
Changing password after “heartbleed” bug? Here’s what you need to know

By Chenda Ngak/CBS News 2:25 PM April 10, 2014
The “heartbleed” bug may have put millions of passwords, credit card details and sensitive information in the hands of nefarious hackers. Before you change your passwords, security experts suggest making sure the website is now secure, and provide tips for creating stronger passwords.

Heartbleed is a bug that made services using OpenSSL encryption vulnerable to attack, including websites, instant messaging software and email accounts. It’s worth noting that not all websites are affected by the heartbleed bug.

According to data analysis website Datanyze, 17.3 percent of the top 1 million websites ranked by Alexa.com may have been exposed to heartbleed. Internet data company Netcraft reports that a recent survey found 17.5 percent of websites that use secure socket layer (SSL) encryption. For many, it’s unclear which websites are still at risk, so it’s worth taking extra precaution.

“If the website is still vulnerable, changing the password will not accomplish anything. The hacker could potentially view your newly created password, too,” Dodi Glenn, director of security intelligence at ThreatTrack Security, told CBS News via email.

Glenn says there are websites to check whether or not a website has been patched, and suggested filippo.io/heartbleed or ssllabs.com/ssltest. Password management software maker LastPass also has a service that checks if a website is vulnerable. LastPass recommends users of websites like Yahoo, GitHub and Fitbit update their passwords right away. But if you have a Netflix, Airbnb or Quora account, wait to update.

Trend Micro vice president of security research Rik Ferguson told CBS News via email that if you update too early, not only are you putting your new password at risk, you could be exposing additional data that is requested during the password reset process. Ferguson suggests avoiding services that are not yet patched, until a security fix is released.

“If it is not possible to avoid logging in to a service then continue as normal, changing your password will not bring you any extra security until the server is patched,” Ferguson said.

But if you have the same password for several different websites or services, then change your password right away. Ferguson adds, “any exposure of a shared password may have wider consequences.”

Ferguson says you should change your password once you’ve been notified or discover that a server has had a security update. He suggested avoiding these big mistakes when creating a new password: using words from the dictionary, names, dates of birth, ages, telephone numbers, pet’s names, football teams or anything related to you.

Don’t use the same password for different services and never share your password. Even words that use numbers in place of letters are not secure enough. Ferguson says a word like “P455w0rd” can be cracked within minutes.

Ferguson shared an example of five steps for creating a more secure password.

1. Think of a phrase you can easily remember, for example:

“Motley Crue and Adam and the Ants were the soundtrack of my youth.”

2. Take the initial letter of each of those words:

MCAAATAWTSOMY

3. This will be the basis of the password, but we now need to make sure we use upper and lower case characters, numbers and “special characters” like !$&+ for example, let’s change cases first:

MCaAatAwtSomY

4. Now change some of those letters for numbers, maybe the letter O to a zero

MCaAatAwtS0mY

5. Now add the special characters, I’ll change the “and” into + and &

MC+A&tAwtS0mY
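The checks described above can be expressed as a small password-review routine. This is an added example, not code from the article or from Ferguson: it undoes common number-for-letter swaps before a dictionary lookup, which is why “P455w0rd” fails, and reproduces step 2 of the phrase method. The word list, the substitution table and the 12-character minimum are assumptions chosen for illustration.

```python
import re

# Constructed sample list; a real check would load a full dictionary
# and a list of known breached passwords.
SAMPLE_WORDS = {"password", "football", "letmein", "dragon", "monkey"}

# Assumed table of common digit/symbol-for-letter swaps, reversed.
LEET = str.maketrans({"4": "a", "@": "a", "5": "s", "$": "s", "0": "o",
                      "1": "l", "!": "i", "3": "e", "7": "t"})

PHRASE = "Motley Crue and Adam and the Ants were the soundtrack of my youth."


def initials(phrase):
    """Step 2 of the method: first letter of every word, upper-cased."""
    return "".join(w[0] for w in re.findall(r"[A-Za-z]+", phrase)).upper()


def normalize(pw):
    """Lower-case the password and undo the substitutions in LEET."""
    return pw.lower().translate(LEET)


def is_disguised_word(pw, words=SAMPLE_WORDS):
    """True if pw is a listed word once swaps (and any trailing run of
    digits or symbols) are removed."""
    trimmed = re.sub(r"[^A-Za-z]+$", "", pw)
    return normalize(pw) in words or normalize(trimmed) in words


def char_classes(pw):
    """Which of the four character classes named in step 3 are present."""
    return {
        "lower": any(c.islower() for c in pw),
        "upper": any(c.isupper() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "special": any(not c.isalnum() for c in pw),
    }


def review(pw, min_length=12):  # min_length is an assumed policy value
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    if len(pw) < min_length:
        problems.append("too short")
    if is_disguised_word(pw):
        problems.append("dictionary word with substitutions")
    missing = [name for name, ok in char_classes(pw).items() if not ok]
    if missing:
        problems.append("missing: " + ", ".join(missing))
    return problems
```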

Ferguson suggests creating variations of the password for different websites, like adding the first and last letter of a website name at the beginning or end of a password. He adds that users also need to be aware of phishing scams that attempt to lure people to fake websites.

Mandiant security expert William Ballenthin told CBS News in an interview that heartbleed compromises past and future communications with a server, like banking or email transactions. He adds that this bug has been “in the wild” for about two years, and was only recently discovered. At this point not much can be done about the past.

But Ballenthin says major websites like Google, Amazon and Yahoo have identified the issues and released a fix. According to tech website Mashable, several major banks are not affected because they do not use OpenSSL encryption software. The website released a list of major sites that were affected by the heartbleed bug and have since been updated, including Facebook, Pinterest, Tumblr, Gmail, Yahoo, Amazon and Dropbox.

© 2014 CBS Interactive Inc. All Rights Reserved.
