SEVERAL SECURITY BREACHES have been reported by various websites this week – LinkedIn, eHarmony, Last.fm – which prompted them to urge their users to change their passwords.
Users are also being urged not to use the same password for every site they visit; a pain, of course, if you end up trying to remember ten, 15 or more passwords a day. But how can you make sure your password can’t be easily cracked? We’ve put together a rough guide to making your password as strong as possible.
Tips for making your password and browsing secure
- Choose a password that’s longer than six characters and contains a mixture of characters, and try not to use a word that’s found in a dictionary (in any language). Your best bet is to use a password that appears to be a random string of characters.
- Don’t use the same passwords for all of your online accounts. Security Week reports that a study by Internet security company BitDefender revealed that 75 per cent of people use their email passwords for social networking sites. Using the same password for sites where money is involved, like Amazon or PayPal could lead to all sorts of trouble.
- Make sure the browsers you use are up to date, and use more than one, like Chrome and Firefox. Security expert Jeremiah Grossman recommends using one for ‘important’ tasks like banking and checking email and using that browser to go directly to a website without surfing the web. That means if your other ‘everyday’ browser is attacked, there won’t be anything too important to find.
- Use a password manager if you’re (wisely) using a number of different strong passwords. A password manager like LastPass will store all of your important information, requiring you to remember only one ‘master’ password.
- Avoid using common sequences of letters or numbers, or personal information such as your birthday or your name.
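The rules in the list above (longer than six characters, a mix of character types, not a dictionary word, no common sequences, no personal details) can be turned into a simple checker. The example below is added here and is not code from the original article or from any of the sites mentioned; the word list and keyboard sequences are small constructed stand-ins (a real check would use a full dictionary), and the function names are the author's own.

```python
import re

# Constructed stand-in for a real dictionary word list (example values only).
DICTIONARY_WORDS = {"password", "monkey", "letmein", "welcome", "dragon", "football"}

# Constructed list of keyboard-row sequences to reject (example values only).
KEYBOARD_SEQUENCES = ["qwerty", "asdf", "zxcv"]


def has_char_mix(pw: str) -> bool:
    """True if the password uses at least three of: lower, upper, digit, symbol."""
    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ]
    return sum(classes) >= 3


def has_run(pw: str, length: int = 4) -> bool:
    """Detect runs such as 'abcd', '1234', 'dcba' or 'aaaa' of the given length."""
    s = pw.lower()
    for i in range(len(s) - length + 1):
        window = s[i:i + length]
        # A run has a constant step of +1, -1 or 0 between neighbouring characters.
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps in ({1}, {-1}, {0}):
            return True
    return False


def check_password(pw: str, personal_info=()) -> list:
    """Return a list of problems; an empty list means the password passes every rule."""
    problems = []
    lowered = pw.lower()

    if len(pw) <= 6:
        problems.append("too short (must be longer than six characters)")
    if not has_char_mix(pw):
        problems.append("needs a mixture of character types")

    # Strip digits and symbols so 'monkey123' is still caught as a dictionary word.
    letters_only = re.sub(r"[^a-z]", "", lowered)
    if letters_only in DICTIONARY_WORDS:
        problems.append("based on a dictionary word")

    if has_run(pw):
        problems.append("contains a sequence like 1234 or abcd")
    for seq in KEYBOARD_SEQUENCES:
        if seq in lowered:
            problems.append(f"contains keyboard sequence '{seq}'")

    # Personal details (name, birth year, ...) supplied by the caller.
    for item in personal_info:
        if item and item.lower() in lowered:
            problems.append(f"contains personal information: '{item}'")

    return problems


if __name__ == "__main__":
    for candidate in ["monkey", "Sarah1990!", "Tr7&kq9!Lp2"]:
        print(candidate, "->", check_password(candidate, ["Sarah", "1990"]) or "OK")
```

The checker only enforces the article's rules; passing it does not make a password unguessable, which is why the list also recommends a password manager that can generate long random strings for you.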
What does all this mean for me?
If you are a LinkedIn, eHarmony or Last.fm user you should change your password, and you should ensure that you don’t use the same password for all of the major sites you use, such as your email account, banking, Facebook etc. It’s not yet known if user names along with passwords were stolen, but Ars Technica and CNET report that it’s likely that this information is in the hackers’ hands.
Be wary of any email purporting to be from one of the affected sites, especially if it contains a link. LinkedIn have already said that they are sending emails to affected users, but that these emails will not contain any links, and they’re warning users to watch out for phishing and spam emails requesting personal information. LinkedIn have also said that they have disabled the affected passwords.
What’s all this about ‘salting’ and ‘hashing’?
LinkedIn have been criticised this week for having their users’ passwords hashed, but not salted. Hashing a password is a way of encrypting a password in case it gets into the wrong hands. LinkedIn were using an algorithm called Secure Hashing Algorithm 1 (or SHA-1), which uses a mathematical process to create a string of letters and numbers based on the original password. Like this:
However, it seems that LinkedIn’s passwords weren’t ‘salted’, meaning that it was possible to crack some of the more common passwords. Hackers do this using dictionaries: collections of precomputed hashes of dictionary words or common passwords, which make it easy to look up leaked hashes.
Salting is carried out by adding another string of characters to the password before it is hashed, so that hackers have more difficulty matching the leaked hashes against their prebuilt dictionaries. For instance, the hash of “monkey” and the hash of “monkey-saltstring” would be different, and hackers would need to know which salt was used and the position of the salt (the salt can be added at any fixed position, like saltstring-monkey, or m-saltstring-onkey, etc.) and then rebuild their dictionaries taking that into account.
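The three paragraphs above describe unsalted SHA-1 hashing, precomputed dictionaries and salting. The example below is added here and is not code from the original article or from LinkedIn; it uses the password “monkey” and the salt “saltstring” from the text, a small constructed list standing in for an attacker's dictionary, and function names of the author's own. SHA-1 is used only because that is the algorithm the article discusses; note that hashing is one-way (the stored value cannot be turned back into the password), which is what distinguishes it from encryption.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for a list of common passwords an attacker would
# precompute (example values only, not taken from any leak).
COMMON_PASSWORDS = ["123456", "password", "monkey", "letmein", "qwerty"]


def sha1_hex(text: str) -> str:
    """Unsalted SHA-1 of a password, hex-encoded (the scheme the article describes)."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def build_precomputed_table(words) -> dict:
    """hash -> plaintext for every word: this is what a 'hashed dictionary' amounts to."""
    return {sha1_hex(w): w for w in words}


def lookup(leaked_hash: str, table: dict):
    """One dictionary lookup recovers the password if the hash was unsalted."""
    return table.get(leaked_hash)


def salted_sha1_hex(password: str, salt: str) -> str:
    """Salt appended to the password before hashing, as in 'monkey-saltstring'."""
    return sha1_hex(f"{password}-{salt}")


def store_password(password: str) -> dict:
    """What a site should keep: a random per-user salt and the salted hash."""
    salt = secrets.token_hex(8)  # fresh random salt for every user
    return {"salt": salt, "hash": salted_sha1_hex(password, salt)}


def verify_password(password: str, record: dict) -> bool:
    """Re-hash the candidate with the stored salt and compare in constant time."""
    candidate = salted_sha1_hex(password, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


def demo():
    """Return (unsalted lookup result, salted lookup result) for the password 'monkey'."""
    table = build_precomputed_table(COMMON_PASSWORDS)
    leaked_unsalted = sha1_hex("monkey")
    leaked_salted = salted_sha1_hex("monkey", "saltstring")
    return lookup(leaked_unsalted, table), lookup(leaked_salted, table)


if __name__ == "__main__":
    found, not_found = demo()
    print("unsalted hash cracked as:", found)       # monkey
    print("salted hash found in table:", not_found)  # None
    rec = store_password("monkey")
    print("login with right password:", verify_password("monkey", rec))
    print("login with wrong password:", verify_password("m0nkey", rec))
```

Two things the example makes visible: with unsalted hashes every user who chose “monkey” has the identical stored value, so one table lookup cracks all of them at once, whereas a random per-user salt gives each of them a different value. Salting defeats precomputed dictionaries but does not slow down guessing itself; a site storing passwords today should use a deliberately slow password-hashing function (bcrypt, scrypt or Argon2) rather than plain salted SHA-1.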
Who’s investigating the breach?
CNET reports that LinkedIn has contacted police about the security breach, while it’s possible that the Data Protection Commissioners here may also have a role in investigating the incident. The Irish Times has reported that because LinkedIn’s operations base for outside the US is here in Ireland, the Irish Data Protection Commissioner’s Office is now in contact with the company.
Meanwhile The Australian reports that Australia’s privacy commissioner has asked the Data Protection Commissioner’s Office to stay in touch with him. He’s contacted his Irish counterpart and asked to be kept “in the loop”.
Here’s Google’s guide to a strong password: