At the beginning of June, a dump of around 6.5 million LinkedIn password hashes was posted on an online forum by a hacker asking for help reversing the hashes into valid passwords. This was followed, apparently by the same hacker, by passwords from the dating website eHarmony. Then, in July, Formspring and Yahoo passwords were compromised. Is this a wake-up call for businesses to get serious about password security?
LinkedIn took hours to respond publicly to the event, losing precious time while determining whether there had in fact been a compromise or merely a false alarm. Even after acknowledging the breach, they have not confirmed when and how the attackers accessed their users' account information. More importantly, they have not announced that the vulnerability behind the compromise has been identified and closed.
Formspring and Yahoo, on the other hand, confirmed their password breaches and applied fixes within 24 hours. Formspring went further and provided detail on how the breach was fixed.
Blogs, news agencies, and Internet resources everywhere responded by reporting these events and dispensing textbook advice about how to respond to a password compromise. Unfortunately, in their rush to publish, they missed some important details. In the case of LinkedIn, only the password hashes were posted online, not the e-mail addresses they belong to. So although a large list of hashed passwords became public, the information needed to actually log in to those accounts is held only by the hacker(s) who posted it. The hashes were produced with the SHA-1 algorithm, with no per-user salt. Hashing is one-way, so the passwords cannot be read back directly; they have to be recovered by password cracking, which means hashing candidate guesses and comparing the results against the dump. Because unsalted SHA-1 is fast and every guess can be checked against all 6.5 million hashes at once, common and short passwords fall in minutes; only long, unusual ones hold out. By now, hundreds of thousands of the passwords have been recovered by security researchers gathering statistics about password complexity and reuse.
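The following is an added example, not code from the original article or from LinkedIn, showing why an unsalted SHA-1 dump cracks so quickly and what a salted, iterated hash changes. The leaked hashes and the wordlist are constructed stand-ins (a handful of made-up passwords rather than 6.5 million), and the mangling rules and iteration count are illustrative choices.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the leaked dump: unsalted SHA-1 digests of made-up
# passwords, stored the way the article describes (no per-user salt).
LEAKED_PASSWORDS = [
    "password", "Linkedin1", "123456", "letmein!",
    "Tr0ub4dor&3", "correcthorsebatterystaple",
]
LEAKED_HASHES = {hashlib.sha1(p.encode()).hexdigest() for p in LEAKED_PASSWORDS}

# Constructed mini wordlist; a real attack uses millions of entries.
WORDLIST = ["password", "linkedin", "123456", "qwerty", "letmein"]
SUFFIXES = ["", "1", "123", "!"]


def candidates(wordlist):
    """Yield each word plus a few common mangling rules (capitalised, digit/symbol suffix)."""
    for word in wordlist:
        for base in (word, word.capitalize()):
            for suffix in SUFFIXES:
                yield base + suffix


def crack_unsalted_sha1(hashes, wordlist):
    """Dictionary attack on unsalted SHA-1.

    With no salt, one SHA-1 computation per candidate is compared against the
    whole dump at once, so the cost does not grow with the number of users.
    Returns {hex_digest: recovered_password}.
    """
    recovered = {}
    for cand in candidates(wordlist):
        digest = hashlib.sha1(cand.encode()).hexdigest()
        if digest in hashes:
            recovered[digest] = cand
    return recovered


def password_in_dump(password, hashes):
    """The same hash-and-compare used defensively: does my own password appear in the leak?"""
    return hashlib.sha1(password.encode()).hexdigest() in hashes


def hash_password_pbkdf2(password, iterations=100_000, salt=None):
    """Salted, iterated hash (PBKDF2-HMAC-SHA256).

    A random 16-byte salt per user means each account must be attacked separately,
    and each guess costs `iterations` HMAC calls instead of one SHA-1.
    """
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password, stored):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    found = crack_unsalted_sha1(LEAKED_HASHES, WORDLIST)
    print(f"recovered {len(found)} of {len(LEAKED_HASHES)} hashes: {sorted(found.values())}")
    print("'correcthorsebatterystaple' in dump:",
          password_in_dump("correcthorsebatterystaple", LEAKED_HASHES))
    stored = hash_password_pbkdf2("password")
    print(stored, verify_pbkdf2("password", stored))
```

Running it, the four dictionary-plus-mangling passwords are recovered immediately, while the two longer entries stay uncracked by this wordlist even though they are in the dump. The same hash-and-compare is how the "is my password in the leak" checkers that appeared after the breach work. Note that the PBKDF2 version produces a different stored string every time for the same password because of the random salt.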
Most companies promptly sent internal e-mails telling employees to change their LinkedIn or Yahoo passwords, which misses the real aim of the attack. The attackers were never after the LinkedIn passwords as such; access to those accounts simply isn't very valuable. What they want is e-mail address and password pairs, on the bet that you, like so many others, reuse the same password across many or all of the sites you use.
If you used the same password to log into LinkedIn as you do for your e-mail account, stop reading and change your e-mail password now. Access to your e-mail lets a hacker see every other site you've signed up for with that address, and reset the passwords on them. That means they can find your online banking, online shopping (particularly sites where you've stored your credit card details), and online payment accounts such as Google Checkout or PayPal. Starting from the credentials harvested at LinkedIn, they can purchase goods and sell them for cash. Large sets of username/e-mail and password combinations are also often sold on underground forums, leaving other criminals with smaller batches of user data to exploit however they see fit.
These breaches at large institutions will continue to occur, so where does that leave the end user? Vulnerable…but that vulnerability can be decreased by following these three tips:
- Use tiered passwords. Don’t use the same password for all sites. The key to your office door shouldn’t open the front door of your house or safe, so why should one password access different sites/systems? Just like you have different keys for different doors, you need to use different passwords for different sites (especially financial and e-mail sites).
- Change your passwords more frequently. When was the last time you changed the password for your online banking or Facebook account? Ideally, you should change passwords to sensitive accounts at least every 30 days, and immediately whenever a site you use reports a breach.
- Set strong passwords. Long passwords that contain letters, numbers, and punctuation are hard to memorize for numerous websites. So what can a user do? Use passphrases. For example "MyBirthDate?June15,90." It's long, it mixes letters, numbers, and punctuation, and it's easy to remember. Just don't build the phrase from a real fact about you: birthdays and similar personal details are easy to guess or look up, so pick a date or phrase that is not actually yours.
These best practices can be the difference between security and vulnerability.