
LinkedIn Breach

As many of you have heard, LinkedIn and eHarmony were hacked this month. LinkedIn lost 6.4 million password hashes. A hash is the result of running your password through a one-way cryptographic hash function. The function cannot be reversed, so you cannot take the hash and run it back through an algorithm to get the password; hashing goes one way only. However, because LinkedIn didn't salt the hashes, the leaked table was vulnerable to a standard dictionary attack, and within a few days over 60% of it had been cracked.

So, someone else could now have access to your LinkedIn account. If the attackers can match the cracked passwords to email addresses, expect those passwords to be tried against Gmail, Yahoo, Amazon, PayPal and any other major accounts. The full table of 6.4 million hashes was posted online for everyone to work on, and some experts expect 95% of it to be cracked eventually.
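The two paragraphs above make a claim worth seeing in code: an unsalted hash table can be matched against a precomputed dictionary by pure lookup, and it also reveals which users share a password, while a per-user random salt (plus a deliberately slow hash) defeats both. The following is an added example written for this article, not LinkedIn's code or the article's own; SHA-1 stands in for the unsalted hash because the article does not name the algorithm, and the user table and dictionary are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed sample data (not from the breach): a tiny user table and a tiny
# dictionary of common words. Real lists run to millions of entries, but the
# mechanism is identical.
DICTIONARY = ["password", "123456", "linkedin", "letmein", "qwerty", "welcome1"]
USERS = {
    "alice": "linkedin",
    "bob": "Tr0ub4dor&3-with-extra-length!",
    "carol": "linkedin",
}


def unsalted_hash(password: str) -> str:
    # SHA-1 is an assumption standing in for "an unsalted hash"; the article
    # does not say which algorithm the site used.
    return hashlib.sha1(password.encode()).hexdigest()


def store_unsalted(users: dict) -> dict:
    """What a site stores when it hashes without a salt: one bare hash per user."""
    return {u: unsalted_hash(p) for u, p in users.items()}


def store_salted(users: dict, iterations: int = 100_000) -> dict:
    """Per-user random salt plus a slow, iterated hash (PBKDF2-HMAC-SHA256).

    Returns user -> (salt_hex, iterations, derived_key_hex). The salt and the
    iteration count are stored alongside the digest; they are not secrets.
    """
    out = {}
    for u, p in users.items():
        salt = os.urandom(16)
        dk = hashlib.pbkdf2_hmac("sha256", p.encode(), salt, iterations)
        out[u] = (salt.hex(), iterations, dk.hex())
    return out


def verify_salted(record: tuple, password: str) -> bool:
    """Login check against a salted record, using a constant-time comparison."""
    salt_hex, iterations, stored = record
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), iterations)
    return hmac.compare_digest(dk.hex(), stored)


def precomputed_table(words) -> dict:
    """hash -> word, computed once and reusable against every unsalted table."""
    return {unsalted_hash(w): w for w in words}


def exposed_by_table(stored_hashes: dict, table: dict) -> dict:
    """Users whose stored hash appears in the precomputed table: a pure lookup,
    no hashing needed at match time."""
    return {u: table[h] for u, h in stored_hashes.items() if h in table}


def duplicate_count(stored_hashes: dict) -> int:
    """Unsalted storage also leaks who shares a password: equal hash means
    equal password. Returns how many users are duplicates of another user."""
    return len(stored_hashes) - len(set(stored_hashes.values()))


if __name__ == "__main__":
    table = precomputed_table(DICTIONARY)
    plain = store_unsalted(USERS)
    print("unsalted, matched by lookup:", exposed_by_table(plain, table))
    print("unsalted, duplicate users:", duplicate_count(plain))
    salted = store_salted(USERS)
    print("salted, matched by lookup:", exposed_by_table({u: r[2] for u, r in salted.items()}, table))
    print("salted, duplicate users:", duplicate_count({u: r[2] for u, r in salted.items()}))
```

With the sample data the unsalted table gives up alice and carol by lookup and shows that they share a password; the salted table gives up nobody and hides the duplicate, and anyone who still wants to test the dictionary has to rerun the slow hash once per word per user.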

Rules to prevent you from being vulnerable

  • Do not use the same password on multiple sites.
  • Use long passwords using uppercase, lowercase, numerals and symbols if possible. My LinkedIn password uses all 4 types and is 46 characters long. This means there are 9,547,322,545,835,206,952,727,974,004,750,409,264,445,731,775,600,206,895,816,911,958,021,630,701,470,248,242,642,017,120 (9.55 x 10^90) possible passwords that would need to be tested to find mine. An offline attack which could test 100 billion passwords per second would take 30.36 billion trillion trillion trillion trillion trillion centuries to crack my password. I wasn't worried.
  • Use a password safe. Password safes store all your passwords encrypted and will generate random passwords which you can use for websites. They also make it easy to enter those passwords into websites. I recommend KeePass. So, to access my LinkedIn account with my impossible-to-crack password, I open KeePass and find the LinkedIn entry. I double-click on the URL in KeePass, which launches the website. Then I press CTRL-ALT-A, which fills in the username and password. That's it. I have no idea what the password is. Other good password safes are LastPass and RoboForm.
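The second rule above reasons from character classes and length to a search space and then to a time at a fixed guessing rate. The following added example (written for this article, not the author's own calculation) generalises that reasoning so you can compare policies side by side; it assumes the four classes are the 26 uppercase letters, 26 lowercase letters, 10 digits and the 32 printable ASCII symbols in Python's string.punctuation, for an alphabet of 94 characters (95 if you count the space), which puts a 46-character password on the same 10^91 scale the article quotes.

```python
import math
import string

# Character classes the article's rule names. Sizes come from the ASCII
# printable set; "symbols" is string.punctuation (32 characters).
CLASSES = {
    "upper": len(string.ascii_uppercase),
    "lower": len(string.ascii_lowercase),
    "digits": len(string.digits),
    "symbols": len(string.punctuation),
}
ALL = ("upper", "lower", "digits", "symbols")
SECONDS_PER_CENTURY = 100 * 365.25 * 24 * 3600


def alphabet_size(classes) -> int:
    """Number of distinct characters available given the classes in use."""
    return sum(CLASSES[c] for c in classes)


def search_space(length: int, classes) -> int:
    """Candidates an exhaustive search must cover: alphabet ** length (exact int)."""
    return alphabet_size(classes) ** length


def entropy_bits(length: int, classes) -> float:
    """Same quantity on a log scale: bits of entropy for a uniformly random password."""
    return length * math.log2(alphabet_size(classes))


def centuries_to_exhaust(length: int, classes, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given offline guessing rate."""
    return search_space(length, classes) / guesses_per_second / SECONDS_PER_CENTURY


def compare_policies(guesses_per_second: float = 1e11) -> dict:
    """Centuries to exhaust several password policies at the article's
    100-billion-guesses-per-second rate. Length beats class count: adding
    characters multiplies the space, adding a class only widens the base."""
    policies = [
        (8, ("lower",)),
        (8, ALL),
        (12, ALL),
        (46, ALL),
    ]
    return {
        f"{length} chars, {'+'.join(classes)}": centuries_to_exhaust(length, classes, guesses_per_second)
        for length, classes in policies
    }


if __name__ == "__main__":
    for policy, centuries in compare_policies().items():
        print(f"{policy:28s} {centuries:12.3e} centuries")
    print(f"46-char, all classes: {entropy_bits(46, ALL):.1f} bits")
```

Eight lowercase letters fall in about two seconds at that rate; eight characters drawn from all four classes take roughly a day; 46 characters from all four classes take on the order of 10^70 centuries, which is why the author wasn't worried. The number is a worst case for exhaustive search: a dictionary attack of the kind that hit the LinkedIn table never covers the whole space, which is also why the random, generated passwords in the next rule matter as much as the length.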

I've written about using secure passwords and password safes before. Here is an article on making good passwords. Here is one on making passwords that you can type on small form factor devices like phones, and here is one on using KeePass to make passwords. This article is an introduction to KeePass, and this one shows you how to set up a hotkey login with KeePass so the username and password are entered automatically.




Date: June 2012


Creative Commons License
This article is licensed under a Creative Commons Attribution-NoDerivs 3.0 Unported License.
