Unscrewing Security

About Author

Alec Muffett is a veteran security geek who believes strongly in common sense, full disclosure, defence in depth, privacy, integrity, simplicity and open source. He is an independent consultant, writer, and speaker specialising in security education.


If it turns out that LinkedIn passwords have leaked...

...here's what you should do


Rumours are circulating on the net that a database of LinkedIn password hashes has been published on a Russian hacker site.

I cannot confirm this, but if those reports are correct then there is a risk to LinkedIn users: whoever holds the hashes can run password-cracking software such as Hashcat against them offline, at billions of guesses per second and with no login rate-limit to slow them down, and passwords that are derived from common words and phrases - or which are just too short - can and will be broken.

I'll write more soon, but in the meantime:

  1. Choose a new password: a short phrase of twelve or more characters. Don't worry too much about making it look random; instead make it long and memorable, with proper spacing and (perhaps) punctuation.

  2. See this famous cartoon for the technical explanation, but don't reuse the password it suggests (it is in every cracker's wordlist by now).

  3. Change your LinkedIn password to the new password.

  4. IMPORTANT: finally, think of all the other accounts you have (e-mail, Gmail, instant messenger, Skype...) that use the same password. Change all of them too, ideally to a different new password for each one.

The reason for the final step is that an attacker can easily cross-correlate the e-mail address you use to log in to LinkedIn with (say) your Skype account and, assuming this is all true, use the password cracked from the old LinkedIn database to break into that.

This would be very unfortunate, but quite easy to achieve.
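To make the two points above concrete (why common or short passwords fall to an offline dictionary attack, and how a cracked LinkedIn password plus an e-mail address opens a second account), here is a small added example. It is not code from this post or from any cracking tool; all of the "leaked" records, the wordlist and the second site's user table are constructed inline, and it assumes the leaked hashes are unsalted hex SHA-1 (the post does not say what hash function was used; any unsalted fast hash behaves the same way).

```python
import hashlib

# Constructed sample data for illustration only; not real LinkedIn records.
# Assumption: the leaked hashes are unsalted hex SHA-1. The post does not say
# which hash function LinkedIn used; any unsalted fast hash behaves the same way.


def sha1_hex(text: str) -> str:
    """Hex SHA-1 of a UTF-8 string (stands in for the site's password hash)."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


# Constructed "leak": e-mail address -> unsalted password hash.
LEAKED = {
    "alice@example.com": sha1_hex("linkedin"),
    "bob@example.com": sha1_hex("Password1"),
    "carol@example.com": sha1_hex("correct horse battery staple"),  # the cartoon's example
    "dave@example.com": sha1_hex("my cat sits on the warm laptop"),  # long, memorable, not a known phrase
}

# Constructed wordlist; the cartoon's phrase is in every real wordlist by now.
WORDLIST = ["password", "linkedin", "welcome", "letmein", "monkey",
            "correct horse battery staple"]


def candidates(word: str):
    """Mangling rules a cracker applies to each dictionary word: capitalise,
    then append the usual digits and punctuation."""
    for base in (word, word.capitalize()):
        yield base
        for suffix in ("1", "123", "!", "2012"):
            yield base + suffix


def crack(leaked: dict, wordlist: list) -> dict:
    """Offline dictionary attack. Because the hashes are unsalted, each candidate
    is hashed once and looked up against every victim at the same time."""
    by_hash = {}
    for email, digest in leaked.items():
        by_hash.setdefault(digest, []).append(email)
    recovered = {}
    for word in wordlist:
        for cand in candidates(word):
            for email in by_hash.get(sha1_hex(cand), []):
                recovered[email] = cand
    return recovered


# Constructed second service (say, Skype) keyed by the same e-mail addresses.
# It even salts its hashes, which does not help a user who reused the password.
OTHER_SITE = {
    "alice@example.com": ("salt-a", sha1_hex("salt-a" + "linkedin")),            # reused
    "bob@example.com": ("salt-b", sha1_hex("salt-b" + "a different one here")),  # unique
    "carol@example.com": ("salt-c", sha1_hex("salt-c" + "correct horse battery staple")),  # reused
}


def other_site_login(email: str, password: str) -> bool:
    """Simulated login check on the second service (salted hash compare)."""
    record = OTHER_SITE.get(email)
    if record is None:
        return False
    salt, stored = record
    return sha1_hex(salt + password) == stored


def credential_stuffing(recovered: dict) -> list:
    """Replay every cracked (e-mail, password) pair against the second service
    and return the accounts that open."""
    return sorted(email for email, pw in recovered.items()
                  if other_site_login(email, pw))


if __name__ == "__main__":
    cracked = crack(LEAKED, WORDLIST)
    for email in LEAKED:
        print(f"{email:20s} {cracked.get(email, '<not cracked>')}")
    print("also opens on the other site:", credential_stuffing(cracked))
```

Three of the four constructed users are cracked by a six-word list and a handful of mangling rules; only the long, memorable phrase that is not a known quotation survives. Of the three, the two who reused their password on the second site lose that account as well, even though the second site salted its hashes, which is exactly why step 4 matters.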

We now return you to your natural state of paranoia; updates will be posted here as/when events warrant.

Follow me as @alecmuffett on Twitter and this blog via the RSS feed.
