Last week, on or about June 6th, LinkedIn reported a security breach in which 6.5 million passwords were stolen and posted to a Russian hackers' website. The internet is abuzz with talk about this hack, including this article on Rapid7.com that lists the 30 most common passwords found in the 6.5 million entry list. According to Rapid7, "link" was the number one password found in the list, followed by "1234" as the second most common. The sixth most common was "12345". These passwords are so easy to break that they are not really passwords at all.
The file that was posted on the Russian website contained only the SHA1 hash values of the passwords; it did not contain the LinkedIn user IDs. A password alone is of no real value unless you know the user ID of the account it is associated with. Having said that, it is assumed the hackers have the user ID for each password and simply chose not to publish them. As stated above, the passwords are not stored in human-readable form; they have been hashed using the SHA1 algorithm. The problem with the SHA1 algorithm, as eventually with any hash or encryption technique, is that it can be broken. SHA1 hashes are easily cracked with various programs readily available to the public, but suffice it to say that the longer and more complicated your password, the harder it is to crack.
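To show why an unsalted SHA1 list like this one falls so quickly, and what a site should store instead, here is an added example (not code from the article or from LinkedIn) using only the Python standard library. The list of candidate passwords is constructed from the common entries named above; the salted variant uses PBKDF2, which is an assumption about a better scheme, not a description of what LinkedIn did.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed sample: a few of the common passwords the Rapid7 list reported.
COMMON_PASSWORDS = ["link", "1234", "12345", "password"]


def sha1_unsalted(password: str) -> str:
    """Store the password the way the leaked list did: bare SHA1, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def build_lookup_table(candidates) -> Dict[str, str]:
    """Precompute hash -> password once.

    Because there is no salt, the same table matches every user who chose
    one of these passwords, which is why a bare hash list cracks so fast.
    """
    return {sha1_unsalted(p): p for p in candidates}


def recover_unsalted(leaked_hash: str, table: Dict[str, str]) -> Optional[str]:
    """Instant recovery if the hash is in the precomputed table, else None."""
    return table.get(leaked_hash)


def store_salted(password: str, iterations: int = 100_000) -> Tuple[bytes, str]:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256): returns (salt, hash_hex).

    A fresh random salt per user means one precomputed table cannot cover
    two users, and the iteration count makes every guess expensive.
    """
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, dk.hex()


def verify_salted(password: str, salt: bytes, stored_hex: str,
                  iterations: int = 100_000) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(dk.hex(), stored_hex)


def same_password_different_storage(password: str) -> bool:
    """True when two users with the same password get different stored values."""
    (_, h1), (_, h2) = store_salted(password), store_salted(password)
    return h1 != h2
```

With the unsalted scheme every copy of "1234" in the dump hashes to the same 40 hex characters, so one table lookup recovers it for every account at once; with a per-user salt the stored values differ and the table is useless.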
This hack should serve as a wake-up call to everyone about using stronger passwords. I suggest using passwords no shorter than 8 characters, with a mixture of letters, numbers and special characters. Also, avoid using dictionary words and phrases, since they are easier to crack via brute force techniques. Take the time to read these ten password tips posted by Rapid7.com, even if you think you are savvy about security.
It does not matter whether your password was included in the list of 6.5 million posted on the Russian hackers' site. At this time it is unknown whether the hackers posted the entire list in their possession. For all we know, the hackers chose to post only these 6.5 million but managed to steal all the passwords from LinkedIn. Therefore you should take precautions and change your LinkedIn password regardless of whether you find yours among the 6.5 million.
Ensure Email Password is Unique
Many people use the same password for multiple accounts, including their email account. LinkedIn uses your email address as its user ID. If you had the same password for LinkedIn as for your email account, it is imperative that you change your password not only on LinkedIn but on your email account as well.
You should never re-use a password across multiple websites, but we all know it is a common practice. It is of utmost importance, however, that your email account's password be unique. Many sites have a "forgot my password" option that simply emails a reset link to the address on file. If a hacker has your email password, they can simply go to high-value websites that use email addresses as the user ID and click the "I forgot my password" link. If the site in question sends a password reset link to your email account, the hacker can now change the password on that site as well. Therefore, if you were using the same password for LinkedIn and your email, you are in a position of extreme risk right now. Not only are your email and LinkedIn accounts at risk, but every account you have that uses your email address as the user ID is also at risk.
Keeping your email password unique reduces the chances of it falling into the wrong hands via another compromised website, such as in this LinkedIn hack. Make this change immediately, regardless of whether you believe your password was included in the 6.5 million stolen from LinkedIn.