Sunday, June 10, 2012

The Weakest Link

Last week was a bad week for three major Internet companies: LinkedIn, eHarmony, and Last.fm were all targeted and successfully breached by hackers.  Early in the week, two files containing passwords were posted on a Russian hacker forum (InsidePro.com), a site which offers password-cracking tools; one file contained 6.5 million passwords, and the other 1.5 million.  The files were posted by a user "dwdm," who asked others to help crack the passwords.  The forum thread has since been taken offline.  The passwords were not displayed in plain text but were obscured via hashing, though it is reported that more than 200,000 of them have already been cracked.

So far none of the companies have released details about how their users' passwords got into the hands of hackers.  LinkedIn says that the passwords contained in the files are hashed with the SHA-1 algorithm and that no other data accompanies them (i.e. no user names or personal data).  Security experts are nonetheless strongly urging people to change their passwords immediately, and eHarmony has reset the passwords of accounts it believes have been affected.  Apparently many of the passwords published to the hacker forum contained the term "LinkedIn," e.g. "linkedin1234" or "linkedinabcd"; this was a good indicator that they were in fact LinkedIn passwords, and it suggests that many people use weak passwords such as the site name plus a string of easy-to-remember characters.

Just because the password lists were posted without user names does not mean that the original poster does not have the list of user names that goes along with them.  For this reason, anyone using any of these services should change their password immediately.  This is also an excellent reason not to reuse a common password across sites: if the hackers are able to crack a password and all your accounts share the same login information, they essentially have a master key to your online life.

Simple passwords containing dictionary words and strings such as 123 or abc will be quite easy to crack.  A strong password does not necessarily need to be filled with special characters and numbers: a long password made of four random words, such as Chicago, hockey, cigar, and certification = Chicagohockeycigarcertification, would take a brute-force tool a very long time to crack.  Changing a few characters to numbers or special characters would not hurt, as long as you can remember which characters you changed; for instance, changing all e's to the number 3, or all i's to the number 1.
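To make the hashing point and the passphrase arithmetic concrete, here is an added Python example (not part of the original post): it shows why identical passwords under plain SHA-1 yield identical digests, contrasts that with a salted, iterated hash (PBKDF2 from the standard library, used here to illustrate the mitigation, not anything the breached sites used), and estimates the guessing work for a four-word passphrase versus a site-name-plus-digits password. The 50,000-word dictionary size and the sample password are assumed figures.

```python
import hashlib
import math
import secrets
from typing import Optional

# Constructed sample password of the "site name + easy string" kind described above.
SAMPLE_PASSWORD = "linkedin1234"


def sha1_digest(password: str) -> str:
    """Plain SHA-1 of the password, the scheme the post says the leaked hashes used.
    No per-user input goes in, so two users with the same password get the same digest,
    and one cracked digest exposes every account that shares it."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def pbkdf2_record(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """Salted, iterated hash (standard-library PBKDF2-HMAC-SHA256) stored as
    'iterations$salt$key'. A fresh random salt per user makes equal passwords hash
    differently, and the iteration count makes every guess proportionally slower."""
    if salt is None:
        salt = secrets.token_bytes(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${key.hex()}"


def verify_pbkdf2(password: str, record: str) -> bool:
    """Recompute the key from the stored salt and iteration count; constant-time compare."""
    iterations, salt_hex, key_hex = record.split("$")
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                              bytes.fromhex(salt_hex), int(iterations))
    return secrets.compare_digest(key.hex(), key_hex)


def passphrase_bits(word_count: int, dictionary_size: int) -> float:
    """Guessing work, in bits, for word_count words drawn at random from a dictionary
    of dictionary_size words: an attacker who knows the scheme must try N**k phrases."""
    return word_count * math.log2(dictionary_size)


def pattern_bits(suffix_alphabet: int, suffix_length: int) -> float:
    """Guessing work for 'known site name + short suffix': only the suffix is unknown."""
    return suffix_length * math.log2(suffix_alphabet)


if __name__ == "__main__":
    print("sha1  ", sha1_digest(SAMPLE_PASSWORD))
    print("pbkdf2", pbkdf2_record(SAMPLE_PASSWORD))
    # Four random words from an assumed 50,000-word dictionary vs. "linkedin" + 4 digits.
    print(f"4 words x 50,000-word dictionary: {passphrase_bits(4, 50_000):.1f} bits")
    print(f"site name + 4 digits:             {pattern_bits(10, 4):.1f} bits")
```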

Best practices are to limit the amount of personal information you share online, use hard-to-guess, hard-to-crack passwords, change your passwords frequently, and never use the same password for multiple sites.
