Tips for Creating a Strong Password
Correct risky password behavior and reduce your chances of being hacked.
I suppose by now you've heard about the LinkedIn breach, in which 6.5 million password hashes were posted to a Russian hacker forum. According to Computerworld, 60 percent of the unique hashes had already been cracked, even though the passwords had been hashed with SHA-1. That is less surprising than it sounds: hashing is not encryption, and plain SHA-1 is a fast general-purpose hash with no per-user salt, so an attacker can test a huge wordlist against every hash in the dump at once, and every account that shares a password shares the same hash.
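To make that concrete, here is a small added example (my own code, not from the article or from LinkedIn) that runs a wordlist against a constructed "dump" of unsalted SHA-1 hashes the way a cracker would, and then contrasts it with a salted, iterated hash. The four accounts, their passwords and the six-word wordlist are all made up for the demonstration; the iteration count is an assumption, not a recommendation tied to any particular service.

```python
import hashlib
import hmac
import os

# Constructed demo data (not the real LinkedIn dump): four made-up accounts
# whose passwords were hashed with unsalted SHA-1, the scheme in the 2012 leak.
DEMO_PASSWORDS = {
    "alice": "password",
    "bob": "123456",
    "carol": "password",  # same password as alice -> identical hash below
    "dave": "correct horse battery staple 42!",  # not in any small wordlist
}
LEAKED_SHA1 = {user: hashlib.sha1(pw.encode()).hexdigest()
               for user, pw in DEMO_PASSWORDS.items()}

# A tiny stand-in for the multi-million-entry wordlists real crackers use.
WORDLIST = ["123456", "qwerty", "letmein", "password", "linkedin", "abc123"]


def crack_unsalted(leaked, wordlist):
    """Recover plaintexts for unsalted hashes with a single lookup table.

    With no salt, hash(word) -> word is computed once and reused against every
    account in the dump, so the cost is proportional to the wordlist, not to
    wordlist x users. Returns {user: plaintext} for every hash that matched.
    """
    table = {hashlib.sha1(w.encode()).hexdigest(): w for w in wordlist}
    return {user: table[h] for user, h in leaked.items() if h in table}


def hash_password(password, salt=None, iterations=200_000):
    """Salted, iterated hash using PBKDF2-HMAC-SHA256.

    Returns (salt_hex, hash_hex). The random 16-byte salt makes every stored
    hash unique, so a precomputed table cannot be reused across users, and the
    iteration count (an assumed value here) makes each guess cost ~iterations
    hash operations instead of one.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt.hex(), digest.hex()


def verify_password(password, salt_hex, hash_hex, iterations=200_000):
    """Recompute the salted hash and compare in constant time."""
    _, candidate = hash_password(password, bytes.fromhex(salt_hex), iterations)
    return hmac.compare_digest(candidate, hash_hex)


if __name__ == "__main__":
    cracked = crack_unsalted(LEAKED_SHA1, WORDLIST)
    print(f"cracked {len(cracked)} of {len(LEAKED_SHA1)} unsalted hashes: {cracked}")
    print("alice and carol share a hash:", LEAKED_SHA1["alice"] == LEAKED_SHA1["carol"])

    s1, h1 = hash_password("password")
    s2, h2 = hash_password("password")
    print("same password, different salted hashes:", h1 != h2)
    print("verify correct password:", verify_password("password", s1, h1))
    print("verify wrong password:", verify_password("Password", s1, h1))
```

Running it cracks three of the four accounts with a six-word list, and shows that the two accounts sharing "password" are indistinguishable in the dump. With the salted version, the same password stored for two users yields two different hashes, and an attacker has to pay the full iteration cost for every guess against every user separately.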
When I saw the first email alerting me to the breach, I didn't think much of it. I get a lot of emails alerting me about breaches, after all. Right after I got the LinkedIn news, I got an email telling me that Mitt Romney's email was hacked into (that someone allegedly guessed his password because it was his dog's name is a story for another day). But then, another LinkedIn alert came in, followed by another and eventually a dozen or so more, all within an hour. That in itself told me that this LinkedIn thing was pretty serious.
So what makes this a big deal? For one, it shows that passwords are becoming a weaker form of security as we become more and more dependent on the Internet for, well, just about everything we do. As Lawrence Reusing, Imation's general manager for mobile security, told me:
This breach highlights the fact that identity on the Internet has been vulnerable for years and password breaches are going to be a fundamental problem on the Internet for as long as service providers insist on having their own silos of identity. While there have been a number of standards trying to address the issue, what is needed is strong authentication options for users, access from anywhere, from any device, and relying parties to adopt the standard(s). Services that manage databases of user passwords should be continuously upgrading their protection mechanisms to newer technologies and stronger security in order to stay ahead of identity thieves.
A breach of LinkedIn passwords differs from a breach at other sites because, as the ESET Threat Blog pointed out, users put real professional and personal information about themselves on the site. It isn't just mindless chit-chat, pictures of your dinner, or complaints about your favorite sports team, like you'd see on other social networks. The blog also pointed out:
Furthermore, every time one of your LinkedIn contacts updates their profile, you get updates from LinkedIn showing what's happening. This has the aggregate effect of a form of peer review on what you post about yourself, knowing that it is exposed to those business or career contacts that have a direct impact on your life. This causes people to tend toward being very accurate and honest on their LinkedIn profile. In other words, mess with somebody's professional profile on LinkedIn, and you're messing with their life, and their contacts know about it.
Of course, you should change your password. In fact, you should advise everyone in your company who uses LinkedIn to change their password. Then, they should plan to change a lot of other passwords; after all, even though we know we shouldn't, most of us re-use our passwords from site to site. And be prepared to change your password more than once, as Marcus Carey, security researcher at Rapid7, told me:
By all indications it doesn't appear that LinkedIn has contained the compromise yet, so everyone should be aware that they may have to change their passwords multiple times. You should still go ahead and change it straight away, but you may have to change it for a second time if it turns out the attackers are still entrenched in LinkedIn's systems.
For now, passwords are still our first line of defense in securing our data, and until something better comes along, we have to make sure our passwords work for us. Troy Gill, security analyst at AppRiver, sent me these tips for creating strong passwords: