
LinkedIn data breach has given me a password wake-up call

LinkedIn has been hacked, eHarmony has been hacked… When 8 million passwords from popular social networks were leaked, I thought it about time I took more care of my own passwords.

It’s easy to become jaded about online security. No matter how many times you’re told to use complex passwords, and not use the same ones everywhere, in practice it’s a hard thing to do.

But this week’s news that up to 8 million passwords from LinkedIn (the social network for professionals) and eHarmony (the popular online dating site) were leaked was yet another reminder of why such advice is absolutely right.

I ought to know better, but like thousands of other people, my approach to passwords is at best inconsistent, and at worst slipshod. I’m not totally reckless – my most important online accounts, such as PayPal, online shopping accounts, email and Facebook, have strong unique passwords. But I’m far from perfect. My LinkedIn password, which I’ve since changed, was my default ‘basic’ password for low priority accounts. It was the same password I’ve used on hundreds of websites for years now.

Not as secure as you think

That got me thinking – how many other accounts are out there with the same password? Most are harmless enough, but I’m certain out of sheer laziness I’ve used it to register an account or two on retail sites I used for just one purchase. I knew better at the time, but I thought ‘what harm could it do?’

The answer? Well, consider research from Cambridge University that showed that the average password could be cracked in fewer than 1,000 attempts, the work of but a moment using the latest hacking technology.

I found this out to my cost a few years ago when my eBay account was hacked – it too was protected by the same password I used for LinkedIn. Thankfully the damage was limited to some fraudulent listings that were quickly removed, but it could have been worse had I not had the foresight to use a different password for my PayPal account.

How good are your passwords?

When we last discussed weak passwords on Which? Convo, many commenters said they use a password keeper like RoboForm to keep track of all their passwords. But unfortunately it looks like they might be more savvy than most.

The research I mentioned above found that, despite efforts to encourage people to create better passwords, very few actually did. The report stops short of saying passwords aren’t good enough, but the logical inference is that people aren’t able or motivated enough to create and remember decent passwords. That is a fundamental problem, considering how reliant the internet is on passwords for security.

Do you, like me, have a ‘go to’ password that you use too much? Do leaks like this make you reconsider your choices, and have you been a victim of online account hacking? Share your thoughts in the comments.

Comments
Member

I’m not going to worry until we start hearing regular reports about banks and financial services being hacked. I know my passwords are ‘strong’.

It is disappointing to hear that Linkedin has been hacked but I expected this to happen some time ago. I am glad I never registered.

It’s time we start thinking seriously about whether social networking sites and other free services are run responsibly. It’s not directly relevant but Facebook is considering allowing kids under 13 to register. Is that responsible? If I used Facebook (or similar services) I would assume that all my information would be available to everyone and my account would be hacked. How many more problems do we need to hear about before everyone wakes up?

Member

It is time to shift a duty of care on to websites that retain personal data – some of these issues have been caused by recklessness, mismanagement and sloppy practice, but rather than spending money on bolstering the security of their systems they seem more keen on insuring themselves against the consequences of hacks, attacks and data leaks (leaving users out in the cold generally).

You can have strong passwords, but download a trojan/virus/key logger due to a false sense of security provided by hacked info or a website, then it might mean absolutely nothing, with your only hope being your security software (if it’s good enough).

Member

I agree. It is easy to discover whether large organisations like Google and Facebook have had security breaches but much more difficult to find out how carefully smaller organisations handle security. A good record might mean good security or that no-one has bothered to attempt to defeat weak security.

I wonder how secure these password keeping services are. 🙂

Member
Chris says:
8 June 2012

I’ve not been too worried by passwords – I used strong ones on a few websites & the same one on all non-threatening sites. Eventually I couldn’t remember the strong ones – so now I use one of the online services that generate & store strong passwords based on a master – careful though: forget that one & you are very, very stuck. It takes a week or so to work out how they work if you are on websites daily, and yes, there is a bit of a learning curve – but compare that with the alternatives.

Member

On-line services and apps for handling passwords are useful, but the caveat is always the same – breaches in security in websites can cause much broader problems in which passwords can potentially be harvested irrespective of how securely they are formed. Attacks have been made on some security firms (e.g. Norton) and it might be just a matter of time before centralised password handling becomes a target. The sophistication of attacks is increasing markedly, but there doesn’t seem to be any onus on websites to do anything about beefing up their security until it’s too late. In the end it will probably take a set of key court cases and new laws being introduced to force new standards and duties of care on to companies before things improve.

Member
Optimistic says:
8 June 2012

If 5 million passwords were stolen – eventually someone may go through all of them and try them, then see if they work on that person’s other sites, but it’s not going to happen overnight, even with an army of hackers and sophisticated programs to bulk test accounts.

Change the LinkedIn password now, and you stand a good chance of being overlooked by the hackers!

Member

I think the phishing emails being sent out are possibly more of a concern.

Member
Dan says:
16 June 2012

Bear in mind, it’s unlikely the hackers will use real people to test the passwords. They can easily write software that does this automatically. They could potentially check hundreds of passwords and steal data very quickly.