Heartbleed Bug: How to Create Strong Passwords

A massive breakdown in Internet security, known as the Heartbleed bug, may have compromised millions of websites — including such prominent services as Yahoo, Flickr and Tumblr — potentially exposing users' passwords and other personal information.

The Heartbleed bug affects the encryption technology used by a number of Web and email servers, making it possible for intruders to access important and sensitive data on what were supposedly secure sites. This latest scourge of the Internet went undetected for more than two years, and because attacks that exploit the Heartbleed bug leave no trace, the extent of the damage caused by the security flaw is not yet known.

Because the Heartbleed bug affects Web and email servers rather than users' own computers, there is not a lot that regular Internet users can do to fix the problem, but experts are urging people to change the passwords for their various accounts and online services to beef up their security.

To create a strong password that can stand up to hackers and malicious software, experts recommend using at least 12 characters, selected at random from all the numbers, letters and symbols on the keyboard.

"If eight characters is all you use, and if you restrict your characters to only alphabetic letters, it can be cracked in minutes," said Richard Boyd, a senior research scientist at the Georgia Tech Research Institute in Atlanta. "I would say a password should be as long as you can reasonably remember, but 10 to 12 at least."

Hackers typically use two different techniques to gain unauthorized access. The first, known as a dictionary attack, involves matching the password against a list of names, dates, words and other commonly used security phrases. If, for example, your password is your pet's name, this method could figure out that password easily.

The second technique used by hackers is called a "brute force" attack. This involves trying every possible combination of letters and numbers until the right one is stumbled upon. While this method is time-consuming, faster computers have sped the process up significantly, according to security experts.

The School of Computer Science at Carnegie Mellon University in Pittsburgh offers the following tips for creating new passwords:

  • Do NOT choose a password based upon personal data like your name, your username, or other information that one could easily discover about you from such sources as searching the Internet.
  • Do NOT choose a password that is a word (English or otherwise), proper name, name of a TV show, keyboard sequence, or anything else that one would expect a clever person to put in a "dictionary" of passwords.

Carnegie Mellon professors suggest making up a sentence that can be easily remembered, and then taking the first letter of every word in the sentence (including the punctuation). Extra punctuation marks and numbers can also be thrown in for variety.

For instance, "I have two kids: Jack and Jill." could be turned into the following password: "Ih2k:JaJ."
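The sentence-to-password method described above, as an added example written for this page (not code from Carnegie Mellon's guide or the article): it builds the password from the first letter of each word, keeps attached punctuation, writes number words as digits, and estimates the brute-force search space. The search-space estimate assumes four character classes (26 lowercase, 26 uppercase, 10 digits, 32 ASCII punctuation symbols).

```python
import re
import string

# Assumed mapping for spelled-out numbers, so "two" becomes "2" as in the article.
NUMBER_WORDS = {
    "zero": "0", "one": "1", "two": "2", "three": "3", "four": "4",
    "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9",
}

# Regex splits a token into leading punctuation, the word itself, trailing punctuation.
_TOKEN = re.compile(r"^(\W*)([A-Za-z0-9']+)(\W*)$")


def sentence_to_password(sentence: str) -> str:
    """Apply the first-letter rule: one character per word, punctuation kept,
    number words replaced by digits."""
    parts = []
    for token in sentence.split():
        match = _TOKEN.match(token)
        if match is None:          # token is pure punctuation; keep it verbatim
            parts.append(token)
            continue
        lead, word, trail = match.groups()
        core = NUMBER_WORDS.get(word.lower(), word[0])
        parts.append(lead + core + trail)
    return "".join(parts)


def alphabet_size(password: str) -> int:
    """Size of the character set an attacker must assume, given which
    classes actually appear in the password (assumed class sizes)."""
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, 32),
    ]
    return sum(size for chars, size in classes if any(c in chars for c in password))


def search_space(password: str) -> int:
    """Number of candidates a brute-force attack must try in the worst case:
    alphabet size raised to the password length."""
    return alphabet_size(password) ** len(password)


if __name__ == "__main__":
    pw = sentence_to_password("I have two kids: Jack and Jill.")
    print(pw, search_space(pw))
```

Comparing `search_space("password")` (26 letters, 8 long) with the article's nine-character example shows why length and mixed character classes together dominate the cracking cost.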

"In general, the longer a password is, the harder it is for somebody to guess or brute-force it," Carnegie Mellon professors wrote in a detailed guide. "Password selection trades off security with convenience and the ability to remember it."

Live Science contributor Stuart Fox contributed reporting to this article.


Denise Chow
Live Science Contributor

Denise Chow was the assistant managing editor at Live Science before moving to NBC News as a science reporter, where she focuses on general science and climate change. Before joining the Live Science team in 2013, she spent two years as a staff writer for Space.com, writing about rocket launches and covering NASA's final three space shuttle missions. A Canadian transplant, Denise has a bachelor's degree from the University of Toronto, and a master's degree in journalism from New York University.