SEVERAL SECURITY BREACHES have been reported by various websites this week – LinkedIn, eHarmony, Last.fm – which prompted them to urge their users to change their passwords.
Users are also being urged not to use the same password for every site you visit; a pain of course, if you end up trying to remember ten, 15 or more passwords a day. But how can you make sure your password can’t be easily cracked? We’ve put together a rough guide to how to make your password as strong as possible.
Tips for making your password and browsing secure
What does all this mean for me?
If you are a LinkedIn, eHarmony or Last.fm user you should change your password, and you should ensure that you don’t use the same password for all of the major sites you use, such as your email account, banking, Facebook etc. It’s not yet known if user names along with passwords were stolen, but Ars Technica and CNET report that it’s likely that this information is in the hackers’ hands.
Be wary of any email purporting to be from one of the affected sites, especially if it contains a link. LinkedIn have already said that they are sending emails to affected users, but that these emails will not contain any links, and they’re warning users to watch out for phishing and spam emails requesting personal information. LinkedIn have also said that they have disabled the affected passwords.
What’s all this about ‘salting’ and ‘hashing’?
LinkedIn have been criticised this week for having their users’ passwords hashed, but not salted. Hashing a password is a way of encrypting a password in case it gets into the wrong hands. LinkedIn were using an algorithm called Secure Hashing Algorithm 1 (or SHA-1), which uses a mathematical process to create a string of letters and numbers based on the original password. Like this:
Hash generated via Errata Security's website
However, it seems that LinkedIn's passwords weren't 'salted', meaning that it was possible to crack some of the more common passwords. This is done by hackers using dictionaries, collections of (precomputed) encrypted/hashed words or common passwords that make it easy to search for leaked hashes.
Salting is carried out by adding another string of characters to the password before it is hashed, so that hackers have more difficulty matching the encrypted (leaked) passwords against their prebuilt dictionaries. For instance, the resulting hash for the password "monkey" and "monkey-saltstring" would be different and hackers would need to know which salt was used, the position of the salt (the salt can be added on any fixed position, like saltstring-monkey, or m-saltstring-onkey, etc.) and then rebuild their dictionaries taking that into account.
Who's investigating the breach?
CNET reports that LinkedIn has contacted police about the security breach, while its possible that the Data Protection Commissioners here may also have a role in investigating the incident. The Irish Times has reported that because LinkedIn's operations base for outside the US is here in Ireland, the Irish Data Protection Commissioner's Office are now in contact with the company.
Meanwhile The Australian reports that Australia's privacy commissioner has asked the Data Protection Commissioner's Office to stay in touch with him. He's contacted his Irish counterpart and asked to be kept "in the loop".
Here's Google's guide to a strong password:
To embed this post, copy the code below on your site
have your say