password after “heartbleed” bug? Here’s what you need to know

By Chenda Ngak/CBS News 2:25 PM April 10, 2014
The “heartbleed” bug may have put millions of passwords, credit card details and other sensitive information in the hands of nefarious hackers. Before you change your passwords, security experts suggest making sure the website is now secure, and provide tips for creating stronger passwords.

Heartbleed is a bug in OpenSSL, a widely used encryption library, that made services built on vulnerable versions of it open to attack, including websites, instant messaging software and email accounts. It’s worth noting that not all websites are affected by the heartbleed bug. According to data analysis website Datanyze, 17.3 percent of the top 1 million websites ranked by Alexa.com may have been exposed to heartbleed. Internet data company Netcraft reports that a recent survey found 17.5 percent of websites that use secure sockets layer (SSL) encryption were affected. For many, it’s unclear which websites are still at risk, so it’s worth taking extra precautions.

“If the website is still vulnerable, changing the password will not accomplish anything. The hacker could potentially view your newly created password, too,” Dodi Glenn, director of security intelligence at ThreatTrack Security, told CBS News via email.
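Why Glenn’s warning holds, as an added example that is not from the article or from OpenSSL: a small Python model of the TLS heartbeat handler before and after the fix in OpenSSL 1.0.1g. Vulnerable versions (1.0.1 through 1.0.1f) trusted the 16-bit payload length in the request instead of the size of the record actually received, so the reply copied that many bytes out of process memory, including whatever a recent login left next to the buffer. The heap contents, the login request and the password in it are constructed sample data; the real code is C in OpenSSL’s ssl/t1_lib.c (and ssl/d1_both.c for DTLS), and the length check below is the one the fix added.

```python
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = 16  # RFC 6520 requires at least 16 bytes of padding per message

# Constructed sample of what sits in the server's heap right after the
# heartbeat buffer: a form-encoded login the server handled moments ago
# (password "MC+A&tAwtS0mY" appears URL-encoded). Illustrative data only.
NEARBY_MEMORY = (
    b"POST /login HTTP/1.1\r\nCookie: session=3f9c2a7b1d\r\n\r\n"
    b"user=alice&password=MC%2BA%26tAwtS0mY\r\n"
)


def build_heartbeat(claimed_len: int, payload: bytes) -> bytes:
    """HeartbeatMessage wire format: type(1) | payload_length(2) | payload | padding."""
    return struct.pack("!BH", HB_REQUEST, claimed_len) + payload + b"\x00" * PADDING


def vulnerable_heartbeat(record: bytes, memory: bytes) -> bytes:
    """OpenSSL 1.0.1-1.0.1f behaviour: believe payload_length and copy that much.

    The record lives in a heap buffer followed by other data (modelled here by
    appending `memory`), so an oversized length reads straight past the record.
    Response padding is omitted; it does not change what leaks.
    """
    if len(record) < 3:
        return b""
    hbtype, claimed_len = struct.unpack("!BH", record[:3])
    if hbtype != HB_REQUEST:
        return b""
    heap = record + memory
    return struct.pack("!BH", HB_RESPONSE, claimed_len) + heap[3 : 3 + claimed_len]


def patched_heartbeat(record: bytes, memory: bytes) -> bytes:
    """OpenSSL 1.0.1g behaviour: drop the request if the claimed length does not fit.

    `memory` is accepted only to keep the signature identical; it is never read.
    """
    if len(record) < 3:
        return b""
    hbtype, claimed_len = struct.unpack("!BH", record[:3])
    if hbtype != HB_REQUEST:
        return b""
    # The added bounds check: type + length + payload + padding must fit the record.
    if 1 + 2 + claimed_len + PADDING > len(record):
        return b""  # silently discarded, exactly as the fix does
    return struct.pack("!BH", HB_RESPONSE, claimed_len) + record[3 : 3 + claimed_len]


def leaked_bytes(response: bytes, sent_payload: bytes) -> bytes:
    """Whatever the echo contains beyond the payload the client actually sent."""
    return response[3 + len(sent_payload):]


if __name__ == "__main__":
    req = build_heartbeat(16384, b"hi")  # claims 16 KiB, sends 2 bytes
    leak = leaked_bytes(vulnerable_heartbeat(req, NEARBY_MEMORY), b"hi")
    print("vulnerable server leaked:", leak)
    print("patched server replied:", patched_heartbeat(req, NEARBY_MEMORY))
```

Each request can pull back up to 64 KiB and leaves nothing in the server’s logs, which is why a password typed into a still-vulnerable site is no safer than the one it replaced. Note also that reading the version string from `openssl version` is not a reliable test on its own, because distributions such as Debian and Red Hat backported the fix without changing the reported version; the server-side checkers the article recommends test the behaviour itself.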

Glenn says there are websites that check whether or not a site has been patched, and suggested filippo.io/heartbleed or ssllabs.com/ssltest. Password management software maker LastPass also has a service that checks if a website is vulnerable. LastPass recommends that users of websites like Yahoo, GitHub and Fitbit update their passwords right away, but if you have a Netflix, Airbnb or Quora account, wait to update. A clean result from these checkers means the flaw can no longer be triggered against that server; it does not by itself show that a site whose private key may have leaked has also replaced its key and certificate.

Trend Micro vice president of security research Rik Ferguson told CBS News via email that if you update too early, not only are you putting your new password at risk, you could also be exposing additional data that is requested during the password reset process. Ferguson suggests avoiding services that are not yet patched until the service has applied a security fix.

“If it is not possible to avoid logging in to a service then continue as normal, changing your password will not bring you any extra security until the server is patched,” Ferguson said.

But if you use the same password for several different websites or services, then change your password right away. Ferguson adds, “any exposure of a shared password may have wider consequences.”

Ferguson says you should change your password once you’ve been notified or discover that a server has had a security update. He suggested avoiding these big mistakes when creating a new password: using words from the dictionary, names, dates of birth, ages, telephone numbers, pets’ names, football teams or anything related to you.

Don’t use the same password for different services, and never share your password. Even words with numbers substituted for letters are not secure enough: Ferguson says a word like “P455w0rd” can be cracked within minutes.

Ferguson shared an example of five steps for creating a more secure password.

1. Think of a phrase you can easily remember, for example:

“Motley Crue and Adam and the Ants were the soundtrack of my youth.”

2. Take the initial letter of each of those words:

MCAAATAWTSOMY

3. This will be the basis of the password, but we now need to make sure we use upper and lower case characters, numbers and “special characters” like !$&+. For example, let’s change cases first:

MCaAatAwtSomY

4. Now change some of those letters for numbers, maybe the letter O to a zero:

MCaAatAwtS0mY

5. Now add the special characters. I’ll change the “and” into + and &:

MC+A&tAwtS0mY

Ferguson suggests creating variations of the password for different websites, like adding the first and last letter of a website name at the beginning or end of a password. He adds that users also need to be aware of phishing scams that attempt to lure people to fake websites.
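Ferguson’s five steps and the per-site variation above, together with the reason “P455w0rd” falls in minutes, as an added Python example that is not from the article: `passphrase_password` reproduces steps 2 to 5 on his phrase, `site_variant` applies one reading of the per-site tweak, and `is_crackable` shows the reversal of number-for-letter substitutions that cracking rule sets apply before a dictionary lookup. The case rule in step 3, the choice of putting the site’s first letter in front and its last letter at the end, and the tiny wordlist are assumptions made for the example (real wordlists hold millions of entries and real rule sets try far more transformations).

```python
import re

# Constructed stand-in for a cracking wordlist; real ones hold millions of entries.
WORDLIST = {"password", "letmein", "football", "welcome", "monkey", "dragon"}

# Common number/symbol-for-letter substitutions, undone the way a cracker's rules do.
UNLEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                        "7": "t", "@": "a", "$": "s"})


def passphrase_password(phrase, word_symbols=None, digits=None):
    """Return the results of Ferguson's steps 2, 3, 4 and 5 for `phrase`.

    Step 3 rule (an assumption that reproduces his example): a word keeps an
    upper-case initial if it is capitalised in the phrase or has five or more
    letters; short filler words get lower-case initials.
    """
    if word_symbols is None:
        word_symbols = {"and": "+&"}   # step 5: first "and" -> "+", second -> "&"
    if digits is None:
        digits = {"o": "0", "O": "0"}  # step 4: the letter O becomes a zero
    words = re.findall(r"[A-Za-z']+", phrase)
    step2 = "".join(w[0].upper() for w in words)
    step3 = "".join(w[0].upper() if (w[0].isupper() or len(w) >= 5) else w[0].lower()
                    for w in words)
    step4 = "".join(digits.get(c, c) for c in step3)
    seen = {}
    out = []
    for word, ch in zip(words, step4):
        key = word.lower()
        if key in word_symbols:
            symbols = word_symbols[key]
            out.append(symbols[seen.get(key, 0) % len(symbols)])
            seen[key] = seen.get(key, 0) + 1
        else:
            out.append(ch)
    return [step2, step3, step4, "".join(out)]


def site_variant(password, site):
    """One reading of the per-site tweak: site's first letter in front, last at the end."""
    site = site.lower()  # assumption: letters are added in lower case
    return site[0] + password + site[-1]


def normalise(candidate):
    """Strip leading/trailing digits and symbols, undo leet substitutions, lower-case."""
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", candidate)
    return core.translate(UNLEET).lower()


def is_crackable(candidate, wordlist=WORDLIST):
    """True if this single rule chain maps the candidate onto a wordlist entry."""
    return normalise(candidate) in wordlist


if __name__ == "__main__":
    phrase = "Motley Crue and Adam and the Ants were the soundtrack of my youth."
    for step, result in zip(range(2, 6), passphrase_password(phrase)):
        print(f"step {step}: {result}")
    for pw in ("P455w0rd", "football2014", passphrase_password(phrase)[-1]):
        print(f"{pw!r} -> {normalise(pw)!r} crackable={is_crackable(pw)}")
```

The substitution trick fails because the cracker never guesses “P455w0rd” from scratch: it takes “password” from its list and applies the same handful of swaps the user did. The initials password survives this because its core is not a dictionary word. One caveat on the per-site variation: once one site’s copy leaks, the pattern is visible to whoever holds it, so unrelated passwords generated by a manager (the article already mentions LastPass) are the stronger choice.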

Mandiant security expert William Ballenthin told CBS News in an interview that heartbleed compromises past and future communications with a server, like banking or email transactions. He adds that this bug has been “in the wild” for about two years, and was only recently discovered. At this point not much can be done about the past.

But Ballenthin says major websites like Google, Amazon and Yahoo have identified the issue and released a fix. According to tech website Mashable, several major banks are not affected because they do not use OpenSSL. The website released a list of major sites that were affected by the heartbleed bug and have since been updated, including Facebook, Pinterest, Tumblr, Gmail, Yahoo, Amazon and Dropbox.

© 2014 CBS Interactive Inc. All Rights Reserved.
