Sunday, June 10, 2012

The LinkedIn password hack and what it really means for your password security

Like 6.5 million (or so) others, my password was in the list recently taken from LinkedIn.

I somewhat naively used one of my "better" passwords on LinkedIn. Silly me for assuming that a site like that would actually use strong encryption and the latest security practices.

That they did not has me rather puzzled. Encryption is not hard to buy, is it? IT security practices - well, ok, there always seems to be another exploit out there, and the possibility of compromising a login will never really go away.

But why use anything other than the best possible encryption?  I really don't know.  Cost?  Probably.

Still, I had a minor advantage in that thanks to a previous hack on a different site, I had learned to use different passwords around the net.  So theoretically, I should be mostly covered.

But that does not really save you.  Or, at least, not to the extent that you might assume.

6,500,000 passwords is a lot.  More than enough for duplicates.  Chances are that, unless you are massively creative, somebody else is using the same password as you are.

As several technology sites correctly pointed out, the probability that this (rather large) database of passwords is going to be incorporated into brute-force hack tools is rather high.  These databases are out there, and probably already fairly extensive.  Given that English has, at most, a million or so words in it, it would seem that most any simple password is now insecure.  Thanks to LinkedIn and the people who hacked it, many strong passwords are also no longer any good.

The computing power to run such an attack is cheaper by the day - well within the budget of a bunch of kids with nothing much else to do.  Even an old hand-me-down machine could be effective if it has nothing else to do but try logins 24 hours a day.

So the problem is no longer what your password was on LinkedIn.  The problem is how many of your other passwords are in that list?  All it takes is one other person out of 6-1/2 million having used the same password, and that password is no longer secure.

Worse, this isn't the only instance. Previous releases of information, such as from LulzSec, may have data such as email addresses and passwords. At maybe 200 thousand, it pales in comparison to the LinkedIn hack, but it all adds up.

For myself, I checked all of my passwords against the LeakedIn database.  Not surprisingly, three of my passwords were in the list.

One could have come from me - probably did, in fact.  But the other ones could not have.  Somebody else was using them too, and on LinkedIn.  Again, hardly surprising.

This means these passwords are no longer secure, and should be put out of circulation. So I will still have to go around and change all the instances where I used any of the three passwords.

Now, technically, the passwords are only useful when paired with email addresses or login names.  But email addresses are more or less freely circulated, and are often not hard to deduce.  The password is where the security is supposed to be.

This is an important point missed by most of the mainstream media:  your passwords may no longer be secure, even if you didn't use them on LinkedIn (or another hacked site).  The hacked database may contain your password from another user.

The only way around this mess is to stop using any of your compromised passwords, on any accounts.  Which brings us back to square one, changing most of your passwords on most of your sites.  I should have just stuck with one password.

Still, most people can lay the blame squarely on the shoulders of LinkedIn.

Thanks, LinkedIn, for poisoning half of my passwords with a zero-salt diet!  I hope you get slammed, morons.
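The "zero-salt" point and the shared-password point above, as an added example (not code from the post): with unsalted SHA-1, which is what the LinkedIn dump used, identical passwords give identical digests, so the leaked list alone shows who shares a password, and cracking one entry cracks all of them; a per-user salt removes that, and the last function mirrors the local check against a leaked hash set. The user table, passwords and the "dump" are constructed for the example.

```python
import hashlib
import secrets

# Unsalted SHA-1, as in the LinkedIn dump: same password -> same digest for every user.
def unsalted_sha1(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

# Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256); returns (salt, hex digest).
def salted_hash(password, salt=None):
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest.hex()

# Constructed user table: two unrelated users happen to share a password.
USERS = {
    "alice@example.com": "correcthorse",
    "bob@example.com": "correcthorse",
    "carol@example.com": "Tr0ub4dor&3",
}

# With unsalted hashes, identical digests reveal who shares a password without
# cracking anything. Returns {digest: [emails]} for digests seen more than once.
def duplicate_groups(users):
    groups = {}
    for email, pw in users.items():
        groups.setdefault(unsalted_sha1(pw), []).append(email)
    return {h: e for h, e in groups.items() if len(e) > 1}

# Same users, salted: count digest collisions (expected 0, even for a shared password).
def salted_collisions(users):
    seen = set()
    dup = 0
    for pw in users.values():
        _, d = salted_hash(pw)
        dup += d in seen
        seen.add(d)
    return dup

# Defender-side check the post describes: hash your own passwords locally and
# look them up in a leaked unsalted-SHA-1 set. The plaintext never leaves the machine.
def burned_passwords(my_passwords, leaked_digests):
    return [pw for pw in my_passwords if unsalted_sha1(pw) in leaked_digests]

LEAKED = {unsalted_sha1(pw) for pw in USERS.values()}  # constructed "dump"

if __name__ == "__main__":
    print(duplicate_groups(USERS))       # alice and bob share a digest
    print(salted_collisions(USERS))      # 0
    print(burned_passwords(["correcthorse", "unique-to-me-9f1"], LEAKED))
```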
