Changing password after “heartbleed” bug? Here’s what you need to know

By Chenda Ngak/CBS News 2:25 PM April 10, 2014
The “heartbleed” bug may have put millions of passwords, credit card details and sensitive information in the hands of nefarious hackers. Before you change your passwords, security experts suggest making sure the website is now secure, and provide tips for creating stronger passwords.

Heartbleed is a bug that made services using OpenSSL encryption vulnerable to attack, including websites, instant messaging software and email accounts. It’s worth noting that not all websites are affected by the heartbleed bug.

According to data analysis website Datanyze, 17.3 percent of the top 1 million websites ranked by Alexa.com may have been exposed to heartbleed. Internet data company Netcraft reports that a recent survey found 17.5 percent of websites that use secure socket layer (SSL) encryption. For many, it’s unclear which websites are still at risk, so it’s worth taking extra precaution.

“If the website is still vulnerable, changing the password will not accomplish anything. The hacker could potentially view your newly created password, too,” Dodi Glenn, director of security intelligence at ThreatTrack Security, told CBS News via email.

Glenn says there are websites to check whether or not a website has been patched, and suggested filippo.io/heartbleed or ssllabs.com/ssltest. Password management software maker LastPass also has a service that checks if a website is vulnerable. LastPass recommends users of websites like Yahoo, GitHub and Fitbit update their passwords right away. But if you have a Netflix, Airbnb or Quora account, wait to update.

Trend Micro vice president of security research Rik Ferguson told CBS News via email that if you update too early, not only are you putting your new password at risk, you could be exposing additional data that is requested during the password reset process. Ferguson suggests avoiding services that are not yet patched, until a security fix is released.

“If it is not possible to avoid logging in to a service then continue as normal, changing your password will not bring you any extra security until the server is patched,” Ferguson said.

But if you have the same password for several different websites or services, then change your password right away. Ferguson adds, “any exposure of a shared password may have wider consequences.”

Ferguson says you should change your password once you’ve been notified or discover that a server has had a security update. He suggested avoiding these big mistakes when creating a new password: using words from the dictionary, names, dates of birth, ages, telephone numbers, pet’s names, football teams or anything related to you.

Don’t use the same password for different services and never share your password. Even words using numbers in place of letters are not secure enough. Ferguson says a word like “P455w0rd” can be cracked within minutes.

Ferguson shared an example of five steps for creating a more secure password.

1. Think of a phrase you can easily remember, for example:

“Motley Crue and Adam and the Ants were the soundtrack of my youth.”

2. Take the initial letter of each of those words:

MCAAATAWTSOMY

3. This will be the basis of the password, but we now need to make sure we use upper and lower case characters, numbers and “special characters” like !$&+, for example. Let’s change cases first:

MCaAatAwtSomY

4. Now change some of those letters for numbers, maybe the letter O to a zero:

MCaAatAwtS0mY

5. Now add the special characters. I’ll change the “and” into + and &:

MC+A&tAwtS0mY
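The point about “P455w0rd” can be checked at password-creation time. The following is an added example, not code from the article or from Ferguson: a minimal policy check that undoes common number-for-letter substitutions before consulting a wordlist. The wordlist, the substitution table and the function names are assumptions constructed for illustration.

```python
import itertools
import string

# Constructed sample wordlist (assumption); a real check would load a large
# dictionary plus names, teams and terms related to the user.
WORDLIST = {"password", "letmein", "dragon", "football", "alaska"}

# Common digit/symbol-for-letter substitutions (assumption). Some are
# ambiguous: "1" can stand for "i" or "l".
LEET = {"0": "o", "1": "il", "3": "e", "4": "a", "5": "s", "7": "t",
        "@": "a", "$": "s", "!": "i", "+": "t"}


def deleet_variants(password, limit=4096):
    """Return an iterator over lowercase readings with substitutions undone."""
    choices = [LEET.get(ch, ch) for ch in password.lower()]
    readings = ("".join(p) for p in itertools.product(*choices))
    return itertools.islice(readings, limit)  # cap work on long inputs


def weakness(password):
    """Return a reason string if the password is weak, otherwise None."""
    if password.isdigit():
        return "digits only (date, age or phone number)"
    # Also test the password with leading/trailing digits and symbols
    # removed, so "F00tb4ll!" is read as "football".
    core = password.strip(string.digits + string.punctuation)
    for candidate in (password, core):
        for reading in deleet_variants(candidate):
            if reading in WORDLIST:
                return f"reads as dictionary word '{reading}'"
    return None


if __name__ == "__main__":
    for pw in ["P455w0rd", "F00tb4ll!", "L3tme1n", "19840312", "MC+A&tAwtS0mY"]:
        print(f"{pw:15} -> {weakness(pw) or 'no dictionary match'}")
```

A pass here only means no match in this small list; it says nothing about reuse across sites or exposure in a breach.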

Ferguson suggests creating variations of the password for different websites, like adding the first and last letter of a website name at the beginning or end of a password. He adds that users also need to be aware of phishing scams that attempt to lure people to fake websites.

Mandiant security expert William Ballenthin told CBS News in an interview that heartbleed compromises past and future communications with a server, like banking or email transactions. He adds that this bug has been “in the wild” for about two years, and was only recently discovered. At this point not much can be done about the past.

But Ballenthin says major websites like Google, Amazon and Yahoo have identified the issues and released a fix. According to tech website Mashable, several major banks are not affected because they do not use OpenSSL encryption software. The website released a list of major sites that were affected by the heartbleed bug and have since been updated, including Facebook, Pinterest, Tumblr, Gmail, Yahoo, Amazon and Dropbox.

© 2014 CBS Interactive Inc. All Rights Reserved.
