Changing password after “heartbleed” bug? Here’s what you need to know

By Chenda Ngak/CBS News 2:25 PM April 10, 2014
The “heartbleed” bug may have put millions of passwords, credit card details and sensitive information in the hands of nefarious hackers. Before you change your passwords, security experts suggest making sure the website is now secure, and provide tips for creating stronger passwords.

Heartbleed is a bug that made services using OpenSSL encryption vulnerable to attack, including websites, instant messaging software and email accounts. It’s worth noting that not all websites are affected by the heartbleed bug.

According to data analysis website Datanyze, 17.3 percent of the top 1 million websites ranked by Alexa.com may have been exposed to heartbleed. Internet data company Netcraft reports that a recent survey found 17.5 percent of websites that use secure socket layer (SSL) encryption. For many, it’s unclear which websites are still at risk, so it’s worth taking extra precaution.

“If the website is still vulnerable, changing the password will not accomplish anything. The hacker could potentially view your newly created password, too,” Dodi Glenn, director of security intelligence at ThreatTrack Security, told CBS News via email.

Glenn says there are websites to check whether or not a website has been patched, and suggested filippo.io/heartbleed or ssllabs.com/ssltest. Password management software maker LastPass also has a service that checks if a website is vulnerable. LastPass recommends users of websites like Yahoo, GitHub and Fitbit update their passwords right away. But if you have a Netflix, Airbnb or Quora account, wait to update.

Trend Micro vice president of security research Rik Ferguson told CBS News via email that if you update too early, not only are you putting your new password at risk, you could be exposing additional data that is requested during the password reset process. Ferguson suggests avoiding services that are not yet patched, until a security fix is released.

“If it is not possible to avoid logging in to a service then continue as normal, changing your password will not bring you any extra security until the server is patched,” Ferguson said.

But if you have the same password for several different websites or services, then change your password right away. Ferguson adds, “any exposure of a shared password may have wider consequences.”

Ferguson says you should change your password once you’ve been notified or discover that a server has had a security update. He suggested avoiding these big mistakes when creating a new password: using words from the dictionary, names, dates of birth, ages, telephone numbers, pet’s names, football teams or anything related to you.

Don’t use the same password for different services and never share your password. Even words using numbers in place of letters are not secure enough. Ferguson says a word like “P455w0rd” can be cracked within minutes.

Ferguson shared an example of five steps for creating a more secure password.

1. Think of a phrase you can easily remember, for example:

“Motley Crue and Adam and the Ants were the soundtrack of my youth.”

2. Take the initial letter of each of those words:

MCAAATAWTSOMY

3. This will be the basis of the password, but we now need to make sure we use upper and lower case characters, numbers and “special characters” like !$&+. For example, let’s change cases first:

MCaAatAwtSomY

4. Now change some of those letters for numbers, maybe the letter O to a zero:

MCaAatAwtS0mY

5. Now add the special characters; I’ll change the “and” into + and &:

MC+A&tAwtS0mY
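The checks implied by the advice above can be written down as a small password reviewer. This is an added example, not code from the article or from Ferguson; the function names, the substitution table and the tiny wordlist are assumptions made for illustration. It reproduces step 2 of the procedure, reports which character classes are still missing at each step, and flags a dictionary word disguised with number swaps, such as “P455w0rd”.

```python
import re

# Constructed sample wordlist; a real check would load a full dictionary.
SAMPLE_WORDS = {"password", "football", "dragon", "monkey", "sunshine"}

# Common number/symbol-for-letter swaps, undone before the dictionary lookup.
SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a", "$": "s"})


def initials(phrase):
    """Step 2 of the procedure: first letter of each word, upper-cased."""
    return "".join(w[0].upper() for w in re.findall(r"[A-Za-z]+", phrase))


def is_disguised_word(candidate, words=SAMPLE_WORDS):
    """True if the candidate is a listed word once swaps are undone.

    Trailing digits and symbols (as in "Football1!") are ignored as well.
    """
    whole = candidate.lower().translate(SWAPS)
    trimmed = re.sub(r"[^A-Za-z]+$", "", candidate).lower().translate(SWAPS)
    return whole in words or trimmed in words


def missing_classes(candidate):
    """Return which of the four character classes from step 3 are absent."""
    checks = {
        "upper": any(c.isupper() for c in candidate),
        "lower": any(c.islower() for c in candidate),
        "digit": any(c.isdigit() for c in candidate),
        "special": any(not c.isalnum() for c in candidate),
    }
    return [name for name, present in checks.items() if not present]


def review(candidate):
    """Collect every problem found; an empty list means none were found."""
    problems = ["missing " + name for name in missing_classes(candidate)]
    if is_disguised_word(candidate):
        problems.append("dictionary word with substitutions")
    return problems


if __name__ == "__main__":
    for pw in ["P455w0rd", "MCaAatAwtSomY", "MC+A&tAwtS0mY"]:
        print(pw, review(pw))
```
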

Ferguson suggests creating variations of the password for different websites, like adding the first and last letter of a website name at the beginning or end of a password. He adds that users also need to be aware of phishing scams that attempt to lure people to fake websites.

Mandiant security expert William Ballenthin told CBS News in an interview that heartbleed compromises past and future communications with a server, like banking or email transactions. He adds that this bug has been “in the wild” for about two years, and was only recently discovered. At this point not much can be done about the past.

But Ballenthin says major websites like Google, Amazon and Yahoo have identified the issues and released a fix. According to tech website Mashable, several major banks are not affected because they do not use OpenSSL encryption software. The website released a list of major sites that were affected by the heartbleed bug and have since been updated, including Facebook, Pinterest, Tumblr, Gmail, Yahoo, Amazon and Dropbox.

© 2014 CBS Interactive Inc. All Rights Reserved.
