FLASH: LinkedIn and eHarmony passwords stolen

As you’re likely aware, two major players have had their systems compromised by hackers, who were able to collect the hashed versions of user passwords: 6 million from LinkedIn and 1.5 million from eHarmony.  As most media outlets are reporting, these breaches are serious and will give the ‘bad guys’ yet more data to help them steal data and personal identities.

I can hear you now: I’m totally freaking out here, I’ve bared my professional soul on LinkedIn and use that password for on-line access to my account at Shifting Sands Bank! 

OK … take some deep breaths … Let’s take a minute and look at this rationally:

  • The list posted is a fraction of the total number of password hashes available from each site: 6 million from LinkedIn, which has 100 million accounts (and passwords), and 1.5 million from eHarmony, against 20 million accounts.  BTW: this is no guarantee that more weren’t stolen, only that more haven’t been posted.
  • What the hackers have is the encrypted version of these passwords, not the clear-text version.   LinkedIn passwords are encrypted with a hashing technique called SHA-1, which was designed by the US National Security Agency but has proven to be a weak cypher; it was first shown to be breakable in 2008.  eHarmony passwords are encrypted with a hashing technique called MD5, which is also a weak cypher and was shown to be breakable in 2005.
  • The hackers posted the hashes to get others to attempt to break the individual hashes into clear-text versions of the passwords, which it is presumed they will use to populate dictionaries for guessing passwords in future attempts to access various social networking, financial and e-commerce accounts.
  • The hackers don’t have other account information for LinkedIn and eHarmony, so even if they figure out your password, they don’t have the login name/email address to use with it; it’s therefore unlikely that these accounts are the immediate concern.

Great, what does that mean for me?

There are a couple of short-term actions to take NOW, then some longer-term actions to consider.  The short-term actions are:

  • Check to see if your LinkedIn or eHarmony password hash is one of the 7.5 million that have been posted.  The password manager LastPass has created tools that let you enter a password; the tool hashes it with the appropriate algorithm on your computer (using JavaScript), then passes that hash on to the LastPass servers to be compared against the posted lists.  See the following tools: LinkedIn or eHarmony.  If your hash is on either list, the urgency is ramped up and you need to act immediately; otherwise I’d still strongly recommend you take these short-term actions.
  • If you or members of your family have LinkedIn and/or eHarmony accounts, change the passwords.  Also, I’d recommend doing this for Facebook, Google and any other social media sites since these sites have also been having issues with hackers and there is no reason to believe they aren’t targeted for the same hack.
  • If you use your LinkedIn or eHarmony password for other on-line accounts, retire it and change the password on every account that uses it.

Longer term, you might need to rethink your password strategy.  Here are some thoughts:

  • Ideally, you should have a different password for every account; it should be difficult for a computer to figure out, and it should be changed frequently.  Since this isn’t practical, I have the following thoughts:
    • You need at least 3 “classes” of passwords:
      • Very secure passwords, used only for access to bank and brokerage accounts.  Each account should have a different password, and they should be complex and changed periodically.
      • Secure passwords for other secure connections (e.g., an “https://” prefix in the URL).  Again, they should be complex and changed periodically, but you can probably use a smaller number of passwords.
      • Non-secure passwords: It’s amazing to me how many sites do not use secure connections (e.g., an “http://” prefix in the URL).  Personally, I think it’s highly irresponsible, since it’s not that difficult or expensive to offer secure connections.  I’d recommend that you either not create accounts on these sites or, if you do, have a completely different set of passwords to use.
    • At the bottom of my post Primer on Security Issues, you’ll find more information on how to form a good password.
  • You might want to consider using a password manager like LastPass or 1Password to generate and manage passwords that are very difficult to crack and change periodically.  I’m planning to devote a future post to this topic.
  • A cyber-colleague of mine, Paul Lubic, who authors a similar blog, has written an excellent post about passwords, including information about how to develop good passwords and what needs to be done to maintain them.  I’d highly recommend having a look.

Post updated on June 12, 2012 to add Paul Lubic’s blog post on password creation and maintenance.

1 Comment

    Trackbacks

    1. Help!! Is there anyone out there??? « The Family HelpDesk
