by a Thinker, Sailor, Blogger, Irreverent Guy from Madras

Change your LinkedIn Password now


If you’re a little behind on the security front, the latest hottest breach is the security poop-up at LinkedIn.  A Russian hacker claims to have hacked almost 6.5 million account details of LinkedIn users and uploaded them online.

Hackers have been working on the exposed password hashes and there is fear that 60% of the passwords have already been cracked - they are public.  LinkedIn has also confirmed this.

Thankfully, the details of which password belongs to which account haven’t been published.  But if 60% of the passwords, almost 3.5 million, are already known, how long would it be before a specific LinkedIn account is tagged with a specific password?  So what should we do?

LinkedIn, in the blog post referred to above, has stated that the accounts whose passwords have been breached have been reset - their old passwords will no longer work.  The owners will be contacted by email to reset their password.  But don’t wait for LinkedIn.

Do what I have already done.  Log into LinkedIn and change your password immediately.

To change your LinkedIn password:
  1. Login to your LinkedIn account
  2. Click on your name on the top right of the page.
  3. Click "Settings"
  4. Choose the "Password change" option and follow the instructions

Which brings up the question: what if the ‘exploit’ is still open and this ‘second’ password is also copied and published?  The answer is that LinkedIn is employing a better technique (in effect closing a security loophole) to store your password.  No need to get technical, but it is something called salting.  In effect, this new password should be safe.
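As an added illustration (not from the post or from LinkedIn), here is what salting buys, in Python: the weak unsalted scheme, where one precomputed table matches every database and two users with the same password share a digest, beside a per-user salted and stretched scheme (PBKDF2, which goes one step beyond plain salting).  The users, passwords and word list are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample users; the passwords deliberately mirror the post's examples.
USERS = {"alice": "stake mouse", "bob": "stake mouse", "carol": "coco blink66"}

def unsalted_sha1(password: str) -> str:
    """The weak scheme: one plain SHA-1 digest per password, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()

def precompute_table(wordlist):
    """digest -> word; built once, it applies to every unsalted database."""
    return {unsalted_sha1(w): w for w in wordlist}

def recover_unsalted(stored, table):
    """Look up stored unsalted digests in the table. Returns {user: password}."""
    return {u: table[h] for u, h in stored.items() if h in table}

def salted_hash(password: str, salt: bytes, rounds: int = 100_000) -> bytes:
    """Salted and stretched hash (PBKDF2-HMAC-SHA256); the salt is stored beside it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)

def store_salted(password: str) -> tuple:
    salt = os.urandom(16)  # fresh random salt for every user
    return salt, salted_hash(password, salt)

def verify_salted(password: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(salted_hash(password, salt), digest)

def demo():
    wordlist = ["password", "stake mouse", "coco blink66", "123456"]  # constructed
    table = precompute_table(wordlist)
    unsalted_db = {u: unsalted_sha1(p) for u, p in USERS.items()}
    recovered = recover_unsalted(unsalted_db, table)
    # Same password, same digest: one table hit exposes both alice and bob.
    same_digest = unsalted_db["alice"] == unsalted_db["bob"]

    salted_db = {u: store_salted(p) for u, p in USERS.items()}
    # Salted: alice and bob no longer share a digest, and the table finds nothing.
    distinct = salted_db["alice"][1] != salted_db["bob"][1]
    table_hits = sum(1 for _, d in salted_db.values() if d.hex() in table)
    ok = verify_salted("stake mouse", *salted_db["alice"])
    bad = verify_salted("mouse stake", *salted_db["alice"])
    return recovered, same_digest, distinct, table_hits, ok, bad

if __name__ == "__main__":
    print(demo())
```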

As long as we are on the subject of passwords and breaches, here are a few words of advice, based on my experience:
  • Don’t use familiar phrases or dates (birth/anniversary) or names (children, spouse) in/as the passwords - it is worth repeating this most basic of security rules.
  • Don’t use the same password for many services.  I know people who have 1 or 2 passwords which they repeat when they log into their Windows PC, ISP login, Wii, etc.
    • For example, let us take the words ‘steak house’ or ‘choco milk’.  They are easy to remember, especially if you don’t like steak, chocolate or milk, or are forbidden from enjoying them for health reasons.
      • ;-)
    • Thankfully, they don’t use those words as such, but use a near-sounding equivalent.  Something like ‘stake mouse’ or ‘coco blink’.  Apart from the problem that they are regular words, their mistake is compounded when they resort to a combo of the same words - it is either ‘stake mouse’ or ‘mouse stake’ everywhere.
      • :-P
    • Oh, in case the site insists on the password being ‘alpha numeric’, they tend to add a standard number like ‘66’ or ‘2012’.
  • Don’t use the same password across many sites either, like Twitter, Gmail, LinkedIn, and banking sites.  I mean, is your Twitter account as important as your Gmail or your bank account?
  • Don’t use standard English words.  Here it helps if you have an ‘additional’ language.  Let me tell you a secret - my own passwords are a combination of 2 or 3 different languages - and English is *not* one of them.  For example, I might (not that I do) have a password for my Gmail account such as budiyaschwanger - which is ‘budiya’ in Hindi and ‘schwanger’ in German.  It is also easy to remember - old woman-pregnant.
    • :-D
  • Using substitute characters is not necessarily safe - just substituting $ for S or zero for O doesn’t make the password safe - it is easy to guess, especially for a machine.
  • Using a machine-generated password which is difficult to remember, like J4fs<2, is also not necessarily safe - there is a fantastic write-up on using passwords versus pass phrases by Thomas Baekdal [http://www.baekdal.com/insights/password-security-usability].  It is a must read.

Here is a take on the issue of passwords by XKCD.

[XKCD comic: Password Strength]

So go ahead and make up your own bunch of passwords (pass phrases), change your LinkedIn password and that of every service and site you use.
Cheers!
