7.6.12

LinkedIn password fiasco: What you need to do NOW to keep yourself safe online

So if you've been monitoring the news, you will have heard that some LinkedIn passwords have been compromised (6.5 million passwords, to be exact). Hackers posted a file containing the hashed passwords to a Russian web forum and invited the hacking community to help crack them. The file containing the passwords is now widely available.

LinkedIn has said that the leaked passwords will no longer be valid. Members would receive an email with instructions on how to reset them, the company said. Users would then receive a second email with further details about why the change was necessary.

However, this does not mean you are safe. Not at all.

Two things:

  1. If you haven't done so already, change your LinkedIn password RIGHT NOW.
  2. Some websites, including CIO.com, are offering you the chance to see if your password has been compromised. DO NOT USE ANY OF THESE tools. I will explain why later (at the end of the experiment section). Don't bother to check, just go ahead and change that password anyway.

Last year, when the Sony Playstation Network was hacked in similar circumstances, still-unknown criminals obtained passwords and credit card information for all users on the service, including me. Now the problem I had was that ALL my passwords were pretty much the same. So whoever had this data had my email address, and the password to get in if they knew what they were doing. To date, no one has reported a compromise based on this attack. But at the time, I decided to look into getting my online credentials across the internet in order. So anyone who is in a similar situation with this LinkedIn attack might want to do the same. I'll outline what you can do later, but first of all, what information do the hackers actually have?

Do they actually have your password? - An experiment.


What the hackers have is actually a hashed copy of your password. LinkedIn uses SHA1 to hash its passwords; most sites use MD5, SHA1 or SHA-256. So what the hackers actually have is a 'hash' of your password, generated using the SHA1 algorithm.

This website reckons that it will take 1 × 10^66 years to crack a 6-character password hashed with SHA1. However, that works on the assumption that you are trying 700,000,000 different passwords per second. This program, which is free to download, can try 2,300,000,000 different passwords a second, so it will take 3 × 10^65 years: about a third of the time. What about a hacker with access to powerful computers and a more sophisticated program? You'll have to ask them.

But this is just a brute force attack. Why use this when the owner of the password may have already inadvertently done the work for you, or at least made it easier? Or what if the brute force attack is intelligent and tries out 'common' passwords first?

Worst case scenario, what if you're using a simple English password? Let's say your password is 'password' or 'letmein'. How easy are these to crack if you have the hash values?


password is converted to "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8"
letmein is converted to  "b7a875fc1ea228b9061041b7cec4bd3c52ab3ce3"

So let's do something simple. Google the hash values.

For password, the first few results are linked to 'experiments' just like the one I'm doing. And it's clear, the password is 'password'.

And for the second one, the results also show the password is 'letmein'.  For me, the second result linked to www.hackforums.com, I wonder what they do there.

There are also reverse SHA1 databases online, so anyone can check a hash against previously hashed values.

Again, imagine you're a hacker, someone who does this for a living. What if they have even better ways to look up even more advanced password hash values?

The results of this experiment are clear. You need to change your password to A STRONG password, one which isn't an English word, preferably with a mix of upper and lower case, and possibly some numbers and/or special characters. That way, if hackers get hold of your password hash, they won't be able to crack it easily, and will just move on to other, simpler passwords. Let someone else be the SUCKER!
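The experiment above, as an added example (not code from the original post): it builds the kind of hash-to-word lookup table the reverse SHA1 databases hold, recovers the two hashes quoted in the post from it, and offers a self-check that flags any password whose unsalted SHA-1 is already in such a table. The word list and the third hash are constructed for the example.

```python
import hashlib

# Constructed stand-in for a "common passwords" word list.
# A real one has millions of entries, which is exactly the problem.
COMMON_WORDS = ["123456", "password", "letmein", "qwerty", "welcome", "monkey"]


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 of a password, as the post describes LinkedIn storing them."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# The two SHA-1 values quoted in the post, plus one constructed hash of a
# password that is not a dictionary word, to show the other side of the coin.
SAMPLE_HASHES = [
    "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",  # from the post: 'password'
    "b7a875fc1ea228b9061041b7cec4bd3c52ab3ce3",  # from the post: 'letmein'
    sha1_hex("cQ7#vLp9!wZe2"),                   # constructed, not in the list
]


def build_lookup_table(words):
    """Precompute hash -> word once. This is what a reverse SHA1 database is:
    the work is done before any leak happens, so a lookup is instant."""
    return {sha1_hex(w): w for w in words}


def recover_passwords(hashes, table):
    """Map each leaked hash to its plaintext if the table knows it, else None."""
    return {h: table.get(h) for h in hashes}


def is_weak(password, table):
    """Self-check: a password whose unsalted hash is already in a lookup table
    is recoverable instantly, no brute force needed."""
    return sha1_hex(password) in table


if __name__ == "__main__":
    table = build_lookup_table(COMMON_WORDS)
    for h, plain in recover_passwords(SAMPLE_HASHES, table).items():
        print(h, "->", plain if plain else "(not in table)")
```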

So why do I say you shouldn't check whether your password is in the hash list made available today using any of the tools/sites being publicised (including the one I used above)? Well, some of these sites keep a record of all hashes calculated. So by using them, you have given someone the hash of your password. One question: who owns the site? Do you trust them? What if, just what if, the site was owned by a hacker? Think about it.

So what next? What I did


So, as I mentioned. Last year, my password was out there. And it was a very simple English word. And I was using the same password (or a variant of it) across a plethora of websites.

The first thing was to use a secure password. The second was to use a different password across the entire internet. Not an easy task. How do you remember all these passwords? Some people have come up with all sorts of systems. I decided to use a password manager.

I switched to LastPass, a free password manager. Once you install LastPass, it collects all the passwords currently saved in your browser, and you can check which of them are not secure. You can replace these with secure passwords that LastPass generates for you. If you have LastPass installed on every computer you use, it syncs your data across all of them, and a copy is also kept online. All of this is encrypted; even LastPass cannot access your data. All you have to do is remember one master password.

And before you say it, I know LastPass was possibly hacked last year as well, and the hackers got hold of people's master passwords.

What I do is use LastPass with multifactor authentication. Google Authenticator (see below) works with LastPass and Gmail accounts. This means that if you log onto a PC for the first time and try to use LastPass, it will require you to enter a code you can only get on your phone. So the hacker needs your phone as well as your password in order to access your account. This extra layer of security is invaluable.

I'll explain how Google Authenticator works with Gmail, and then you can check how to use it with LastPass here.

Multifactor Authentication - Google does it best


Google has a little known feature called 2-step verification, which adds a layer of security to your Gmail login. The video above explains how it works.

If you are logging in from a computer that hasn't been 'trusted', you will need a code which is sent to your phone by SMS, voice message or a mobile app (apps are available for iPhone/iPod touch, Android and Blackberry). Once you 'trust' a computer, you won't need to enter another code for 30 days. And if you use an application such as Outlook or iPhone Mail, you can generate an application-specific password, which gives that application access to your account without asking you to keep verifying. (However, I found that the Google+ iPhone app didn't use this, and kept asking for verification. This was so annoying that I no longer use the app, or Google+ for that matter, but I digress....)

The key thing here is that even if a hacker gets hold of your password and your username, if they don't have your phone, they can't access your account.

While this sounds like a lot of technical information, and sounds like it will be a nightmare to set up, it really isn't. All the information you need to set it up is here.

And like I said, once you have it up and running, LastPass can work with Google Authenticator.

In conclusion


There are bad guys out there, and if you're not careful, they will compromise your accounts. I've lost count of all the compromised Facebook accounts sending me all sorts of SPAM. Or email accounts, sending me all sorts of rubbish. You need to be proactive and protect yourself online. Prevention is better than cure.

And LastPass is not the only password manager out there. Another good one is 1Password.
