Summary
I just changed my LinkedIn password and here is why. Word came out this morning that a large number of LinkedIn accounts had passwords leaked to the internet. If you use LinkedIn please change your password for that service today. If you use the same password on any other online accounts change the password there as well. Your reputation is at stake!
Details
According to this report on ZDNet 6.4 million user passwords – out of approximately 150 million total users – have been leaked to the web in encrypted form. Please note that the encryption can be and is being cracked as I type. The simpler the password the faster it will be decrypted.
- If the password is in a dictionary consider it already decrypted
- If the password is a dictionary word but spelled backward consider it already decrypted
- If the password is a dictionary word with one or two numbers at the beginning or end then it has probably been decrypted
Suggested Action
Password management is a miserable fact of today’s connected life. My personal password rules are as follows:
Where a website will let me I like to use a nonsensical English language phrase composed only of lower case letters. There are only three stipulations:
- Must be composed of at least 4 different words
- Length must be at least 16 characters (mine are usually longer)
- The phrase must not be found in any quotes or books (i.e. it is not searchable)
Example: myleftfootisnotright
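The three "consider it already decrypted" rules above and the three passphrase stipulations can both be turned into a simple self-audit. The following is an added example (not the author's code or anything LinkedIn ships): it uses a small constructed word list as a stand-in for a real dictionary, flags passwords that are a dictionary word, a reversed dictionary word, or a dictionary word with one or two digits at either end, and checks a candidate passphrase for the lower-case, 16-character and four-distinct-words rules. The "not found in any quote or book" stipulation needs an external search and is deliberately left out.

```python
"""Password self-audit following the rules in this post.

Added example, not the post author's code. WORDS is a constructed
miniature dictionary; a real audit would load a full word list.
"""
import re

# Constructed stand-in for a dictionary (assumption: a real check uses a
# full word list of tens of thousands of entries).
WORDS = {
    "my", "left", "foot", "is", "not", "right", "password", "welcome",
    "summer", "linkedin", "hello", "dragon", "monkey", "letmein", "bright",
}
MAX_WORD = max(len(w) for w in WORDS)


def weak_reason(password: str):
    """Return which of the post's three rules marks the password as
    'already decrypted', or None if none of them applies."""
    p = password.lower()
    if p in WORDS:
        return "dictionary word"
    if p[::-1] in WORDS:
        return "dictionary word spelled backward"
    # Optional one or two digits at the start and/or end of a dictionary word.
    m = re.fullmatch(r"(\d{1,2})?([a-z]+)(\d{1,2})?", p)
    if m and m.group(2) in WORDS and (m.group(1) or m.group(3)):
        return "dictionary word with one or two digits at the beginning or end"
    return None


def segment(phrase: str):
    """Split a lower-case phrase into the fewest dictionary words possible
    (dynamic programming). Returns the word list, or None if the phrase
    cannot be segmented with the constructed dictionary."""
    n = len(phrase)
    best = [None] * (n + 1)
    best[0] = []
    for i in range(1, n + 1):
        for j in range(max(0, i - MAX_WORD), i):
            if best[j] is not None and phrase[j:i] in WORDS:
                cand = best[j] + [phrase[j:i]]
                if best[i] is None or len(cand) < len(best[i]):
                    best[i] = cand
    return best[n]


def passphrase_check(phrase: str):
    """Apply the post's three passphrase stipulations and return the list
    of violated rules (empty list means the phrase passes). The 'not in any
    quote or book' rule cannot be checked offline and is not covered."""
    problems = []
    if not re.fullmatch(r"[a-z]+", phrase):
        problems.append("must be lower case letters only")
    if len(phrase) < 16:
        problems.append("must be at least 16 characters")
    words = segment(phrase.lower()) if phrase.isalpha() else None
    if words is None or len(set(words)) < 4:
        problems.append("must be composed of at least 4 different words")
    return problems


if __name__ == "__main__":
    for pw in ["password", "drowssap", "Welcome12", "myleftfootisnotright"]:
        print(f"{pw!r}: {weak_reason(pw) or 'not caught by the three rules'}")
    for phrase in ["myleftfootisnotright", "myfootmyfoot", "MyLeftFootIsNotRight"]:
        print(f"{phrase!r}: {passphrase_check(phrase) or 'passes'}")
```

Note that passing these checks says nothing about a password that appears in a leaked list or in an attacker's rule set beyond the three patterns the post names; the check is a floor, not a guarantee, which is why the post still recommends unique passwords per account.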
My rationale is that phrases such as this are easier to remember and easier to transcribe than something like this: hY39&)Ikl
Passwords like the latter example are difficult to use for two reasons. First, just glancing at it, can you easily tell that the last character is a lower case “L” while the third from last is an upper case “I”? Second, if you are entering it on a mobile device you may need to switch the virtual keyboard several times between lower case, upper case, numeric and symbol entry, all of which greatly slows down the process of logging into the site.
Other rules for password management:
- Never ever use the same password for your e-mail account as you use for ANY other web account
- All e-mail accounts MUST have unique passwords
- All financial accounts must have unique passwords
- All accounts that, if compromised, could be used to affect your reputation (LinkedIn, Facebook, etc.) should have unique passwords and definitely not share them with other types of web sites
- If you need to reuse passwords amongst other sites make sure you stratify the sites (e.g. online shopping, journal subscriptions, hobbies, online forums, etc.)
- If you do reuse passwords keep track of which sites have common passwords. It is almost a certainty that at some point you will need to change these passwords due to a security breach at one of them.
In an ideal world you would have long, complex and unique passwords for every web site and online account. The only way that can be accomplished for most mortals is through the use of a password manager installed on each computer and device you use. There are several available that work on most platforms (Windows, Mac, iPhone, Android) and integrate into most web browsers. We use both LastPass and SplashID, although I can no longer wholly endorse the latter. LastPass is a secure web service that allows you to synchronize passwords amongst all devices and browsers, making the use of unique passwords for each account relatively easy. LastPass is free for use on computers only and $1/month if you wish to use it on a mobile device as well.
Other well regarded password managers you can consider are: 1Password, KeePass & RoboForm.
In any event your most important task today may well be changing your LinkedIn password as well as changing the password for any other sites that use the same password.