Yesterday, password databases from two popular websites were leaked on an underground forum popular with computer hackers: 6.5 million password hashes from LinkedIn and a further 1.5 million from the internet dating site eHarmony were published following attacks on those sites.
LinkedIn has already acknowledged the leak and has said it is changing the algorithm used to store sensitive data and will email affected users instructions on how to reset their passwords.
eHarmony has also admitted the hack and has said its members will receive an email with instructions on how to reset their passwords.
Based on previous incidents, this is likely to provoke phishers who will try to trick users with fake LinkedIn and eHarmony password-change emails. We recommend that concerned users change their passwords manually rather than through any emailed link. To do this on LinkedIn, click your name in the upper right corner, select Settings and then Password Change in your profile:
It is also worth following five simple rules when creating new passwords:
Avoid anything ‘personal’ such as names and birth dates – see this list for examples of passwords to avoid
Avoid overly complex passwords, as you don’t want to have to write them down
Don’t reuse a password anywhere – leaks will happen again, and you don’t want a single leak handing the bad guys the keys to every online service you use
Longer is better – each extra character multiplies the search space by the size of the alphabet, which does more for strength than adding exotic symbols
Beware the phishers: always make sure you are performing sensitive operations on the legitimate site over a secure, verified connection (HTTPS with a valid certificate for the domain you expect). I’d also recommend never clicking on links in emails to update sensitive information; instead, type the site’s address in manually and make the changes there.
Of course, the whole situation is complicated by the fact that various services have their own policies, which sometimes contradict these rules. For example, some services cap the password length, while others force a mix of upper and lowercase letters, digits and symbols, which imposes complexity on users without adding much strength. We have also seen services restrict which characters you can use. For example, the popular game Diablo ignores case in passwords, which severely reduces their strength: folding upper and lowercase together shrinks the alphabet an attacker has to search.
Current password-cracking packages use brute force to test hundreds of millions of password combinations a second on the powerful compute engines found in modern graphics cards. So even if you draw on a 96-character alphabet of lowercase, uppercase, digits and punctuation, it is the length that matters. At the time of writing, half of the passwords from the LinkedIn leak had already been cracked. This is partly LinkedIn’s fault: although their database did use the SHA-1 cryptographic hash function, the hashes were not salted. Without a per-user salt, every candidate guess needs to be hashed only once and can then be compared against all 6.5 million leaked hashes at the same time, and precomputed rainbow tables can be used as well, which greatly speeds up the cracking.
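To make the salting point concrete, here is an added example (not code from the original post, and not LinkedIn’s or eHarmony’s implementation). It builds a small, constructed table of unsalted SHA-1 hashes, cracks it with a constructed wordlist while counting hash operations, and then does the same against per-user salted hashes. Salted storage here uses PBKDF2-HMAC-SHA1 with a deliberately low iteration count so the example runs quickly; that choice is an assumption for illustration, since the post does not say what algorithm LinkedIn moved to. The keyspace helper at the end backs the “length beats alphabet size” and case-folding remarks above.

```python
import hashlib
import hmac
import os

# Constructed sample data for this example (not the real leaked table):
# four user passwords stored as unsalted SHA-1, the way LinkedIn stored them.
LEAKED_PLAINTEXTS = ["linkedin", "password1", "Tr0ub4dor&3", "correct horse battery staple"]
LEAKED_SHA1 = {hashlib.sha1(p.encode()).hexdigest() for p in LEAKED_PLAINTEXTS}

# Constructed cracking wordlist; real ones hold tens of millions of entries.
WORDLIST = ["123456", "password", "linkedin", "password1", "letmein", "qwerty"]


def crack_unsalted(leaked_hashes, wordlist):
    """Crack an unsalted hash table.

    Each candidate is hashed exactly once and the digest is looked up against
    every leaked hash at the same time, so the cost is O(wordlist) no matter
    how many accounts were leaked. Returns (cracked, hashes_computed).
    """
    cracked = {}
    hashes_computed = 0
    for candidate in wordlist:
        digest = hashlib.sha1(candidate.encode()).hexdigest()
        hashes_computed += 1
        if digest in leaked_hashes:
            cracked[digest] = candidate
    return cracked, hashes_computed


# Iteration count kept small so the example runs in a few seconds (assumed
# value for illustration); production systems use a far higher count or a
# memory-hard function.
PBKDF2_ITERATIONS = 10_000


def store_salted(password):
    """Store a password with a random 16-byte salt and PBKDF2-HMAC-SHA1."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def crack_salted(records, wordlist):
    """Crack a salted table.

    The salt differs per record, so each candidate has to be re-hashed for
    every account: cost is O(records * wordlist), and precomputed tables are
    useless because the attacker cannot know the salt in advance.
    Returns (cracked, hashes_computed), with cracked keyed by record index.
    """
    cracked = {}
    hashes_computed = 0
    for index, (salt, digest) in enumerate(records):
        for candidate in wordlist:
            guess = hashlib.pbkdf2_hmac("sha1", candidate.encode(), salt, PBKDF2_ITERATIONS)
            hashes_computed += 1
            if hmac.compare_digest(guess, digest):
                cracked[index] = candidate
                break
    return cracked, hashes_computed


def keyspace(alphabet_size, length):
    """Number of candidates an exhaustive search has to try."""
    return alphabet_size ** length


if __name__ == "__main__":
    found, work = crack_unsalted(LEAKED_SHA1, WORDLIST)
    print(f"unsalted SHA-1: cracked {len(found)} of {len(LEAKED_SHA1)} with {work} hash operations")

    salted_records = [store_salted(p) for p in LEAKED_PLAINTEXTS]
    found, work = crack_salted(salted_records, WORDLIST)
    print(f"salted PBKDF2: cracked {len(found)} of {len(salted_records)} with {work} hash operations")

    # 12 lowercase letters outnumber 8 characters drawn from a 96-symbol
    # alphabet, and case-folding 96 symbols down to 70 (as a case-insensitive
    # login does) shrinks the 8-character space by more than an order of magnitude.
    print(keyspace(26, 12) > keyspace(96, 8), keyspace(96, 8) / keyspace(70, 8))
```

With four accounts the salted table already costs three times as many hash operations as the unsalted one for the same wordlist, and each of those operations is thousands of times slower than a single SHA-1; scale the record count up to millions and the same wordlist that cracked half the unsalted table becomes a very different proposition.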