
Changing password after “heartbleed” bug? Here’s what you need to know

By Chenda Ngak/CBS News 2:25 PM April 10, 2014
The “heartbleed” bug may have put millions of passwords, credit card details and sensitive information in the hands of nefarious hackers. Before you change your passwords, security experts suggest making sure the website is now secure, and provide tips for creating stronger passwords.

Heartbleed is a bug that made services using OpenSSL encryption vulnerable to attack, including websites, instant messaging software and email accounts. It’s worth noting that not all websites are affected by the heartbleed bug.

According to data analysis website Datanyze, 17.3 percent of the top 1 million websites ranked by Alexa.com may have been exposed to heartbleed. Internet data company Netcraft reports that a recent survey found 17.5 percent of websites that use secure socket layer (SSL) encryption. For many, it’s unclear which websites are still at risk, so it’s worth taking extra precaution.

“If the website is still vulnerable, changing the password will not accomplish anything. The hacker could potentially view your newly created password, too,” Dodi Glenn, director of security intelligence at ThreatTrack Security, told CBS News via email.

Glenn says there are websites to check whether or not a website has been patched, and suggested filippo.io/heartbleed or ssllabs.com/ssltest. Password management software maker LastPass also has a service that checks if a website is vulnerable. LastPass recommends users of websites like Yahoo, GitHub and Fitbit update their passwords right away. But if you have a Netflix, Airbnb or Quora account, wait to update.

Trend Micro vice president of security research Rik Ferguson told CBS News via email that if you update too early, not only are you putting your new password at risk, you could be exposing additional data that is requested during the password reset process. Ferguson suggests avoiding services that are not yet patched, until a security fix is released.

“If it is not possible to avoid logging in to a service then continue as normal, changing your password will not bring you any extra security until the server is patched,” Ferguson said.

But if you have the same password for several different websites or services, then change your password right away. Ferguson adds, “any exposure of a shared password may have wider consequences.”

Ferguson says you should change your password once you’ve been notified or discover that a server has had a security update. He suggested avoiding these big mistakes when creating a new password: using words from the dictionary, names, dates of birth, ages, telephone numbers, pet’s names, football teams or anything related to you.

Don’t use the same password for different services and never share your password. Even words using numbers in place of letters are not secure enough. Ferguson says a word like “P455w0rd” can be cracked within minutes.

Ferguson shared an example of five steps for creating a more secure password.

1. Think of a phrase you can easily remember, for example:

“Motley Crue and Adam and the Ants were the soundtrack of my youth.”

2. Take the initial letter of each of those words:

MCAAATAWTSOMY

3. This will be the basis of the password, but we now need to make sure we use upper and lower case characters, numbers and “special characters” like !$&+. For example, let’s change cases first:

MCaAatAwtSomY

4. Now change some of those letters for numbers, maybe the letter O to a zero:

MCaAatAwtS0mY

5. Now add the special characters, I’ll change the “and” into + and &

MC+A&tAwtS0mY
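
The mistakes Ferguson lists, and his point that “P455w0rd” falls quickly, can be checked mechanically. The following Python sketch is an added example, not part of the original article: it undoes common number-for-letter swaps before looking a password up in a wordlist. The wordlist, the substitution table and the 12-character minimum are assumptions chosen for illustration.

```python
import re

# Constructed sample wordlist (assumption); a real audit would load a large
# dictionary of the kind password-cracking tools use.
WORDLIST = {"password", "football", "dragon", "monkey", "letmein"}

# Assumed table of common swaps that cracking rules reverse automatically.
LEET = str.maketrans({"4": "a", "@": "a", "5": "s", "$": "s", "0": "o",
                      "3": "e", "1": "l", "!": "i", "7": "t"})


def deleet(password: str) -> str:
    """Lower-case the password and reverse common character substitutions."""
    return password.lower().translate(LEET)


def character_classes(password: str) -> int:
    """Count how many of lower, upper, digit and special classes appear."""
    patterns = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]")
    return sum(bool(re.search(p, password)) for p in patterns)


def audit(password: str, personal: tuple = ()) -> list:
    """Return the reasons a password is weak; an empty list means none found."""
    problems = []
    # Keep only letters after undoing swaps, so "P455w0rd" becomes "password".
    letters = re.sub(r"[^a-z]", "", deleet(password))
    for word in sorted(WORDLIST):
        if word in letters:
            problems.append(f"dictionary word after undoing substitutions: {word}")
    # Names, dates, pets, teams: anything tied to the user (supplied by caller).
    for token in personal:
        if len(token) >= 3 and token.lower() in password.lower():
            problems.append(f"contains personal detail: {token}")
    if len(password) < 12:  # assumed minimum length
        problems.append("shorter than 12 characters")
    if character_classes(password) < 4:
        problems.append("missing a character class")
    return problems


if __name__ == "__main__":
    for candidate in ("P455w0rd", "MC+A&tAwtS0mY"):
        print(candidate, audit(candidate) or "no findings")
```

An empty result only means none of these specific checks fired; it is not a measure of overall strength.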

Ferguson suggests creating variations of the password for different websites, like adding the first and last letter of a website name at the beginning or end of a password. He adds that users also need to be aware of phishing scams that attempt to lure people to fake websites.

Mandiant security expert William Ballenthin told CBS News in an interview that heartbleed compromises past and future communications with a server, like banking or email transactions. He adds that this bug has been “in the wild” for about two years, and was only recently discovered. At this point not much can be done about the past.

But Ballenthin says major websites like Google, Amazon and Yahoo have identified the issues and released a fix. According to tech website Mashable, several major banks are not affected because they do not use OpenSSL encryption software. The website released a list of major sites that were affected by the heartbleed bug and have since been updated, including Facebook, Pinterest, Tumblr, Gmail, Yahoo, Amazon and Dropbox.

© 2014 CBS Interactive Inc. All Rights Reserved.
