If you’re on the popular professional social network, LinkedIn, you really want to change your password immediately. Yes you do. LinkedIn suffered a hack yesterday whose payload was the leaking of some 6.5 million passwords onto a Russian hacking site. The security breach was confirmed by LinkedIn itself admitting that some passwords were indeed stolen from the website.
LinkedIn says it’s investigating the matter to establish how exactly the passwords were stolen and that in the meantime they have closed access to the compromised accounts until the owners of the accounts have changed them.You can also help yourself by changing the password, whether LinkedIn has closed access to your account or not. Just go to LinkedIn.com, log in, hover the mouse over your name (top right corner), click settings and you’ll be taken to a page where you can change your password.
One important thing to look out for is that the unscrupulous lot in cyberspace are taking full advantage of this Linked password scare by using phishing emails to fool unsuspecting members of the network into downloading malicious software, supposedly to help secure their accounts. You don’t want to fall victim to that so just avoid clicking on links in emails purporting to be from LinkedIn. LinkedIn has a specific way its dealing with compromised accounts
6 comments
Linkdin used sha-1 to secure its passwords and i dont thnk phishing was used Here’s what Imperva found: The
most common password used
was “123456,” followed by
“12345″ and “123456789.” All
in all, more than half a million
people chose passwords
composed of only consecutive
numbers. So, if a hacker tried to
log in to all RockYou accounts
with just one password
attempt–123456–every
hundred or so attempts would
yield a compromised account.
Dozens of attempts can be
scripted every second, so
Imperva estimates that using
this technique would only take
around 15 minutes to hack
1,000 accounts.
when is jumpstart. Happy people
Hey,
if you’re responding to the mention of Phishing in the article note that the article doesn’t say the passwords were compromised thorough phishing but that a new phishing threat is being visited on people by scammers claiming to be helping people secure their accounts in the face of the 6.5m leaked passwords.
Jumpstart is next week Wednesday. More here: http://www.jumpstart.co.zw/events/new-and-innovative-ways-to-fund-your-tech-start-up/
@lw@y$ u$3 $tr0ng p@$$w0rd$. th@t r 3@sy +0 r3m3mb3r bu+ d1ff1cul+ +0 cr@ck
Cute
aren’t we encouraged to change our passwords everyso often
It is worth pointing out that the passwords were leaked in a hashed form (with no corresponding username), However it appears they are not salted hashes which is quite concerning as salting means each password will need individual cracking to discover. For those who do not know a salted hash is when you take the password, append a set of random characters (also saved in the db) and hash (a non reversible type of encryption) the result is stored in the database. When a user enters their password the system pulls out their salt, appends, hashes and compares.
The bonus to a salted system (over just plain hashing) is that if a hacker gets a password list (in this case) they have to run hashes for each line with each salt as they cannot just compare the entire database to a dictionary of hashes. Hence making finding out the password a much slower process. It is being reported at the moment 200,000 of the 6.5 million passwords have been discovered, these are probably the most common ones like “password” or “12345”.
A good rule of thumb when coming up with passwords is to have at least three, one for unimportant sites like facebook / linked in etc where the biggest damage is maybe some dodgy messages (you should never have any important information on these sites like ID Numbers etc). The second password is for important sites like internet banking, applications with important private information etc. And a third to secure your email, this must be the most secure as with access to your email a hacker can reset any of your other accounts (generally).
Another good way of making passwords is to create a sentence in your head and then take the first letter of each word, and append numbers and a special character this results in a “random” string of letters but is easy for you to remember as you need only remember the sentence.