So far none of the companies has released any details about how their users' passwords got into the hands of hackers. LinkedIn says that the passwords contained in the files are hashed with the SHA-1 algorithm and that no other data (i.e. user names or personal data) accompanies them; even so, security experts are strongly suggesting that people change their passwords immediately, and eHarmony has reset the passwords of accounts it believes have been affected. Apparently many of the passwords published to the hacker forum contained the term "LinkedIn" (e.g. "linkedin1234" or "linkedinabcd"), which was a good indicator that they were in fact LinkedIn passwords; it is assumed that many people use weak passwords such as the site name plus a string of easy-to-remember characters.
Just because the password lists were posted without user names does not mean that the original poster doesn't have the user name list that goes along with the passwords. For this reason, anyone using any of these services should immediately change their password. This is also an excellent reason not to use a common password across sites: if the hackers are able to crack a password and all your accounts share the same login information, they essentially have a master key to your online life.
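To make concrete why an unsalted SHA-1 dump is so dangerous, and what a site should have stored instead, here is an added example (written for this post, not code from LinkedIn or any of the companies involved). The user names, passwords and deny-list are constructed; the salted alternative uses PBKDF2-HMAC-SHA256 from Python's standard library. The audit function is the operator's view: one digest per deny-listed password covers every account in an unsalted store, which is exactly the property that lets a leaked file be matched in bulk, and why the advice to change passwords stands even though the file was posted without user names.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample accounts (not from the leak): two users picked the same
# site-themed password of the kind the post describes.
USERS = {
    "alice": "linkedin1234",
    "bob": "linkedin1234",
    "carol": "Chicagohockeycigarcertification",
}

# Constructed deny-list of common passwords; a production list would be far larger.
COMMON_PASSWORDS = ["password", "123456", "linkedin1234", "linkedinabcd"]


def sha1_unsalted(password: str) -> str:
    """Plain SHA-1 of the password, the format LinkedIn said the leaked file used."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def build_unsalted_store(users: dict) -> dict:
    """What an unsalted SHA-1 credential store looks like: user -> hex digest.
    Two users with the same password get byte-identical digests."""
    return {user: sha1_unsalted(pw) for user, pw in users.items()}


def audit_unsalted_store(store: dict, deny_list: list) -> dict:
    """Operator-side audit of an unsalted store: hash each deny-listed password
    once and look it up. Returns user -> matched weak password."""
    table = {sha1_unsalted(pw): pw for pw in deny_list}
    return {user: table[digest] for user, digest in store.items() if digest in table}


def pbkdf2_hash(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> tuple:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256). A fresh 16-byte random salt
    per user means equal passwords get different digests, so no single
    precomputed table applies to the whole store, and the iteration count
    makes each guess cost far more than one SHA-1 call."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return (salt, iterations, digest)


def verify_pbkdf2(password: str, record: tuple) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    store = build_unsalted_store(USERS)
    print("alice and bob share a digest:", store["alice"] == store["bob"])
    print("deny-listed passwords found:", audit_unsalted_store(store, COMMON_PASSWORDS))
    record = pbkdf2_hash("linkedin1234")
    print("salted verify:", verify_pbkdf2("linkedin1234", record))
```

Note that salting does not make a weak password strong; "linkedin1234" is still guessable per account. What it removes is the bulk matching of one table against every user, and the iteration count slows each guess down. The deny-list check is the complement: reject such passwords at signup rather than discovering them in a leak.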
Simple passwords containing dictionary words and strings such as 123 or abc will be quite easy to crack. A strong password doesn't necessarily need to be filled with special characters and numbers: a long password made of four random words, such as Chicago, hockey, cigar and certification (Chicagohockeycigarcertification), would take a brute-force tool a very long time to crack. Changing a few characters to numbers or special characters wouldn't hurt if you can remember which characters you changed, for instance changing all e's to the number 3 or all i's to the number 1.
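The following added example (not from the post) puts numbers on the passphrase advice. It computes the size of the search space, in bits, for a few password shapes and the time to exhaust it at an assumed guess rate; the word-list size (7776, a Diceware-style list), alphabet sizes and the guess rate of 1e10 per second are all assumptions chosen for illustration. It also applies the post's e-to-3 / i-to-1 substitution so the effect of a known, deterministic rule can be seen.

```python
import math

# Assumed parameters, constructed for illustration (not figures from the post):
WORDLIST_SIZE = 7776          # a Diceware-style list of short common words
LOWERCASE = 26                # a-z
LOWER_DIGITS = 36             # a-z plus 0-9
ALL_PRINTABLE = 95            # printable ASCII
GUESSES_PER_SECOND = 1e10     # assumed offline guess rate against unsalted SHA-1


def bits_for_characters(alphabet_size: int, length: int) -> float:
    """Search space, in bits, of a password chosen uniformly from alphabet_size^length."""
    return length * math.log2(alphabet_size)


def bits_for_words(wordlist_size: int, words: int) -> float:
    """Search space, in bits, of a passphrase of `words` words chosen uniformly
    from a list the guesser is assumed to know in full."""
    return words * math.log2(wordlist_size)


def years_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Years to try every candidate at `rate` guesses per second (full exhaustion;
    the expected time to hit one particular password is about half that)."""
    return 2.0 ** bits / rate / (365.25 * 24 * 3600)


def leetify(password: str) -> str:
    """The post's substitution rule: every e becomes 3 and every i becomes 1.
    The rule is deterministic and widely known, so a guesser who applies it to
    each candidate needs no extra guesses; it only defeats guessers that never
    try the rule. It is a small bonus, not added entropy."""
    return password.replace("e", "3").replace("i", "1")


def compare_policies() -> dict:
    """Bits and exhaustion time for several password shapes under the assumptions
    above. Name -> (bits rounded to one decimal, years to exhaust)."""
    policies = {
        "8 chars, a-z0-9": bits_for_characters(LOWER_DIGITS, 8),
        "8 chars, printable ASCII": bits_for_characters(ALL_PRINTABLE, 8),
        "4 random words (list known)": bits_for_words(WORDLIST_SIZE, 4),
        "6 random words (list known)": bits_for_words(WORDLIST_SIZE, 6),
        # Same 31-letter passphrase if the guesser does NOT model words and
        # must brute-force it character by character:
        "31 chars, a-z (char-level)": bits_for_characters(LOWERCASE, 31),
    }
    return {name: (round(bits, 1), years_to_exhaust(bits)) for name, bits in policies.items()}


if __name__ == "__main__":
    for name, (bits, years) in compare_policies().items():
        print(f"{name:30s} {bits:6.1f} bits  ~{years:.3g} years to exhaust")
    print(leetify("Chicagohockeycigarcertification"))
```

The two rows for the same passphrase make the practical point: the strength of "four random words" depends on what the guesser assumes. Against character-level brute force a 31-letter passphrase is far out of reach, while against a guesser who knows the word list it is roughly 52 bits, comparable to an 8-character password drawn from all printable characters. Picking the words truly at random (not a memorable phrase) and using more of them is what keeps the word-level figure high; a slow, salted hash on the server side then multiplies every one of these times by the iteration cost.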
Best practices are to limit the amount of personal information you share online, use hard-to-guess passwords, change your passwords frequently, and avoid using the same password for multiple sites.
References:
Paul, I. (2012). Update: LinkedIn confirms account passwords hacked. Retrieved 10 June, 2012, from: http://www.pcworld.com/article/257045/update_linkedin_confirms_account_passwords_hacked.html
The Hacker News. (2012). Last.fm Confirms They Were Hacked, Change Your Passwords Now. Retrieved from: http://thehackernews.com/2012/06/lastfm-confirms-they-were-hacked-change.html