
Changing password after “heartbleed” bug? Here’s what you need to know

By Chenda Ngak/CBS News 2:25 PM April 10, 2014
The “heartbleed” bug may have put millions of passwords, credit card details and sensitive information in the hands of nefarious hackers. Before you change your passwords, security experts suggest making sure the website is now secure, and provide tips for creating stronger passwords.

Heartbleed is a bug that made services using OpenSSL encryption vulnerable to attack, including websites, instant messaging software and email accounts. It’s worth noting that not all websites are affected by the heartbleed bug.

According to data analysis website Datanyze, 17.3 percent of the top 1 million websites ranked by Alexa.com may have been exposed to heartbleed. Internet data company Netcraft reports that a recent survey found 17.5 percent of websites that use secure socket layer (SSL) encryption. For many, it’s unclear which websites are still at risk, so it’s worth taking extra precautions.

“If the website is still vulnerable, changing the password will not accomplish anything. The hacker could potentially view your newly created password, too,” Dodi Glenn, director of security intelligence at ThreatTrack Security, told CBS News via email.

Glenn says there are websites to check whether or not a website has been patched, and suggested filippo.io/heartbleed or ssllabs.com/ssltest. Password management software maker LastPass also has a service that checks if a website is vulnerable. LastPass recommends users of websites like Yahoo, GitHub and Fitbit update their passwords right away. But if you have a Netflix, Airbnb or Quora account, wait to update.

Trend Micro vice president of security research Rik Ferguson told CBS News via email that if you update too early, not only are you putting your new password at risk, you could be exposing additional data that is requested during the password reset process. Ferguson suggests avoiding services that are not yet patched, until a security fix is released.

“If it is not possible to avoid logging in to a service then continue as normal, changing your password will not bring you any extra security until the server is patched,” Ferguson said.

But if you have the same password for several different websites or services, then change your password right away. Ferguson adds, “any exposure of a shared password may have wider consequences.”

Ferguson says you should change your password once you’ve been notified or discover that a server has had a security update. He suggested avoiding these big mistakes when creating a new password: using words from the dictionary, names, dates of birth, ages, telephone numbers, pet’s names, football teams or anything related to you.

Don’t use the same password for different services and never share your password. Even words using numbers in place of letters are not secure enough. Ferguson says a word like “P455w0rd” can be cracked within minutes.

Ferguson shared an example of five steps for creating a more secure password.

1. Think of a phrase you can easily remember, for example:

“Motley Crue and Adam and the Ants were the soundtrack of my youth.”

2. Take the initial letter of each of those words:

MCAAATAWTSOMY

3. This will be the basis of the password, but we now need to make sure we use upper and lower case characters, numbers and “special characters” like !$&+ for example, let’s change cases first:

MCaAatAwtSomY

4. Now change some of those letters for numbers, maybe the letter O to a zero

MCaAatAwtS0mY

5. Now add the special characters, I’ll change the “and” into + and &

MC+A&tAwtS0mY

Ferguson suggests creating variations of the password for different websites, like adding the first and last letter of a website name at the beginning or end of a password. He adds that users also need to be aware of phishing scams that attempt to lure people to fake websites.

Mandiant security expert William Ballenthin told CBS News in an interview that heartbleed compromises past and future communications with a server, like banking or email transactions. He adds that this bug has been “in the wild” for about two years, and was only recently discovered. At this point not much can be done about the past.

But Ballenthin says major websites like Google, Amazon and Yahoo have identified the issues and released a fix. According to tech website Mashable, several major banks are not affected because they do not use OpenSSL encryption software. The website released a list of major sites that were affected by the heartbleed bug and have since been updated, including Facebook, Pinterest, Tumblr, Gmail, Yahoo, Amazon and Dropbox.

© 2014 CBS Interactive Inc. All Rights Reserved.
