Latest Password Breach Reminds Us to Update Passwords
Last week security researchers were buzzing with news and opinions about possible (and soon after confirmed) stolen LinkedIn passwords. Whenever a security breach like this one happens (and in the online world we now inhabit, intrusions on our privacy are not uncommon), it serves as a reminder that we need to protect ourselves proactively, as we would when walking down a darkened street: by staying alert and taking steps to prevent bad situations.
A key social media site for professionals, LinkedIn had (as of March this year) 161 million members in over 200 countries and territories. The breach of over 6 million password hashes was spotted not by LinkedIn but by security experts vigilantly watching for exactly this kind of activity. Once the matter was called to LinkedIn’s attention, the company quickly sprang into action with blog notices, internal investigations into the compromised accounts and direct communication with those affected by the breach. The recommendations LinkedIn sent to the affected account holders are worth hearing again, even though they are not new best practices. They appear at the end of this post and are worth sharing with your users.
Others also had advice to share, like Cisco’s Seth Hanford, one of the first to report on the suspected breach. Hanford noted safety steps users should take, as well as things not to do, such as entering a password into any site on the Internet that offers to compute its hash or check whether it was exposed: “Determining if your password hash was exposed is interesting, but giving your password away to strangers is never a good idea.” He also recommends that users not rely on common patterns in an effort to improve password security. As evidence, Hanford offered recent research (PDF) suggesting that sets such as possible day/month combinations (4 digits starting with “19” or “20”, or combinations that can be interpreted as day/month values like 0501) are particularly weak.
Close to a year ago today, I wrote a piece, National Internet Safety (and Security?) Month, MAAWG, and Passwords, that passed along an approach to making a strong, memorable password. This seems like a good time to repeat that portion. Here is what I wrote after hearing a talk by Dr. Markus Jakobsson, principal scientist, consumer security, at PayPal:
“A key point Dr. Jakobsson makes is that users should make passwords from what he calls “fastwords” that boil down a story into three words. On the surface these words seem very random, but to the user these select words are meaningful because they tell a tale, which aids in password recall.
Another password memory recommendation, similar to Dr. Jakobsson’s advice of telling a story, is to come up with a password with which you can make clear associations or phrases. Traditionally, a strong password is one that contains both uppercase and lowercase letters, numbers and symbols. So, for example, if you have this password: Hmkw?Aba4g!, a user could remember it by: How many kids won? A boy and 4 girls! These kinds of tricks make remembering passwords much easier; as Dr. Jakobsson points out, people hate passwords, mostly because good passwords are hard to remember.”
An almost unanimously agreed-upon password tip: don’t use the same password in multiple places. Even strong passwords are weakened through overuse, and if compromised they can open up even more information to thieves. One of the primary points given to the compromised LinkedIn members is that if the password used on the social media site is also being used elsewhere, it should be changed right away.
While the extent of the damage from the breach is not yet certain, one thing is known: damage has been done to LinkedIn’s reputation.
Password Recommendations from LinkedIn:
Here are some account security and privacy best practices that we recommend for our members:
Changing Your Password:
- Never change your password by following a link in an email that you did not request, since those links might be compromised and redirect you to the wrong place.
- You can change your password from the LinkedIn Settings <http://www.linkedin.com/settings> page.
- If you don’t remember your password, you can get password help <http://help.linkedin.com/app/answers/global/id/1167/ft/eng> by clicking on the Forgot password? <http://www.linkedin.com/passwordReset?> link on the Sign in page.
- In order for passwords to be effective, you should aim to update your online account passwords every few months or at least once a quarter.
Creating a Strong Password:
- Variety—Don’t use the same password on all the sites you visit.
- Don’t use a word from the dictionary.
- Length—Select strong passwords that can’t easily be guessed with 10 or more characters.
- Think of a meaningful phrase, song or quote and turn it into a complex password using the first letter of each word.
- Complexity—Randomly add capital letters, punctuation or symbols.
- Substitute numbers for letters that look similar (for example, substitute “0” for “o” or “3” for “E”).
- Never give your password to others or write it down.
A few other account security and privacy best practices to keep in mind are:
- Sign out of your account after you use a publicly shared computer.
- Manage your account information and privacy settings <http://help.linkedin.com/app/answers/global/id/66/ft/eng> from the Profile and Account sections of your Settings <http://www.linkedin.com/settings> page.
- Keep your antivirus software up to date.
- Don’t put your email address, address or phone number in your profile’s Summary.
- Only connect to people you know and trust.
- Report any privacy issues to Customer Service <http://help.linkedin.com/app/ask/path/pi>.
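As an added illustration (not part of the original post or LinkedIn’s guidance), the following Python audit turns the advice above into checks: the first-letter-of-each-word trick from the Jakobsson quote, LinkedIn’s 10-character and character-variety rules, a dictionary-word check, and Hanford’s weak patterns (4-digit runs starting with 19 or 20, or reading as a day/month pair like 0501). The word list is a constructed stand-in; a real audit would load a full dictionary.

```python
import re
from typing import List

# Constructed mini word list for this example; a real audit would load a full dictionary file.
DICTIONARY_WORDS = {"password", "linkedin", "welcome", "summer", "dragon", "monkey"}


def phrase_to_password(phrase: str) -> str:
    """Keep the first letter of each word of a memorable phrase (LinkedIn's acronym tip).
    Digits and punctuation inside a word are kept too, so
    'How many kids won? A boy and 4 girls!' becomes 'Hmkw?Aba4g!'."""
    out = []
    for word in phrase.split():
        out.append(word[0])
        out.extend(ch for ch in word[1:] if not ch.isalpha())
    return "".join(out)


def is_date_like(digits: str) -> bool:
    """Hanford's weak patterns: a 4-digit run that reads as a year (19xx/20xx)
    or as a day/month or month/day pair such as 0501."""
    if digits[:2] in ("19", "20"):
        return True
    a, b = int(digits[:2]), int(digits[2:])
    return (1 <= a <= 31 and 1 <= b <= 12) or (1 <= a <= 12 and 1 <= b <= 31)


def audit_password(pw: str) -> List[str]:
    """Return the recommendations the password violates; an empty list means it passes."""
    findings = []
    if len(pw) < 10:
        findings.append("length: fewer than 10 characters")
    classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw))
    if sum(classes) < 3:
        findings.append("complexity: fewer than three character classes")
    lowered = pw.lower()
    for word in sorted(DICTIONARY_WORDS):
        if word in lowered:
            findings.append(f"dictionary: contains '{word}'")
    # Lookahead gives overlapping 4-digit windows, so every offset of a longer digit run is checked.
    for m in re.finditer(r"(?=(\d{4}))", pw):
        run = m.group(1)
        if is_date_like(run):
            findings.append(f"pattern: '{run}' looks like a year or day/month")
    return findings


if __name__ == "__main__":
    for candidate in (phrase_to_password("How many kids won? A boy and 4 girls!"),
                      "Summer2012", "linkedin0501"):
        print(candidate, "->", audit_password(candidate) or "passes")
```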