11 June 2012
Password protection isn’t a subject that we would normally cover, but we use LinkedIn extensively and many of our contacts also do so. I’ve been a keen follower of computer security for many years and last week’s news that at least part of LinkedIn’s internal password database had been misappropriated, published on the net and was in the process of being ‘decrypted’ was, frankly, a real shock.
LinkedIn have reacted by publishing updates on their blog (this entry is probably the most useful), by locking the accounts of those immediately affected and requiring a password change, by providing an easy general password change process for all users and by improving their internal password security.
My own account wasn’t compromised but I have still changed my password and would suggest that all users do the same:
- Change your password to a random selection of at least ten to twelve upper and lower case letters, numbers and special characters (e.g. %, &, !)
- Check that the old password is NOT used for any other websites (particularly email and financials). If this is the case, then change those passwords as well
Why all the fuss?
Regular password changes and not reusing them across websites is consistent with industry best practice and with LinkedIn’s own advice.
Whilst only approx 6.5m encrypted passwords out of perhaps 150m users have been published, there is no guarantee that the hackers haven’t got more hidden and it would seem prudent to assume a worst case scenario.
We understand from news reports that over half of these passwords are likely to have been decrypted already and are therefore compromised. There are websites that claim to be able to crack 99% of 8-character simple lowercase letter / number password combinations within 3 minutes!
The format of the misappropriated LinkedIn database provides an incentive for hackers to continue work on decrypting. Their endgame is to find passwords that are re-used on webmail accounts or bank accounts and exploit these. Most of us will know someone who has had an email account hijacked and will sympathise that it is a really embarrassing, uncomfortable and dangerous experience.
LinkedIn’s blog announces an improvement in security using an approach called “salting”. This works by ensuring that, where multiple users set up their account with the same password, that password is stored differently in each instance. Without salting, the encrypted representation of the password would be the same for all users: me, you, or a user in New York, Paris or Sydney. This gives the hackers a considerable operational efficiency: they can attack one password but compromise many accounts simultaneously.
With salting, there is no duplication of encrypted password entries, so the bad guys have to attack each password individually (obviously a much less attractive proposition), and the publication and hacker ‘crowd-sourcing’ initiative we saw last week becomes very much less effective.
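To make the salting point concrete, here is an added illustration (not code from LinkedIn or from this post) of the two storage schemes side by side. Password stores hold one-way hashes rather than reversible encryption; the unsalted scheme is assumed to be plain SHA-1 and the salted one SHA-256 over a per-user random salt, and the four accounts are constructed sample data.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample accounts: three users happen to share the same password.
ACCOUNTS = {
    "alice": "linkedin1",
    "bob": "linkedin1",
    "carol": "linkedin1",
    "dave": "Tr0ub4dor&3",
}


def unsalted_digest(password: str) -> str:
    """Unsalted scheme (SHA-1 assumed): identical passwords give identical digests."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_digest(password: str, salt: bytes) -> str:
    """Salted scheme (SHA-256 assumed): the per-user salt is mixed in before hashing."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def build_unsalted_store(accounts: dict) -> dict:
    return {user: unsalted_digest(pw) for user, pw in accounts.items()}


def build_salted_store(accounts: dict) -> dict:
    # Each user gets a fresh random salt, stored next to the digest.
    store = {}
    for user, pw in accounts.items():
        salt = os.urandom(16)
        store[user] = (salt.hex(), salted_digest(pw, salt))
    return store


def largest_shared_group(digests) -> int:
    """Number of accounts that fall together if the most common digest is matched."""
    return max(Counter(digests).values())


def verify_salted(store: dict, user: str, password: str) -> bool:
    """Login check: re-hash with the stored salt and compare in constant time."""
    salt_hex, digest = store[user]
    candidate = salted_digest(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, digest)
```

Salting removes the shared-digest shortcut but does not make each individual guess slower; a purpose-built password hash such as bcrypt or PBKDF2 adds that cost.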
LinkedIn deserve credit for responding publicly and openly to this problem and for improving their handling of sensitive information. However, I did not hesitate to change my password and would do the same if it happened again.