
LinkedIn data breach has given me a password wake-up call

LinkedIn has been hacked, eHarmony has been hacked… When 8 million passwords from popular social networks were leaked, I thought it about time I took more care of my own passwords.

It’s easy to become jaded about online security. No matter how many times you’re told to use complex passwords, and not use the same ones everywhere, in practice it’s a hard thing to do.

But this week’s news that up to 8 million passwords from LinkedIn (the social network for professionals) and eHarmony (the popular online dating site) were leaked was yet another reminder of why such advice is absolutely right.

I ought to know better, but like thousands of other people, my approach to passwords is at best inconsistent, and at worst slipshod. I’m not totally reckless – my most important online accounts, such as PayPal, online shopping accounts, email and Facebook, have strong unique passwords. But I’m far from perfect. My LinkedIn password, which I’ve since changed, was my default ‘basic’ password for low priority accounts. It was the same password I’ve used on hundreds of websites for years now.

Not as secure as you think

That got me thinking – how many other accounts are out there with the same password? Most are harmless enough, but I’m certain out of sheer laziness I’ve used it to register an account or two on retail sites I used for just one purchase. I knew better at the time, but I thought ‘what harm could it do?’

The answer? Well consider research from Cambridge University that showed that the average password could be cracked in less than 1,000 attempts, the work of but a moment using the latest hacking technology.

I found this out to my cost a few years ago when my eBay account was hacked – it too was protected by the same password I used for LinkedIn. Thankfully the damage was limited to some fraudulent listings that were quickly removed, but it could have been worse had I not had the foresight to use a different password for my PayPal account.

How good are your passwords?

When we last discussed weak passwords on Which? Convo, many commenters said they use a password keeper like RoboForm to keep track of all their passwords. But unfortunately it looks like they might be more savvy than most.

The research I mentioned above found that despite efforts to encourage people to create better passwords, very few actually did. The report stops short of saying passwords aren’t good enough, but the logical inference is that people aren’t able or motivated enough to create and remember decent passwords. That is a fundamental problem, considering how reliant the internet is on them for security.

Do you, like me, have a ‘go to’ password that you use too much? Do leaks like this make you reconsider your choices, and have you been a victim of online account hacking? Share your thoughts in the comments.

Comments
Member
wavechange says:

I’m not going to worry until we start hearing regular reports about banks and financial services being hacked. I know my passwords are ‘strong’.

It is disappointing to hear that Linkedin has been hacked but I expected this to happen some time ago. I am glad I never registered.

It’s time we start thinking seriously about whether social networking sites and other free services are run responsibly. It’s not directly relevant but Facebook is considering allowing kids under 13 to register. Is that responsible? If I used Facebook (or similar services) I would assume that all my information would be available to everyone and my account would be hacked. How many more problems do we need to hear about before everyone wakes up?

Member
thelm says:

It is time to shift a duty of care on to websites that retain personal data – some of these issues have been caused by recklessness, mismanagement and sloppy practice, but rather than spending money on bolstering the security of their systems they seem more keen on insuring themselves against the consequences of hacks, attacks and data leaks (leaving users out in the cold generally).

You can have strong passwords, but if you download a trojan/virus/key logger due to a false sense of security provided by hacked info or a website, then it might mean absolutely nothing, with your only hope being your security software (if it’s good enough).

Member
wavechange says:

I agree. It is easy to discover whether large organisations like Google and Facebook have had security breaches but much more difficult to find out how careful smaller organisations handle security. A good record might mean good security or that no-one has bothered to attempt to defeat weak security.

I wonder how secure these password keeping services are. 🙂

Member
Chris says:
8 June 2012

I’ve not been too worried by passwords – I used strong ones on a few websites & the same one on all non-threatening sites. Eventually I couldn’t remember the strong ones – so now I use one of the online services that generate & store strong passwords based on a master – careful though: forget that one & you are very, very stuck. It takes a week or so to work out how they work if you are on websites daily, and yes, there is a bit of a learning curve – but compare that with the alternatives.

Member
thelm says:

On-line services and apps for handling passwords are useful, but the caveat is always the same – breaches in security in websites can cause much broader problems in which passwords can potentially be harvested irrespective of how securely they are formed. Attacks have been made on some security firms (e.g. Norton) and it might be just a matter of time before centralised password handling becomes a target. The sophistication of attacks is increasing markedly, but there doesn’t seem to be any onus on websites to do anything about beefing up their security until it’s too late. In the end it will probably take a set of key court cases and new laws being introduced to force new standards and duties of care on to companies before things improve.

Member
Optimistic says:
8 June 2012

If 5 million passwords were stolen – eventually someone may go through all of them and try them, then see if they work on that person’s other sites, but it’s not going to happen overnight, even with an army of hackers and sophisticated programs to bulk test accounts.

Change the LinkedIn password now, and you stand a good chance of being overlooked by the hackers !

Member
thelm says:

I think the phishing emails being sent out are possibly more of a concern.

Member
Dan says:
16 June 2012

Bear in mind, it’s unlikely the hackers will use real people to test the passwords. They can easily write software that does this automatically. They could potentially check hundreds of passwords and steal data very quickly.

Member
Clive says:
15 June 2012

This prompts me to ask – what is the best password programme?
Have these programmes ever been tested?

Member
Kevin says:
16 June 2012

There are quite a few good ones available. Probably the best cross-platform password manager is Last Pass. It also works on iOS and Android. It has been fully scrutinised by one of the world’s premier security experts – Steve Gibson of Gibson Research Corporation. He is the brains behind the Security Now podcast on the TWIT network.

Last pass did notice some unusual activity with one of their servers 2 years ago and asked everyone to change their main password. BUT if you had used a decent password then all the other passwords in the vault will have been safe because everything is truly encrypted and your master password is salted and hashed and only the result of this is stored. I have used Last pass for over a year now at Steve’s recommendation.

Member
Trevor says:
15 June 2012

I am now 78. I can still remember my old home and business telephone numbers and my National Service number and original Health Number. But having moved 3 years ago I cannot remember my new telephone number, struggle to remember my new postcode, and really do struggle with passwords. Unfortunately all these modern gismos are devised by young active minds to whom remembering current data is just a piece of cake – they have no knowledge or interest in the problems of older folk, and unfortunately the government has fallen into the same trap. We are expected to fill in all our forms on line, and it is to our disadvantage if we don’t. I can just about manage a simple password, but to ask me to create new, unique and stronger passwords for each function is totally unacceptable, unless I write it all down somewhere.

Member
thelm says:

Some security experts have suggested that it would be better to write it all down on paper (in an encoded form and kept in a secure place) rather than keep it digitally irrespective of how it’s encrypted. The main issue is constantly having to refer to the paper form and then having to re-enter passwords many times each time you log on.

Member
Martin says:
15 June 2012

There is a fundamental issue which needs to be addressed. In some cases your password is known only by you. In other cases the website knows your password. But the information as to whether your password is known or not is not provided. So using a ‘secure’ password can be compromised by discovering that the website provider can read your password. There needs to be a compulsory notice each time a password is requested as to whether this is known only by the applicant.
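Kevin’s comment above describes a master password that is “salted and hashed” with only the result stored, and Martin’s asks how a user can tell whether a site holds the password itself. The following is an added example, not code from Which? Conversation or from any password manager named in the thread, contrasting the two storage layouts. The user records, site names and KDF parameters (PBKDF2-HMAC-SHA256, 200,000 iterations, 16-byte salt) are constructed for illustration and are not any real site’s settings.

```python
"""Two ways a site can store a password: readable on the server, or only verifiable.

Added example for the Which? Conversation thread; records and parameters are
constructed assumptions, not a real site's or password manager's scheme.
"""
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example only.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def store_plaintext(password: str) -> dict:
    """Layout where the site 'knows your password': stored exactly as typed.
    A database dump of this layout exposes every password directly."""
    return {"scheme": "plaintext", "password": password}


def store_salted_hash(password: str, salt: Optional[bytes] = None) -> dict:
    """Layout where only a per-user salted, stretched hash is kept.

    A fresh random salt means two users with the same password get different
    stored values, so a dump does not reveal which users share a password, and
    a table precomputed for one salt is useless against any other record.
    """
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return {
        "scheme": "pbkdf2-sha256",
        "iterations": PBKDF2_ITERATIONS,
        "salt": salt.hex(),
        "hash": digest.hex(),
    }


def verify(record: dict, attempt: str) -> bool:
    """Check a login attempt against either layout, using a constant-time compare."""
    if record["scheme"] == "plaintext":
        return hmac.compare_digest(record["password"], attempt)
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        attempt.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def server_can_read_password(record: dict) -> bool:
    """Martin's question: does the site hold the password itself?"""
    return record["scheme"] == "plaintext"


def demo() -> dict:
    # Constructed credential: the same 'basic' password at two accounts,
    # as in the article's reused low-priority password.
    password = "basic-pass-2012"
    plain = store_plaintext(password)
    hashed_a = store_salted_hash(password)
    hashed_b = store_salted_hash(password)
    return {
        "plaintext_readable": server_can_read_password(plain),
        "hashed_readable": server_can_read_password(hashed_a),
        "same_password_same_hash": hashed_a["hash"] == hashed_b["hash"],
        "verify_ok": verify(hashed_a, password),
        "verify_wrong": verify(hashed_a, password + "!"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Both layouts let the site check a login, but only the first lets it (or anyone holding a copy of its database) read the password back, which is why reuse across sites is the risk the article describes: a plaintext leak from one low-priority site hands over the credential for every other account sharing it.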

Member
Jon E says:
15 June 2012

I have been using password managers for years now. I’m currently using 1Password for my Mac and still use LastPass which really is an excellent cross-platform free manager and secure password generator. The other advantage of LastPass is that they offer a free password analysis. Once you’ve entered all your passwords into your vault, LastPass will analyse them and tell you which ones are weak and which are being used on multiple sites. Using this system I have changed most of my duplicate passwords to unique ones (I say most: laziness prevents me from changing the others, but after the LinkedIn breach, I may just reanalyse and change the remaining duplicates/weak passwords).
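Jon E describes a vault analysis that flags weak passwords and ones reused on several sites. The following is an added example, not LastPass’s or 1Password’s own code, of the two checks such an audit performs: grouping entries by password to find reuse, and scoring each password by a rough charset-based entropy estimate plus a small common-password list. The vault entries, site names, the 60-bit threshold and the common-password list are constructed assumptions for illustration.

```python
"""Audit a password vault for reuse across sites and for weak passwords.

Added example for the Which? Conversation thread; not a password manager's
real analysis code. Vault entries and thresholds below are constructed.
"""
from collections import defaultdict
import math
import string

# Constructed sample vault: (site, password). Two sites share one password,
# mirroring the article's single 'basic' password used on many accounts.
SAMPLE_VAULT = [
    ("linkedin.example", "summer2012"),
    ("retail-shop.example", "summer2012"),
    ("mail.example", "G7#kq!vR2p^wZ"),
    ("bank.example", "x8$Qe!1mLz&4Vt"),
    ("forum.example", "password"),
]

# Tiny illustrative list; a real audit would use a far larger one (assumption).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "summer2012"}

# Assumed threshold below which a password is reported as weak.
MIN_ENTROPY_BITS = 60.0


def estimate_entropy_bits(password: str) -> float:
    """Rough strength estimate: length * log2(size of the character classes used).
    This overestimates dictionary-like passwords, hence the separate common list."""
    pools = [string.ascii_lowercase, string.ascii_uppercase,
             string.digits, string.punctuation]
    charset = sum(len(p) for p in pools if any(c in p for c in password))
    if charset == 0:
        return 0.0
    return len(password) * math.log2(charset)


def find_reused(vault) -> dict:
    """Map each password that appears on more than one site to those sites."""
    by_password = defaultdict(list)
    for site, pw in vault:
        by_password[pw].append(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


def find_weak(vault, min_bits: float = MIN_ENTROPY_BITS) -> dict:
    """Sites whose password is a common choice or falls below the entropy threshold."""
    weak = {}
    for site, pw in vault:
        reasons = []
        if pw.lower() in COMMON_PASSWORDS:
            reasons.append("common password")
        if estimate_entropy_bits(pw) < min_bits:
            reasons.append("low entropy")
        if reasons:
            weak[site] = reasons
    return weak


def report(vault) -> list:
    """Human-readable audit lines, without printing any password value."""
    lines = []
    for pw, sites in find_reused(vault).items():
        lines.append(f"reused on {len(sites)} sites: {', '.join(sorted(sites))}")
    for site, reasons in find_weak(vault).items():
        lines.append(f"weak at {site}: {', '.join(reasons)}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_VAULT):
        print(line)
```

The report names sites, not passwords, so the output can be shared or logged without leaking the very secrets being audited; the reuse check is the one that matters most after a breach like LinkedIn’s, since it lists exactly which other accounts a leaked password would unlock.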

Member
Tony Cross says:
15 June 2012

I use KeePass, current version 1.22, a free password manager where I can store, generate and use complex passwords. I have also recently started to use Lastpass, also free, and find this very effective as well. I will however continue to use Keepass as it can be used to store any password and is handy for banking as these sites are often difficult to use with Lastpass due to use of drop down boxes. The best system I have found for on line banking is Accountunity – also free. This can only be used with Internet Explorer but has the ability to log in to all of your bank accounts at once whilst keeping the passwords on your computer. Versions of this software are also offered by some banks such as Egg and First Direct but I prefer to stick with Accountunity. Maybe all this is over the top for some but it works well for me and I never lose a password.

Member
Dan says:
16 June 2012

In my opinion, forget about fancy techniques that supposedly help you create unique and rememberable passwords for each site. Password managers that generate passwords for you are the only way to go. You then only have to come up with a single good password. I use LastPass. It’s free and dead easy to use so there’s no excuse not to try it.

Member
Ian says:
16 June 2012

I suppose I’ll have to bite the bullet –

Member
my1login says:
30 July 2012

Jr.’Be careful what you pretend to be because you are what you pretend to be.