Changing password after “heartbleed” bug? Here’s what you need to know

By Chenda Ngak/CBS News 2:25 PM April 10, 2014
The “heartbleed” bug may have put millions of passwords, credit card details and sensitive information in the hands of nefarious hackers. Before you change your passwords, security experts suggest making sure the website is now secure, and provide tips for creating stronger passwords.

Heartbleed is a bug that made services using OpenSSL encryption vulnerable to attack, including websites, instant messaging software and email accounts. It’s worth noting that not all websites are affected by the heartbleed bug.

According to data analysis website Datanyze, 17.3 percent of the top 1 million websites ranked by Alexa.com may have been exposed to heartbleed. Internet data company Netcraft reports that a recent survey found 17.5 percent of websites that use secure socket layer (SSL) encryption. For many, it’s unclear which websites are still at risk, so it’s worth taking extra precaution.

“If the website is still vulnerable, changing the password will not accomplish anything. The hacker could potentially view your newly created password, too,” Dodi Glenn, director of security intelligence at ThreatTrack Security, told CBS News via email.

Glenn says there are websites to check whether or not a website has been patched, and suggested filippo.io/heartbleed or ssllabs.com/ssltest. Password management software maker LastPass also has a service that checks if a website is vulnerable. LastPass recommends users of websites like Yahoo, GitHub and Fitbit update their passwords right away. But if you have a Netflix, Airbnb or Quora account, wait to update.

Trend Micro vice president of security research Rik Ferguson told CBS News via email that if you update too early, not only are you putting your new password at risk, you could be exposing additional data that is requested during the password reset process. Ferguson suggests avoiding services that are not yet patched, until a security fix is released.

“If it is not possible to avoid logging in to a service then continue as normal, changing your password will not bring you any extra security until the server is patched,” Ferguson said.

But if you have the same password for several different websites or services, then change your password right away. Ferguson adds, “any exposure of a shared password may have wider consequences.”

Ferguson says you should change your password once you’ve been notified or discover that a server has had a security update. He suggested avoiding these big mistakes when creating a new password: using words from the dictionary, names, dates of birth, ages, telephone numbers, pet’s names, football teams or anything related to you.

Don’t use the same password for different services and never share your password. Even words that use numbers in place of letters are not secure enough. Ferguson says a word like “P455w0rd” can be cracked within minutes.

Ferguson shared an example of five steps for creating a more secure password.

1. Think of a phrase you can easily remember, for example:

“Motley Crue and Adam and the Ants were the soundtrack of my youth.”

2. Take the initial letter of each of those words:

MCAAATAWTSOMY

3. This will be the basis of the password, but we now need to make sure we use upper and lower case characters, numbers and “special characters” like !$&+ for example, let’s change cases first:

MCaAatAwtSomY

4. Now change some of those letters for numbers, maybe the letter O to a zero

MCaAatAwtS0mY

5. Now add the special characters, I’ll change the “and” into + and &

MC+A&tAwtS0mY

Ferguson suggests creating variations of the password for different websites, like adding the first and last letter of a website name at the beginning or end of a password. He adds that users also need to be aware of phishing scams that attempt to lure people to fake websites.
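The mistakes Ferguson lists can be screened for automatically. The following is an added example, not code from the article or from anyone quoted in it: a small Python check that undoes number-for-letter swaps before a dictionary lookup, then tests for personal details, missing character classes and reuse. The wordlist, the substitution table and the function names are assumptions constructed for illustration.

```python
import re

# Constructed sample wordlist; a real check would load a full dictionary.
COMMON_WORDS = {"password", "football", "welcome", "dragon", "monkey"}

# Undo common number/symbol-for-letter swaps before the dictionary lookup.
LEET = str.maketrans("450137@$!", "asoletasi")


def _core(text):
    """Drop digits and symbols at either end, e.g. 'password1!' -> 'password'."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", text)


def weak_reasons(password, personal=(), other_passwords=()):
    """List which of the mistakes named in the article a password makes."""
    reasons = []
    plain = password.lower()
    unleeted = plain.translate(LEET)
    if _core(plain) in COMMON_WORDS:
        reasons.append("dictionary word")
    elif _core(unleeted) in COMMON_WORDS:
        reasons.append("dictionary word with number substitutions")
    # Names, dates of birth, teams and so on, supplied by the caller.
    for item in personal:
        token = item.lower()
        if len(token) >= 3 and (token in plain or token in unleeted):
            reasons.append("contains personal detail")
            break
    # Upper case, lower case, digit and special character must all appear.
    classes = (any(c.isupper() for c in password),
               any(c.islower() for c in password),
               any(c.isdigit() for c in password),
               any(not c.isalnum() for c in password))
    if not all(classes):
        reasons.append("missing a character class")
    if password in other_passwords:
        reasons.append("reused on another service")
    return reasons


if __name__ == "__main__":
    for pw in ("P455w0rd", "MC+A&tAwtS0mY"):
        print(pw, weak_reasons(pw))
```

An empty list means only that none of the listed mistakes was found, not that the password is strong.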

Mandiant security expert William Ballenthin told CBS News in an interview that heartbleed compromises past and future communications with a server, like banking or email transactions. He adds that this bug has been “in the wild” for about two years, and was only recently discovered. At this point not much can be done about the past.

But Ballenthin says major websites like Google, Amazon and Yahoo have identified the issues and released a fix. According to tech website Mashable, several major banks are not affected because they do not use OpenSSL encryption software. The website released a list of major sites that were affected by the heartbleed bug and have since been updated, including Facebook, Pinterest, Tumblr, Gmail, Yahoo, Amazon and Dropbox.

© 2014 CBS Interactive Inc. All Rights Reserved.
