Jun. 6th, 2012

jducoeur: (Default)
I just sent this around at work, but it could probably use a signal-boost here as well:

http://arstechnica.com/security/2012/06/8-million-leaked-passwords-connected-to-linkedin/

Summary: it appears that LinkedIn got hacked, and ~8 million passwords were stolen. (This is not confirmed, but seems to be the consensus in the security community.)

Now before anybody panics, that’s far from all of them: it’s a small subset of LinkedIn’s DB. And they were stolen in hashed form: LinkedIn wasn’t so incompetent as to store them in plaintext.

That said, their security was apparently weak, and the hashes are relatively weak and crackable: determined hackers are blowing through the easy ones quickly, and are making their way through the rest. And the 8 million that were posted may just be a subset of what was stolen.

So: if you have a LinkedIn account, change your password *now*. If you use the same password on other sites, it would be advisable to change it there as well: a cracked LinkedIn password comes attached to a real name and an email address, and trying that same combination at other sites is the obvious next step for an attacker.
jducoeur: (Default)
In reference to my posting from a few minutes ago, it seems like a good time to put in another plug for my password tool of choice.

The truth is, if the LinkedIn crack had happened a few years ago, I would have been in non-trivial trouble: turns out that my password (now changed, of course) was one that I'd used at a lot of sites. It was consciously my "yeah, whatever" low-security password that I was using for sites that I didn't think were terribly important -- but some of those sites have become more important to me over time.

But the nice thing about LastPass is the way it has changed my habits. It doesn't just keep all of my passwords in a nicely secure locker (hidden behind one mnemonic-to-me but *really* hard to guess password); it also integrates so well with my browsers that it's really easy to *always* use secure passwords. When confronted by a new site, it offers to generate a reasonably high-security random password, and then creates a new record to keep track of that password afterwards.

The result, yes, is that I don't actually *know* most of my passwords. But I don't need to, so long as I have either *some* kind of Internet access, or a machine that has my password locker and LastPass loaded onto it -- which is very nearly all the time. And it means that no two sites have the same password, so even if one site is compromised, the rest of my online identity is still decently safe.

This is an unpaid plug: my only connection to LastPass is as a customer who wants to see the company safe and secure, because they are providing me with an invaluable service. And frankly, at only $12/year for the "premium" service, I consider it well worthwhile to subscribe at that level, even though the free basic service provides most of the important features. IMO it's one of the best bangs for the buck that you can find on the Internet today, and I encourage you to check it out...
jducoeur: (Default)
Passwords seem to be today's topic. By pure coincidence, I just came across this article, from the Economist a couple of months ago, on the subject of how people pick passwords. It brings up the topic of so-called "mnemonic passwords".

I first came across these when I got to Memento a few years ago. My colleague Bob was setting me up on various systems, and set one of them up with a strange-looking password: it looked like there was something to it, but it was kind of a jumble. When I went to him and asked about it, he explained that it was a somewhat hacked acronym of a particular line from a particular poem -- suddenly, the password was completely transparent to me, easy to remember despite being cryptic and at least *somewhat* secure.

I've used those a lot since then; indeed, it's become my go-to technique for those relatively rare cases where I need a password that I actually have to *remember*. (As opposed to a generated LastPass password.) But it occurred to me early on, and has been confirmed in a number of security articles, that these things aren't a panacea. In particular, if all you do is take the acronym of the first line of a well-known song or poem, it's not really all that secure: a smart dictionary attack just needs a database of major songs and poems (and really, that database isn't *that* large), runs the obvious acronymizing rules over it, and still comes up with some very good guesses.

That said, the technique still works well -- you just have to step it up a bit by injecting a little bit of random whimsy into it.

For instance, let's take one of my old passwords: "1234,CIhalittleM?" This is, of course, a famous Beatles line: "One, two, three, four: can I have a little more?" It's a good candidate for this technique: doing it in the obvious way would give you "1234cIhalm?", and that has all the elements of a good password: a decent length, a mix of numbers, letters and symbols, and not a word in any dictionary. But it could still be cracked, precisely because it *is* the obvious transformation of the line: that reduces the search space to a manageable size.

But by tweaking it with a little bit of randomness -- injecting that comma between the phrases, capitalizing the M and spelling out "little" -- the password becomes *much* more secure. Since each possible line has many possible "whimsies" in it, using a few of them increases the difficulty of the password by a fairly big multiplier. It's not impossible to crack (especially if, say, you were known to always use Beatles-based passwords), but it becomes hard enough to usually not be worth it.

So I recommend this approach, of using a mnemonic based on song or story: it works well if used right, and can produce passwords that are fairly easy to remember but hard to crack. But don't generally use the first line or the title, choose a more-obscure song if possible, and always toss in at least one inconsistent detail: a word or number spelled out, a symbol used somewhere odd, a strangely-chosen capital letter, and so on. Just a few of these tweaks can change a password from Okay to Solid...
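The two posts above make two claims that are easy to check in code: that a fast, unsalted hash lets an attacker try guesses cheaply against every leaked account at once (and then walk the cracked passwords over to other sites), and that the "obvious" acronym of a well-known line is one of those cheap guesses while a few whimsical tweaks push it out of reach. The script below is an added example, not code from the original posts. It assumes unsalted SHA-1 as the weak hash (an assumption for the example, not something either post states), and every hash, wordlist entry and song line in it is constructed for the demonstration.

```python
"""Added example: dictionary attack on a fast unsalted hash, 'obvious'
acronymisation of well-known lines, and the size of the tweak space.
Assumption: passwords were stored as unsalted SHA-1.  All hashes, song
lines and wordlist entries below are constructed for the example."""
import hashlib
import math
import re

NUMBER_WORDS = {"one": "1", "two": "2", "three": "3", "four": "4", "five": "5",
                "six": "6", "seven": "7", "eight": "8", "nine": "9", "ten": "10"}

BEATLES_LINE = "One, two, three, four: can I have a little more?"

# Constructed corpus of well-known lines an attacker would feed the generator.
SONG_LINES = [
    BEATLES_LINE,
    "Shall I compare thee to a summer's day?",
    "Twinkle, twinkle, little star, how I wonder what you are!",
]

# Constructed "leaked" password set for the breached site.
LEAKED_PASSWORDS = ["password1", "1234cIhalm?", "1234,CIhalittleM?"]


def sha1_hex(password):
    """Assumed storage form: unsalted SHA-1.  No salt means one hash per guess
    covers every user who chose that password, and the work is never repeated."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


LEAKED_HASHES = {sha1_hex(p) for p in LEAKED_PASSWORDS}

# Constructed wordlist of common passwords.
WORDLIST = ["123456", "password", "password1", "linkedin", "letmein"]

# Constructed second site (also unsalted SHA-1, by assumption) where one user
# reused a password from the breached site.
OTHER_SITE_HASHES = {sha1_hex("password1"), sha1_hex("unrelated-long-passphrase")}


def words_of(line):
    return re.findall(r"[A-Za-z']+", line)


def acronym_variants(line):
    """The 'obvious' acronymisations of one line: initials only, number words
    as digits or as letters, trailing punctuation kept or dropped, and three
    case forms.  Nothing whimsical is attempted."""
    words = words_of(line)
    stripped = line.strip()
    trailing = stripped[-1] if stripped[-1] in "?!." else ""
    plain = "".join(w[0] for w in words)
    digits = "".join(NUMBER_WORDS.get(w.lower(), w[0]) for w in words)
    variants = set()
    for base in (plain, digits):
        for form in (base, base.lower(), base.upper()):
            variants.add(form)
            variants.add(form + trailing)
    return variants


def candidate_guesses(lines, wordlist):
    guesses = set(wordlist)
    for line in lines:
        guesses |= acronym_variants(line)
    return guesses


def crack(hashes, guesses):
    """Hash every guess once and look it up.  Returns {hash: password}."""
    table = {sha1_hex(g): g for g in guesses}
    return {h: table[h] for h in hashes if h in table}


def reuse_hits(cracked, other_hashes):
    """Passwords recovered from one breach, tried verbatim against another site."""
    return {pw for pw in cracked.values() if sha1_hex(pw) in other_hashes}


def tweak_positions(line):
    """Rough count of independent 'whimsy' slots in a line: each word can be
    spelled out instead of abbreviated, each initial can flip case, and each
    gap between words can take a separator symbol."""
    n = len(words_of(line))
    return n + n + (n - 1)


def multiplier(line, k):
    """Ways to choose k of the tweak slots (symbol choice ignored): the factor
    by which the attacker's per-line search grows once k tweaks are in play."""
    return math.comb(tweak_positions(line), k)


if __name__ == "__main__":
    found = crack(LEAKED_HASHES, candidate_guesses(SONG_LINES, WORDLIST))
    for pw in LEAKED_PASSWORDS:
        print(f"{pw!r:24} {'cracked' if sha1_hex(pw) in found else 'survived'}")
    print("reused at other site:", reuse_hits(found, OTHER_SITE_HASHES))
    print("obvious variants per line:", len(acronym_variants(BEATLES_LINE)))
    print("multiplier for 3 tweaks:", multiplier(BEATLES_LINE, 3))
```

Run it and "password1" and "1234cIhalm?" fall to the lookup while "1234,CIhalittleM?" survives, because the comma, the spelled-out word and the odd capital are not among the dozen obvious forms the generator produces per line; three such tweaks chosen from the 29 slots in that line multiply the per-line search by several thousand. The same lookup table also finds the reused "password1" at the second site with no extra hashing, which is the reason the first post tells you to change a reused password everywhere.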
jducoeur: (device)

... but Dance Practice: the LARP practically writes itself.  Hmm.  Geloxia is practically worth it all by itself...
