Hello, my name is Carl, and it has been 0 days since I was last pwned.

By Carl Windsor | May 25, 2016

There I said it.

Working in the security industry, it can sometimes be embarrassing to admit our failings, but in this case it is cathartic. I just received notification from the excellent HaveIBeenPwned service run by @TroyHunt that my LinkedIn password has been compromised. I am in good company, though. The accounts of 164 million others, including Troy himself, were hacked and leaked in 2012, and are just coming to light now. The problem was that LinkedIn stored the passwords unsalted using SHA1 hashes, meaning that reversing them is just a case of performing a lookup in a precomputed rainbow table. Salting the hashes (adding random data before calculating the password hashes) would have prevented this, and should be considered Security 101 for a service provider like LinkedIn. You might believe that you used a really secure, complicated password, with no dictionary words and a mix of numbers, letters and symbols, to protect your account, but the lack of salting combined with readily available rainbow tables undoes all your hard work.
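To make the salting point concrete, here is an added example (not code from the original post or from LinkedIn) that stores the same constructed password for two users, first as unsalted SHA-1 and then with a random per-user salt. The user names, passwords, guess list, and the choice of PBKDF2-HMAC-SHA256 as the salted hash are assumptions of the example.

```python
import hashlib
import hmac
import os

# Constructed sample data: two users who happen to pick the same password.
USERS = {"alice": "Tr0ub4dor&3", "bob": "Tr0ub4dor&3"}
CANDIDATES = ("Tr0ub4dor&3", "letmein")  # constructed guess list
ROUNDS = 200_000  # PBKDF2 work factor chosen for this example

def unsalted_sha1(password):
    """The storage scheme the post describes: plain SHA-1, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()

def salted_hash(password, salt=None):
    """Random per-user salt fed into PBKDF2-HMAC-SHA256.
    The slow KDF is this example's choice; the post only calls for salting."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)

def verify(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_hash(password, salt)[1], expected)

def demo():
    # Unsalted: one table, computed once ahead of time, matches every record.
    table = {unsalted_sha1(p): p for p in CANDIDATES}
    unsalted_db = {u: unsalted_sha1(p) for u, p in USERS.items()}
    # Salted: each record stores (salt, digest); equal passwords no longer collide.
    salted_db = {u: salted_hash(p) for u, p in USERS.items()}
    # A table built for alice's salt says nothing about bob's record.
    alice_salt = salted_db["alice"][0]
    alice_table = {salted_hash(p, alice_salt)[1]: p for p in CANDIDATES}
    return {
        "unsalted_hits": sorted(u for u, h in unsalted_db.items() if h in table),
        "alice_table_hits": sorted(u for u, (_, d) in salted_db.items() if d in alice_table),
        "same_unsalted": unsalted_db["alice"] == unsalted_db["bob"],
        "same_salted": salted_db["alice"][1] == salted_db["bob"][1],
        "verify_ok": verify("Tr0ub4dor&3", *salted_db["alice"]),
        "verify_bad": verify("letmein", *salted_db["alice"]),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The salt is stored next to the digest and is not secret; its job is to make every record a separate problem, so work done ahead of time or against one account does not carry over to the rest.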

But so what? Who cares if your LinkedIn password is compromised? Does it really matter? Unfortunately, the answer is yes. Password reuse between accounts has been seen to be between 12% and 49%, depending on the sites in question (1, 2, 3), and is one of the biggest issues in password security. The reason this matters so much is that we often forget the chain of trust that exists between web sites. For example, you might use the same password for Hotmail as you do on LinkedIn or some other compromised site, because you don’t really use Hotmail for anything important. But where is your banking/Apple/Google, etc. password reset sent? Hotmail? It is these sorts of forgotten links that any half-competent attacker will utilize to compromise your important accounts. So suddenly, protecting access to your email account with its own unique password seems pretty important.

The upshot of breaches like these is that you cannot trust anyone other than yourself to secure your passwords.  Here are my three tips for how you can start to clean up your online presence, and prevent the next website compromise from impacting your online life.

1. Stop using the same password across all sites

Use a federated ID, such as Google or Facebook, to authenticate where possible (and make sure you have implemented a strong password on that account). This reduces the number of passwords needed. Otherwise, use dedicated passwords for each login. This way, if any individual site is compromised, the collateral damage will be minimized.

2. Use strong passwords

Don’t use words you can look up in the dictionary, use more than 8 characters, and include uppercase, lowercase, numbers, and symbols.

You might be panicking right now about how to remember all of these complicated passwords. The answer is, don’t. It is impossible (I have 448 passwords). Find yourself a password manager and let it do the hard work of remembering. I have a personal favorite, but there are several others, both paid and free, that you can use. Password managers can auto-generate strong passwords and auto-enter them into web sites for you, leaving you only needing to remember one strong password to log into the password manager.

3. Enable multi-factor authentication whenever available.

Most online services, such as Google, Apple, Facebook, LinkedIn, and Hotmail, support some form of multi-factor authentication when a login from a new device or location is detected. This usually involves sending an SMS code to an authorized mobile device to prove you are who you claim to be. This prevents a compromised password from being exploited, because without the registered mobile device in their possession, attackers cannot prove their identity.

These three relatively simple steps will help to protect your online accounts, and prevent the next web site attack from making you a target across your entire online network of applications and services.

Lastly, just in case you do get caught up in the next breach, it is better to know about it so that you can take action quickly.  So click here to register your email address with HaveIBeenPwned today.

1. – 49% password reuse
2. Florêncio and Herley’s empirical study - about 12% password reuse
3. Gaw and Felten’s user survey - 20% reuse