LinkedIn Breach Serves as Reminder for Strong Password Security


I suppose by now you've heard about the LinkedIn breach, where 6.5 million passwords were posted to a Russian hacker site. According to Computerworld, 60 percent of the unique hashed passwords accessed have been cracked, even though the passwords had been hashed with SHA-1.

When I saw the first email alerting me of the breach, I didn't think much of it. I get a lot of emails alerting me about breaches, after all. Right after I got the LinkedIn news, I got an email telling me that Mitt Romney's email was hacked into (that someone allegedly guessed his password because it was his dog's name is a story for another day). But then, another LinkedIn alert came in, followed by another and eventually a dozen or so more, all within an hour. That in itself told me that this LinkedIn thing was pretty serious.


So what makes this a big deal? For one, it shows that passwords are becoming a weaker form of security as we become more and more dependent on the Internet for, well, just about everything we do. As Lawrence Reusing, Imation's general manager for mobile security, told me:

This breach highlights the fact that identity on the Internet has been vulnerable for years and password breaches are going to be a fundamental problem on the Internet for as long as service providers insist on having their own silos of identity. While there have been a number of standards trying to address the issue, what is needed is strong authentication options for users, access from anywhere, from any device, and relying parties to adopt the standard(s). Services that manage databases of user passwords should be continuously upgrading their protection mechanisms to newer technologies and stronger security in order to stay ahead of identity thieves.
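To make Reusing's last point concrete, here is an added example (my own code, not LinkedIn's or Imation's) of what "upgrading their protection mechanisms" looks like for a password database. It assumes the legacy store holds one bare, unsalted SHA-1 of each password, which is the weakness the cracking figure above points at: every user who picked the same password gets the same hash, so one cracked hash unlocks all of them. The replacement record uses a per-user random salt and PBKDF2 (from Python's standard library), and the `upgrade_on_login` helper shows how a site can migrate users to the stronger format the next time each one signs in, without ever needing the plaintext in bulk. The user names and passwords are constructed sample data.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed sample: two users who happen to share a password, which is
# the norm in any large user base.
SAMPLE_USERS = {"alice": "chocolate", "bob": "chocolate", "carol": "!h8MunP@$s"}

# Assumed work factor for the new scheme; tune it so a single check takes a
# noticeable fraction of a second on the site's own hardware.
PBKDF2_ITERATIONS = 200_000


def unsalted_sha1(password: str) -> str:
    """Legacy scheme (assumed): a single SHA-1 of the password, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def pbkdf2_record(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Stronger scheme: random 16-byte salt plus PBKDF2-HMAC-SHA256.

    The record carries everything needed to verify later, so the work
    factor can be raised for new records without breaking old ones.
    """
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, record: str) -> bool:
    """Recompute the derived key from the stored salt and compare in constant time."""
    algo, iterations, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def duplicate_hash_groups(records: Dict[str, str]) -> Dict[str, List[str]]:
    """Group user names whose stored value is byte-identical.

    With unsalted hashes, shared passwords are visible to anyone holding the
    dump; with per-user salts, the same password yields different records.
    """
    groups: Dict[str, List[str]] = {}
    for user, stored in records.items():
        groups.setdefault(stored, []).append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


def upgrade_on_login(user: str, password: str,
                     legacy_db: Dict[str, str], new_db: Dict[str, str]) -> bool:
    """Check the password against the legacy SHA-1 entry and, if it matches,
    replace that entry with a salted PBKDF2 record. Returns True on success."""
    legacy = legacy_db.get(user)
    if legacy is None or not hmac.compare_digest(legacy, unsalted_sha1(password)):
        return False
    new_db[user] = pbkdf2_record(password)
    del legacy_db[user]
    return True


if __name__ == "__main__":
    legacy = {u: unsalted_sha1(p) for u, p in SAMPLE_USERS.items()}
    print("shared unsalted hashes:", duplicate_hash_groups(legacy))
    upgraded = {u: pbkdf2_record(p) for u, p in SAMPLE_USERS.items()}
    print("shared salted records:", duplicate_hash_groups(upgraded))
```

The migration path matters as much as the algorithm: a site that cannot rehash everyone overnight can still retire the weak format one login at a time, and anything left in the legacy table after a reasonable window can be force-reset.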

Hitting LinkedIn passwords differs from other sites because, as the ESET Threat Blog pointed out, users tend to put real, professional and personal information about themselves on the site. It isn't just mindless chit-chat with pictures of your dinner or complaints about your favorite sports team, like you'd see on other social networking sites. The blog also pointed out:

Furthermore, every time one of your LinkedIn contacts updates their profile, you get updates from LinkedIn showing what's happening. This has the aggregate effect of a form of peer review on what you post about yourself, knowing that it is exposed to those business or career contacts that have a direct impact on your life. This causes people to tend toward being very accurate and honest on their LinkedIn profile. In other words, mess with somebody's professional profile on LinkedIn, and you're messing with their life, and their contacts know about it.

I've heard from friends that they are already beginning to see an influx of spam pretending to be a LinkedIn link. ESET also warned of the spam messages alerting users to "click here" to change their password.


Of course, you should change your password. In fact, you should advise everyone in your company who uses LinkedIn to change their password. Then, they should plan to change a lot of other passwords; after all, even though we know we shouldn't, most of us re-use our passwords from site to site. And be prepared to change your password more than once, as Marcus Carey, security researcher at Rapid7, told me:

By all indications it doesn't appear that LinkedIn has contained the compromise yet, so everyone should be aware that they may have to change their passwords multiple times. You should still go ahead and change it straight away, but you may have to change it for a second time if it turns out the attackers are still entrenched in LinkedIn's systems.

For now, passwords are still our first defense in securing our data, and until something better comes along, we have to make sure our passwords work for us. Troy Gill, security analyst at AppRiver, sent me these tips for creating strong passwords:

  • The first step in creating a secure password is to think length. For each character or symbol you add, the security of that password rises exponentially. A basic rule to keep in mind: Avoid selecting a password of less than seven characters.
  • Another step is to make the password appear as nothing more than a random string of characters to someone else who may see it. You can do this with what appears to be a random selection of letters - in both upper- and lowercase - numbers and punctuation from all over the keyboard. Another rule to keep in mind: Try to avoid sequential or repeating instances.
  • One good method is to use look-alike characters in substitution for other letters in your password. For example, use "@" for "a," "$" for "s," "1" for "I," zeros for "o," or the like. However, be aware that there is a slight risk if you use only this technique in an attempt to obfuscate your password. There are many password-guesser programs that are well equipped to be aware of these rather simple substitutions and will try to replace the symbols with letters themselves. Therefore, if you're still using common words as a basis for your password, such as "cH0c0!@t3" for the word "chocolate," you may not be any more secure.
  • To avoid this, a good trick to try is to create a long acronym or partial words from a phrase to throw off any sort of dictionary-based attack. For example, take a long sentence that you'll remember, such as "I hate making up new passwords," and turn it into "!h8MunP@$s."
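Gill's four tips translate directly into a policy check a site (or a help desk) can run on a proposed password. The following is an added example of my own, not AppRiver's tool: it enforces the seven-character minimum, requires a mix of character classes, rejects sequential and repeated runs, and, for the substitution tip, undoes the common look-alike swaps before comparing against a wordlist, which is exactly why "cH0c0!@t3" fails while "!h8MunP@$s" passes. The wordlist and the reverse-substitution table are constructed for the example; a real deployment would load a much larger dictionary.

```python
import itertools
import string

# Constructed stand-in for the dictionaries a password-guesser carries.
COMMON_WORDS = {"chocolate", "password", "welcome", "linkedin", "summer", "monkey"}

# Look-alike substitutions, undone in reverse: each symbol maps to the letters
# it is commonly used for. The symbol itself is kept as an option, so the
# unmodified spelling is tested too.
LEET_REVERSE = {
    "@": "a", "$": "s", "1": "il", "!": "il", "0": "o",
    "3": "e", "4": "a", "5": "s", "7": "t",
}
MIN_LENGTH = 7          # from the first tip: avoid fewer than seven characters
MAX_CANDIDATES = 4096   # bound the expansion for very long passwords


def unleet_candidates(password):
    """Yield plausible plaintext spellings of a leet-speak password."""
    choices = [c + LEET_REVERSE.get(c, "") for c in password.lower()]
    for combo in itertools.islice(itertools.product(*choices), MAX_CANDIDATES):
        yield "".join(combo)


def has_sequential_run(password, run=3):
    """True if `run` consecutive characters step by +1 or -1 in code point (abc, 321)."""
    codes = [ord(c) for c in password]
    for i in range(len(codes) - run + 1):
        steps = {codes[j + 1] - codes[j] for j in range(i, i + run - 1)}
        if steps == {1} or steps == {-1}:
            return True
    return False


def has_repeating_run(password, run=3):
    """True if the same character appears `run` times in a row (aaa, 111)."""
    return any(len(set(password[i:i + run])) == 1
               for i in range(len(password) - run + 1))


def check_password(password):
    """Return the list of tips the password violates; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    if sum(classes) < 3:
        problems.append("fewer than three character classes (upper, lower, digit, punctuation)")
    if has_sequential_run(password):
        problems.append("contains a sequential run such as abc or 123")
    if has_repeating_run(password):
        problems.append("contains a repeated character run such as aaa")
    if any(cand in COMMON_WORDS for cand in unleet_candidates(password)):
        problems.append("is a common word once look-alike substitutions are undone")
    return problems


if __name__ == "__main__":
    for sample in ("cH0c0!@t3", "!h8MunP@$s", "abc123"):
        verdict = check_password(sample)
        print(f"{sample!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

The substitution check is the part worth copying: a checker that only counts character classes would score "cH0c0!@t3" as excellent, which is the false confidence the third tip warns about.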