Please help spread the word.  The LinkedIn password leak is far more dangerous than 99% of the people imagine...

http://geekbeat.tv/urgent-the-linkedin-password-leak-hack-is-much-worse-than-you-think/
 
Unless I'm mistaken, the LinkedIn leak was JUST passwords, with no associated usernames for those passwords.  If so, I don't see the major issue.

Though John's point about password security remains entirely viable.  If you want even more security, many sites, including PayPal, Google, and any site that lets you log in through Google, have options for two-factor authentication (you have to enter a code off your phone or a keychain, not just your password), for those extra security conscious.
 
+Conor Schutzman They don't necessarily need the username. Instead of performing a dictionary-based attack, a hacker can now use a dictionary of 6.5 million passwords.
 
John, I appreciate your efforts to warn the masses, but I have to say your post is a touch alarmist. And don't get me started on that the-sky-is-falling news story.
Yes, using the same password at multiple websites is risky in the case of a breach; we in the InfoSec field have been saying this for years. It's a common problem, but there's nothing special about this case. It's not 'far worse than 4 out of 5 geek squad technicians thought'. It's not the end of the net as we know it.
It's another reminder that users need to be smarter and work that little bit extra if they want to remain secure. 
 
I have forgotten my LinkedIn password, do you think the hackers can help me??
Ken M.
 
+Jeff Pettorino When those few people who pay attention hear that their LinkedIn password has been compromised, how many WON'T realize that this also means the hackers can access their banking information?

You're quite right that nothing has changed.  It's hardly alarmist, though, to point out that this is a concrete example of WHY using the same password everywhere is dumb and why people need to change their passwords immediately!
 
There are loads o' utilities available (many free) that can not only securely store yer passwords, but help create secure ones so ye don't have to. Highly recommended is the cross-platform LastPass https://lastpass.com/ which can replace the insecure "browser password storage" and is available for Mobile Platforms of all kinds.
There are also many tutorials that show how to create simple, memorable, secure passwords - like this one http://uit.tufts.edu/?pid=232

Just FYI, here are the "password rules" for NASA
http://1.usa.gov/NMUeL6
 
I don't get it. Are these sites storing passwords in plain text or something?
 
So here's a question - why on earth were the passwords being stored at LinkedIn in plain text?? They should be storing a hash of your password, which should be much less of a problem if it falls into the wrong hands.
Phil K
 
Glad I don't have much on my profile over there.
 
Passwords are normally encrypted (e.g. MD5 hash) and stored in a database (not the plain text). The surprising thing to me is that these could be decrypted, which is not supposed to be possible (most of the time if you forget your password, you have to create a new password since they can't email you your original password).
 
Great write-up +John Pozadzides. That's why I use a different password for each site I subscribe to.

+Will Kriski As far as decryption is concerned I believe all that is required is to take a dictionary (for example) and MD5 encrypt that. Then compare each MD5 encrypted password to your MD5 encrypted dictionary words. If they match, you know what the plain text password is.
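The dictionary-versus-hash comparison described in the comment above, and the reason a plain hash (as asked about a few comments earlier) is not enough on its own, as an added example that is not part of the original thread. It uses MD5 because the comment names it; the construction is identical for any fast unsalted hash. All users, passwords, salts and the wordlist are constructed here for the demonstration and do not come from any real dump.

```python
import hashlib

# Constructed sample data for the example (hypothetical users and passwords).
USER_PASSWORDS = {"alice": "password1", "bob": "linkedin", "carol": "Tr0ub4dor&3"}
WORDLIST = ["123456", "password", "password1", "linkedin", "qwerty", "letmein"]
# Per-user salts for the salted variant; a real system would draw these from os.urandom().
SALTS = {"alice": "a1", "bob": "b2", "carol": "c3"}


def md5_hex(data: str) -> str:
    """The page's example hash; any fast unsalted hash behaves the same way."""
    return hashlib.md5(data.encode()).hexdigest()


# What an attacker holds after an unsalted dump: just the hashes, no usernames needed.
LEAKED_HASHES = {md5_hex(pw) for pw in USER_PASSWORDS.values()}

# What an attacker holds after a salted dump: one (salt, hash) pair per user.
LEAKED_SALTED = {u: (SALTS[u], md5_hex(SALTS[u] + pw)) for u, pw in USER_PASSWORDS.items()}


def crack_unsalted(leaked, wordlist):
    """Hash every dictionary word once and look it up in the leaked set.

    Returns (hash -> recovered password, number of hash computations).
    One table of hashed words is compared against every leaked hash at once,
    so the cost is len(wordlist) regardless of how many users were leaked.
    """
    table = {md5_hex(w): w for w in wordlist}
    found = {h: table[h] for h in leaked if h in table}
    return found, len(wordlist)


def crack_salted(leaked_salted, wordlist):
    """Same dictionary, but each user's salt forces a fresh pass over the wordlist.

    Returns (user -> recovered password, number of hash computations).
    The precomputed table is useless; work scales with users x wordlist.
    """
    found, work = {}, 0
    for user, (salt, target) in leaked_salted.items():
        for word in wordlist:
            work += 1
            if md5_hex(salt + word) == target:
                found[user] = word
                break
    return found, work


if __name__ == "__main__":
    found, work = crack_unsalted(LEAKED_HASHES, WORDLIST)
    print(f"unsalted: recovered {sorted(found.values())} with {work} hashes")
    found_s, work_s = crack_salted(LEAKED_SALTED, WORDLIST)
    print(f"salted:   recovered {found_s} with {work_s} hashes")
```

Note what the salted run does and does not buy: the weak passwords are still recovered, only at a cost that grows with the number of users, and carol's non-dictionary password is not recovered in either run. Salting removes the one-hash-per-word shortcut; only a slow, memory-hard hash (bcrypt, scrypt, Argon2) makes each guess itself expensive.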
 
+Conor Schutzman  I'm afraid you're mistaken.  Only the passwords were posted, as proof that the attack occurred.  I guarantee they also took the matching username, and they are now selling the list on the black market to every wannabe hacker who will pony up the cash.

+Jeff Pettorino  You may have caught on to this, but 99% of the people I talk to about password security do not put 2 and 2 together to fully understand what the criminals will do with this information.

I would argue, strongly, that there is nothing alarmist about reminding anyone about the danger in this case.  If the consequences were trivial, then yes, it would be alarmist.  But people's entire lives can be absolutely ruined by a breach of all of this personal information.

I believe we should always ring the alarm whenever:
  - A minor issue will affect a large number of people
  - A major issue will affect a small number of people
 
I own my own domains so typically I keep a separate email address for each service I sign up for. Not only does this provide me with an additional layer of security, but it limits any spam I may receive and identifies who sold my email address to a spamming agency. I never EVER use my gmail account for anything except as a sign in to Google Services.
 
@Dennis, No. They got a copy of the hashed database AND the accompanying hash keys.

I use a 3-level password scheme. For low-level sites that I need to log into once (like an Android forum) and that have no personal information, easy-to-remember (for me) passwords.

Next up, a more complicated password with upper/lowercase letters, numbers, and punctuation. Think the pig latin version of leet-speak.

Finally, a high-level password set of 8 to 24 characters (sometimes more) consisting of randomly generated u/l letters, numbers, and punctuation that IS NOT reused between sites AND is changed on a regular basis. At this point, I use a service like LastPass to help me out.

It's important to categorize things by levels of security to make it easier to keep track and not needlessly complicate things.
 
How much does having 2-step verification on your gmail account help prevent a hacker from gaining access to other websites? I would think it would be a big help, but I don't know if there is something I am missing?
 
+Brent Stewart - Forgot the last one; public and private emails. Create a dummy gmail account for all the throwaway sites and a real one for you. 
 
They should hunt these people down and find a nice place for them like Gitmo, only without tropical breezes and religious sensitive food.
 
+Jeffrey Pomranka - Two factor gives you a password AND a token generator that only you gave access to. Need to get in or prove you are you? Enter your password, followed by a time-synchronized key from the generator that only you have. It's usually a keyfob or an app on your phone, but not both. There can only be one instance of either used.
 
If you're using Google and have an iPhone or Android handset, look up two-factor Google authentication, turn it on, and use it. It does far more than secure your password, it authenticates apps using Google. You end up with a list of apps whose access you can zap when you're through with them.
 
Of course I'm concerned. Some Evil Hacker might make me look employable.
 
I'm changing my passwords now, because someday my banking information might actually be useful..... (I hope, I hope!)
 
+Roger Benson Thanks for the information. I should have been clear, I do use 2 factor authentication. So I'm fairly confident my email account is secure. However, I'm curious if this is being a little over confident. If a hacker has my email address, but not access, and a password from LinkedIn, can they do much? Thanks!
 
I have no idea but I have no money or secrets either
 
+Jeffrey Pomranka I'm pretty philosophical about the whole thing. I do everything I can, but I don't go crazy trying to secure it all 100%. If anonymous wants me, they're gonna get me, there's not much I can do about that. But I can deal with the bit trawlers pretty easily.