On Thursday, LinkedIn announced that over 6.5 million of its members’ passwords were taken and posted on a Russian hacker’s site. If you were one of the 6.5 million (I was apparently one, according to the sites LeakedIn and Lastpass), you should know that ComputerWorld is reporting that more than 60% of the unique hashed passwords that were accessed and posted online this week have already been cracked, according to security firm Sophos. They have also been posted online for other hackers to exploit.
What happened? LinkedIn’s user credentials were apparently compromised because it stored log-in information on its main Web servers instead of isolating those files on separate, secure machines whose only function would have been to verify log-in details. As ComputerWorld’s report on the LinkedIn attack explains, there are multiple steps for hackers seeking to snatch and reveal users’ passwords. First, they must gain access to the passwords on a company’s computers. Once a hacker has gained access, he or she must overcome the next obstacle — encryption, as most companies encrypt their passwords using protocols designed to protect users’ passwords from hackers’ incursions.
That said, programs designed to defeat these protocols are ubiquitous. Once a hacker has his or her hands on the encrypted password bank, he or she merely uses an encryption-breaking program to reveal the plain text of the passwords.
In order to defend against hackers and the encryption-defeating programs, organizations have developed a process known as “salting,” which strengthens the passwords before they are encrypted (by adding characters, for example), thus effectively creating a second layer of protection. It is at this stage that LinkedIn’s security methods are being criticized for being lax; rather than “salt” their passwords, LinkedIn apparently relied on a well-known encryption protocol that offered little resistance once the hackers had gained access to the passwords.
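An added example, not from the original post or from LinkedIn, showing why an unsalted password store gives way so quickly once it is copied and what a per-user salt changes. Assumptions: SHA-1 stands in for the unnamed "well-known" algorithm, PBKDF2 with a random 16-byte salt is one common hardened choice, and the accounts and word list are constructed.

```python
import hashlib
import hmac
import os

# Constructed sample accounts; two users picked the same password.
USERS = {"alice": "sunshine1", "bob": "sunshine1", "carol": "T4ble-lamp-ocean"}

def unsalted(password: str) -> str:
    # Weak scheme: one fast hash, no salt (SHA-1 is an assumed stand-in).
    return hashlib.sha1(password.encode()).hexdigest()

def salted(password: str, salt: bytes = b"") -> tuple:
    # Hardened scheme: random per-user salt plus a deliberately slow KDF.
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest

def verify(password: str, salt: bytes, digest: bytes) -> bool:
    # Recompute with the stored salt and compare in constant time.
    return hmac.compare_digest(salted(password, salt)[1], digest)

def shared_digests(store: dict) -> int:
    # Count accounts whose stored value equals another account's.
    values = list(store.values())
    return sum(1 for v in values if values.count(v) > 1)

def demo() -> dict:
    weak = {u: unsalted(p) for u, p in USERS.items()}
    strong = {u: salted(p) for u, p in USERS.items()}
    # Hashes computed once from a word list; without salts the same
    # table applies to every account in every unsalted store.
    table = {unsalted(w): w for w in ("password", "letmein", "sunshine1")}
    return {
        "weak_shared": shared_digests(weak),
        "weak_reversed": sorted(u for u, h in weak.items() if h in table),
        "strong_shared": shared_digests({u: d for u, (s, d) in strong.items()}),
        "login_ok": verify("sunshine1", *strong["alice"]),
        "login_bad": verify("sunshine2", *strong["alice"]),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

In the unsalted store, identical passwords produce identical entries and a single precomputed table resolves both accounts at once; with salts, every entry is unique and each guess has to be recomputed per account at the KDF's cost.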
This leak is not the first time that LinkedIn has been criticized for this kind of laxity. According to The Daily Mail, the LinkedIn mobile application was sending calendar entries, including phone numbers and passwords (when contained in the entry), to the LinkedIn servers without encrypting the data.
Not surprisingly, criticism of LinkedIn continues to come from all quarters. For example, critics point out that LinkedIn does not have a C-level executive in charge of information or information security (it does have a Senior Vice-President, Operations) and cite this as a sign that the company does not take these security issues seriously enough.
Unfortunately, the perceived problem of weak corporate protection of users’ passwords is not unique to LinkedIn. According to the UK’s International Business Times, the problem is endemic, particularly in softer targets like social networks. Throw in the rise of spearphishing and whaling (i.e., targeted cyberattacks that use social media and other publicly available information to deceive unwary users) and you have the proverbial witch’s brew over the Internet.
What Should You Do? If you are one of the 6.5 million:
1. Change your LinkedIn password immediately.
2. Change all of your other passwords. Yes, I know it is a hassle, but I began doing it after learning that my password was leaked. In fact, if you have used your LinkedIn password or a simple variation of that password for other accounts or sites, you can bet that someone has or will try to access that account using that password.
What Can You Do to Protect Yourself and Your Company? Even if your password was not breached, the LinkedIn incident serves as an important reminder of password protection. Here are some basic steps that we all should be taking:
1. Change your passwords every three months. Make it part of your quarterly routine.
2. Don’t use the same password for sensitive accounts, for the reasons noted above.
3. Don’t use the dictionary for passwords and avoid simplicity. Avoid favorite sports teams, pet names and other information that might be easily gleaned from social media. Slate has a nice article detailing techniques for coming up with hard-to-crack phrases and ideas for passwords.
4. Choose your security questions wisely. As I noted last fall, cyberthieves are willing to spend the time trolling through your social media pages and if you have revealed information (anniversary dates, high school mascot, etc.), the answers to typical security questions can be provided through this publicly-available information.
5. Store your passwords safely, preferably through a password manager. With all this password activity, it will be tough to keep track of all of your ever-changing passwords, so you should consider using a password manager, which is password-protected software that enables you to store all your usernames and passwords in a single place. The New York Times Bits Blog article on the LinkedIn attack identifies a number of password managers that work across platforms, including Splash Data, which offers password-management software for Windows, Macs and mobile devices, and Agile Bits with its 1Password software. Also, see Top Ten Reviews which has reviews of password managers for PCs.
6. For employers, encourage your employees to follow these guidelines and have your IT staff force employees to change their passwords quarterly or face getting locked out.
A special thanks to my colleague Michael Shoenfelt, who helped me assemble this information quickly for this post.