Millions of LinkedIn Passwords Compromised
Wednesday, 13. June 2012
Millions of LinkedIn, E-Harmony, and Last.fm password hashes posted on message board.
Well, if we have learned anything from the past, it is that if it can go wrong, it will… Although this has been downplayed by the companies involved, there is no doubt in my mind that many people will be affected by this compromise. Once again, public networking sites storing user data on the internet have failed to protect that data, and worse, have tried to play down the importance of this compromise. This is sad, but certainly is nothing new. We can take some comfort in the fact that these companies at least used SHA-1 hashing when storing the password data, rather than keeping it in plain text. Thing is, we don’t know what other information was compromised besides the passwords.
If the passwords are hashed, aren’t they safe?
Well, yes and no. Let’s look at an example of a hashed password:
Text password: bellybuttons
Hashed password: $4$qfAUIIQS$yfZjhkwL4sw3O6BqXzJJTNM7zKs$
It works this way… A hash is one-way: once a password is hashed, it cannot be un-hashed. So, to check a password, the site hashes the text you typed and compares the result to the stored hash to verify they are the same. This makes it difficult and time consuming to guess a well crafted password. Problem is, people use simple and common passwords, and a fast hash like SHA-1 lets a cracker try millions of guesses per second. A person trying to crack passwords just hashes a bunch of dictionary words and common well known passwords, then compares them with what they have stolen; if the site did not add a per-user salt before hashing, every guess can be checked against every stolen hash at once. It’s believed that in excess of 200,000 passwords have been cracked already.
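To make the mechanism concrete, here is an added example (not code from the original post, and not how any of the named sites actually stored passwords). It simulates a small, constructed user database stored two ways, as unsalted SHA-1 (the scheme the LinkedIn dump turned out to use) and as salted SHA-1, then runs the same dictionary attack against both. The usernames, passwords, and the wordlist are all made up for the illustration; the long random password for "dave" is there to show that a guess not in the wordlist is never recovered.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Tuple

# Constructed wordlist standing in for a real dictionary of common passwords.
WORDLIST = ["123456", "password", "qwerty", "letmein", "linkedin", "bellybuttons"]

# Constructed user database. Three weak passwords and one long random one.
USER_PASSWORDS = {
    "alice": "password",
    "bob": "bellybuttons",
    "carol": "qwerty",
    "dave": "T7#wq9!zLm2$vR8p",  # hypothetical strong password, not in any wordlist
}


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def store_unsalted(passwords: Dict[str, str]) -> Dict[str, str]:
    """user -> SHA1(password). The weak scheme: equal passwords give equal hashes."""
    return {user: sha1_hex(pw.encode()) for user, pw in passwords.items()}


def store_salted(passwords: Dict[str, str], salt_bytes: int = 8) -> Dict[str, Tuple[str, str]]:
    """user -> (salt, SHA1(salt || password)) with a fresh random salt per user."""
    stored = {}
    for user, pw in passwords.items():
        salt = os.urandom(salt_bytes).hex()
        stored[user] = (salt, sha1_hex(salt.encode() + pw.encode()))
    return stored


def verify_salted(entry: Tuple[str, str], attempt: str) -> bool:
    """What the site does at login: re-hash the attempt with the stored salt and compare.
    compare_digest avoids leaking where the comparison stopped via timing."""
    salt, expected = entry
    return hmac.compare_digest(sha1_hex(salt.encode() + attempt.encode()), expected)


def crack_unsalted(stored: Dict[str, str], wordlist: Iterable[str]) -> Tuple[Dict[str, str], int]:
    """Dictionary attack on unsalted hashes: hash each guess ONCE and look it up
    against every stolen hash. Returns (user -> recovered password, hash operations)."""
    users_by_hash: Dict[str, list] = {}
    for user, h in stored.items():
        users_by_hash.setdefault(h, []).append(user)
    cracked: Dict[str, str] = {}
    ops = 0
    for guess in wordlist:
        ops += 1
        for user in users_by_hash.get(sha1_hex(guess.encode()), []):
            cracked[user] = guess
    return cracked, ops


def crack_salted(stored: Dict[str, Tuple[str, str]], wordlist: Iterable[str]) -> Tuple[Dict[str, str], int]:
    """Same attack on salted hashes: every guess must be re-hashed for every user,
    so the work grows with the number of accounts instead of staying flat."""
    words = list(wordlist)
    cracked: Dict[str, str] = {}
    ops = 0
    for user, (salt, h) in stored.items():
        for guess in words:
            ops += 1
            if sha1_hex(salt.encode() + guess.encode()) == h:
                cracked[user] = guess
    return cracked, ops


if __name__ == "__main__":
    plain_db = store_unsalted(USER_PASSWORDS)
    found, ops = crack_unsalted(plain_db, WORDLIST)
    print("unsalted:", found, "in", ops, "hash operations")

    salted_db = store_salted(USER_PASSWORDS)
    found, ops = crack_salted(salted_db, WORDLIST)
    print("salted:  ", found, "in", ops, "hash operations")
    print("login check for bob:", verify_salted(salted_db["bob"], "bellybuttons"))
```

Run it and the three weak passwords fall to a six-word list in both cases; the salt does not save a weak password, it only removes the one-hash-per-guess shortcut, multiplying the cracker's work by the number of accounts. The real defence on the user's side is a password that is not in any list, and on the site's side a deliberately slow, salted hash rather than bare SHA-1.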
So they got my LinkedIn password. What should I do?
Well, let’s start with the obvious. Log into LinkedIn, E-Harmony, and Last.fm and CHANGE YOUR PASSWORD! And, while you are at it, do the same on any site where you used the same password. Why? Well, they have your email address and the password you used on LinkedIn. You can bet the first place they hit will be your email account, and then any site that they think you might be a member of. As a matter of fact, when was the last time you changed all your passwords? Might be a good time to change them all!
How can we protect ourselves in the future?
Unfortunately, the only thing you and I can do to protect our accounts is to choose hard to guess passwords, use a different one on every site so that one leak does not open the rest, and change those passwords often. It is sad that these sites had a flaw in their security model that allowed this to happen, but after all, we are all human. The trick for you is to stay ahead of the crackers.
— Stu