
Lost passwords? It's not just about LinkedIn

By Jon Tullett, Editor: News analysis
Johannesburg, 08 Jun 2012

LinkedIn “lost” 6.5 million passwords. Bad LinkedIn! But while this is embarrassing for LinkedIn, it's really just the tip of an iceberg. Online security is in a bad state.

Users should take steps to insulate themselves from security failures at online services, because those failures can and will continue to occur. LinkedIn's nightmare today will be someone else's trauma tomorrow.

That it was LinkedIn was something of a surprise. LinkedIn is one of the more stable social networks. It's been around for a decade, has established a clear niche and value proposition for its 160-odd million users, and has been publicly traded (NYSE:LNKD) since May 2011. LinkedIn is no fly-by-night, but still managed to suffer at least one, probably two, gigantic security lapses. Leaking passwords is bad, but made even worse by reports that the company didn't salt its passwords either. The former is embarrassing; the latter points to systemic security failure which should raise serious questions about the company's approach to security at the most fundamental level.

The company deserves the opprobrium it is getting over this episode, but don't let that distract you from the bigger picture.

Action this day

A sizeable chunk of the leaked password hashes was posted online, with several marked with leading zeroes, suggesting they had already been cracked. There are online tools you can use to check whether your password is in that list, but since the posted list is not the complete set, don't assume that a password absent from it was never leaked or cracked.

If you have ever created a LinkedIn account, whether you use it actively or not, you need to do two things immediately. First, obviously, change your LinkedIn password. Second, if you use the same password for any other service, change that too.

Having done that, start to look more deeply at some of the security issues at play here. This breach was inevitable - if not LinkedIn, someone else would have dropped the ball eventually - and more will come. The risk is compounded by several factors, each of which could be helped by Web services doing a better job, but assuming they don't, users can take steps to reduce the risk themselves.

Three factors in particular stand out: weak passwords, password reuse and aggregation services.

Weak passwords

We all know this one. Anyone using “linkedin” as their LinkedIn password is asking for trouble, ditto “secret”, or any variation of their username. There are any number of ways to create strong, but memorable passwords. Use the initial letters from a song you like, or use a short phrase in its entirety. Length is more important than complexity, though both matter. Entropy is the key here - you want to make your passwords hard to brute-force, but easy to remember.

Password reuse

Many users reuse passwords at multiple sites, since passwords are difficult to remember, especially strong ones. The value of a leaked password is much higher than its source site alone: targeted attacks against an individual become much easier, and broad-based social engineering attacks, such as malware campaigns, have a larger surface to work with. We expect to see malware-spreading messages in LinkedIn now, sent from compromised accounts to their contacts. Similar messages within Facebook, from accounts accessed with the same passwords, may be more likely to succeed, with users less on guard.

Password salts

Combining each password with a random, per-account value before computing its one-way hash is known as “salting”. This doesn't make an individual password any more resistant to a brute-force attack, but it does prevent pre-computed hashes from being used. “Rainbow tables” of precomputed password hashes make cracking credentials orders of magnitude faster. And in large password databases, where you are likely to find many users with the same passwords like “linkedin”, “secret” or “hunter2”, every one of those users shares the same unsalted hash, so the hit-rate for unsalted passwords is significantly higher. Using password salts is Security 101. Anyone not salting passwords is fundamentally lacking in security awareness, and that should raise questions about other parts of their security practice.
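To make the salting point concrete, here is an added example (not code from the article): a constructed three-user table stored both unsalted and with a random per-account salt, and a constructed "precomputed table" of common-password hashes of the kind a rainbow table generalises. The user names, passwords and word list are all assumed sample data; SHA-256 stands in for whatever hash a site uses.

```python
# Added example: why unsalted hashes fall to precomputed tables and why a random
# per-account salt defeats them. All passwords and users below are constructed.
import hashlib
import hmac
import os

# Constructed sample of a site's user table: two accounts share a weak password.
USERS = {"alice": "linkedin", "bob": "hunter2", "carol": "linkedin"}

# Constructed stand-in for a precomputed table (hash -> password). It is built once
# from a list of common passwords and reusable against ANY unsalted database.
COMMON = ["password", "123456", "linkedin", "secret", "hunter2"]
PRECOMPUTED = {hashlib.sha256(p.encode()).hexdigest(): p for p in COMMON}


def hash_unsalted(password):
    """Unsalted storage: a bare one-way hash of the password."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password, salt=None):
    """Return (salt_hex, hash_hex). The salt is random and unique per account, so
    identical passwords get different hashes and no table can be built in advance.
    (A deliberately slow password hash such as PBKDF2, bcrypt or scrypt is preferable
    in practice; plain SHA-256 is used here only to keep the mechanism visible.)"""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return salt.hex(), digest


def verify_salted(password, salt_hex, expected):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_salted(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(digest, expected)


def lookup_in_table(stored_hashes):
    """Look each stored hash up in the precomputed table; returns the ones it recovers."""
    return {u: PRECOMPUTED[h] for u, h in stored_hashes.items() if h in PRECOMPUTED}


def demo():
    """Returns (duplicate unsalted hashes, users recovered unsalted, users recovered salted)."""
    unsalted = {u: hash_unsalted(p) for u, p in USERS.items()}
    salted = {u: hash_salted(p) for u, p in USERS.items()}
    # Same password -> same unsalted hash, so one lookup exposes every user sharing it.
    duplicates = len(unsalted) - len(set(unsalted.values()))
    found_unsalted = len(lookup_in_table(unsalted))
    found_salted = len(lookup_in_table({u: h for u, (_, h) in salted.items()}))
    return duplicates, found_unsalted, found_salted
```

Running `demo()` shows the whole unsalted table recovered by a single lookup pass and nothing recovered from the salted one, which is exactly the gap the article describes.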

There are ways to mitigate password reuse. One is to use different passwords everywhere - adding a mnemonic to each password helps, but avoid just adding “linkedin” to the end of your LinkedIn password - that's rather likely to be guessed! Using a strong password generator can help (and all modern browsers remember passwords), if you have somewhere safe to store them - cloud storage is a good option for making sure they're always accessible. It helps to use a tool like KeePass or LastPass, which generate and store strong passwords, but this can also add complexity or cost.

Usernames, too, are reused extensively. People tend to stick with a small set of online “handles”, and that is shrinking as social networks encourage users to use real names for accounts. An attacker with the password to one service will have little difficulty finding related accounts on other services. This is a process which could easily be automated - don't assume that you aren't a target worthy of an attacker's dedicated interest.

Social media aggregation

Managing updates across multiple social media networks is a pain, so aggregators are popular tools which help users see data from multiple platforms in one interface, and push updates to several services with a single action. These include Web services like ping.fm, and smartphone apps. In order to do this, these services used to require your usernames and passwords for all the networks you were managing, so they could log in as you to access the data directly. And they have to store your password in plain text to do so. Everything about this practice, from a security perspective, is bad - the risks are numerous and severe.

To reduce the risk, social media platforms introduced APIs, allowing users to grant access to partner sites without the third party ever seeing, much less storing, their passwords. Many aggregators have moved to using these APIs, but some, notably many smartphone apps, have not. Be suspicious of any third-party app or service asking for your account login credentials: they should have updated to using APIs by now.

The integration risk cuts both ways, too. Many sites now eschew their own login systems, instead allowing visitors to “log in with Facebook”, or other services. This is convenient for users, but increases the value of that Facebook account. Be aware that your social media credentials are not limited to one site, but may be used extensively elsewhere, and guard them accordingly.

LinkedIn is going to get a dressing-down over this incident. Leaking millions of passwords, and having shoddy security practices exposed, will be deservedly embarrassing. But it was inevitable - the growing value of social media credentials makes them more of a target. As the chain of trust throughout the social media ecosystems grows, so does the pressure on the weakest links. Expect more breaches, and take steps to minimise your risk when they occur.

Do you have tips for managing multiple passwords, or creating memorable-but-strong passwords? Share them in the comments!
