April 9, 2014 11:17 am

Heartbleed bug: How to create a more secure password

Watch video above: Websites worldwide scramble to update security in wake of Heartbleed vulnerability. Mark Carcasole reports. 

TORONTO – Cyber security experts are urging users to change all of their online passwords after the discovery of a serious bug in encryption technology used on a long list of sites.

Story continues below

The bug, called Heartbleed, may have exposed millions of passwords, credit card numbers, and other user data to hackers.

READ MORE: Security flaw in key encryption technology discovered

The breach involves SSL/TLS, an encryption technology marked by a small closed padlock and “https:” on Web browsers to signify that traffic is secure. With the Heartbleed flaw, traffic was subject to snooping even if the padlock had been closed.

Attackers can exploit the vulnerability without leaving any trace, so anything sent during that time has potentially been compromised. It’s not known, though, whether anyone has actually used it to conduct an attack.

Websites that appear to be affected include Yahoo and dating site OKCupid, though both said they have made the appropriate fixes to their websites.

According to a report by CNet, Yahoo has said that it has “successfully made appropriate corrections” to the Yahoo Homepage, Search, Mail, Finance, Sports, Food, Tech, Flickr and Tumblr. However, it is still working to make the fix across the rest of its sites.

Here is a list of other websites affected by Heartbleed.

Still, security researchers suggest that users change all of their online passwords as a precaution.

But users should be mindful when choosing a new password – especially in the case where their old password may have been exposed.

The majority of security experts feel that the average Internet user has poor judgement when it comes to picking a secure password.

READ MORE: How to protect yourself from security breaches on social media sites

Tamir Israel, cyber security expert and staff lawyer at the Canadian Internet Policy and Public Interest Clinic, notes that users should stay away from easy-to-guess passwords like “1,2,3,4″ or “Password” and easy to guess identifiers like your dog’s name.

Users should also try to have a different password for each of their online accounts.

According to the cyber security expert, passwords that use up to ten upper- and lower-case letters mixed with numbers are proven to be more secure – despite being hard to remember.

One tip is to construct a password from a sentence, mix in a few upper case letters and a number – for example, “There is no place like home,” would become “tiNOplh62.”

Numbers included in a password should never be something easy to guess based on the user.

That means your age, the current year, or your address are not good choices.

Similarly, the longer the password the better.

If you are having a hard time remembering your passwords, you could try using a password organizer app or program (one that is secure) to keep track of hard-to-remember passwords.

Another way to ensure better security on your online account is to enable two-step authentication on sites that allow it. Many websites allow users to set their accounts so that a text message containing a secondary login code is sent to their phone every time they log in to their account.

Services like Google, Microsoft and Apple also have help pages where users can learn about creating more secure passwords.

With files from the Associated Press

© Shaw Media, 2014

Comments