2012-06-06

Why I am not immediately changing my LinkedIn password

So supposedly LinkedIn has had a massive breach, and somewhere between 2 and 6 million password hashes have been harvested from one of its systems. While this is bad, and most people watching it are urging users to go change their LinkedIn passwords, I am waiting and will probably close my account if the problem is confirmed.

  1. There is no indication that the hacker is "out" of LinkedIn at the moment, so any passwords being changed right now could end up going to the hackers again. Add to that the fact that the most likely password a person will pick is one they already use elsewhere, and the hackers end up with a much larger set to use.
  2. The password hashes are stored as unsalted SHA-1. This is criminally poor judgement on the part of whoever implemented this piece of the password system. SHA-1 is a very, very fast hash to match passwords against: even 5-year-old hardware can work through a terabyte dictionary in a day or so, even with millions of hashes to check against. So most passwords shorter than 8 characters are going to be found within months, and longer passwords that are easily derived via "rulesets" will be found in a similar timeframe.
If passwords are being stored in this format, then how are credit cards and other data being stored? That is the main "kicker" to me, and why I would be very concerned about information stored there. I would also be wary of any "LinkedIn invites" for a bit: who is the person sending them, and are they really that person, or a hacker using their identity to see what they can social engineer out of you?
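To make point 2 concrete, here is a small added example (my own illustration, not code from LinkedIn or from anything in this post) of why unsalted SHA-1 is the wrong tool and what a sane scheme looks like. The user table is constructed; the names and the `123LinkedInQ@$` password are just sample values. With unsalted SHA-1, two users who share a password produce the same hash, so one dictionary pass can be checked against every hash at once, and a single hit unlocks everyone in that group. With a random per-user salt and a deliberately slow iterated hash (PBKDF2 from Python's standard library here), identical passwords hash differently and each guess has to be paid for per user.

```python
import hashlib
import hmac
import os

# Constructed sample user table for illustration only: alice and bob reuse a password.
SAMPLE_USERS = [
    ("alice", "123LinkedInQ@$"),
    ("bob", "123LinkedInQ@$"),
    ("carol", "correct horse battery"),
]


def unsalted_sha1(password: str) -> str:
    """The scheme criticized above: one fast SHA-1 over the bare password, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_pbkdf2(password: str, salt: bytes, iterations: int) -> bytes:
    """A salted, iterated hash: cost is paid once per user per guess, not once per dictionary."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def store_unsalted(users):
    """Build a {user: sha1hex} table the way the breached system apparently did."""
    return {name: unsalted_sha1(pw) for name, pw in users}


def store_salted(users, iterations=100_000):
    """Build a {user: (salt, iterations, digest)} table with a fresh 16-byte salt per user."""
    table = {}
    for name, pw in users:
        salt = os.urandom(16)
        table[name] = (salt, iterations, salted_pbkdf2(pw, salt, iterations))
    return table


def verify_salted(table, name: str, candidate: str) -> bool:
    """Check a login attempt against the salted table using a constant-time compare."""
    salt, iterations, digest = table[name]
    return hmac.compare_digest(digest, salted_pbkdf2(candidate, salt, iterations))


def shared_hash_groups(unsalted_table):
    """Users whose stored hashes are identical.

    With unsalted hashes this is visible to anyone holding the dump, and it is why
    one dictionary hit on a common password cracks every account that uses it.
    """
    groups = {}
    for name, digest in unsalted_table.items():
        groups.setdefault(digest, []).append(name)
    return sorted(sorted(names) for names in groups.values() if len(names) > 1)


def salted_hashes_all_distinct(salted_table) -> bool:
    """With per-user salts, even reused passwords produce distinct digests."""
    digests = [digest for (_salt, _iters, digest) in salted_table.values()]
    return len(set(digests)) == len(digests)


if __name__ == "__main__":
    weak = store_unsalted(SAMPLE_USERS)
    print("unsalted SHA-1 groups with identical hashes:", shared_hash_groups(weak))
    strong = store_salted(SAMPLE_USERS)
    print("salted digests all distinct:", salted_hashes_all_distinct(strong))
    print("alice logs in:", verify_salted(strong, "alice", "123LinkedInQ@$"))
```

The iteration count is the knob that makes the attacker's terabyte dictionary expensive; the salt is what stops one precomputed table from serving millions of hashes at once. Both are missing from a bare SHA-1 scheme.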

The passwords being found in this set look very corporate in how they are set up. People were using "good" password rules: mixing uppercase, punctuation, lowercase, numbers, longer than 10 characters, etc. These are probably the ones most likely to be reused elsewhere.

If you used your LinkedIn password anywhere else, or you use a similar pattern (say your password was 123LinkedInQ@$ and you use that pattern elsewhere, so your Fedora password was 123FedoraQ@$), please change your password at those other locations, and please, please use a different pattern.
