Wednesday, 06 June 2012

A topic I always enjoy... I post this with the hope that you’ll be able to take something from it as a message to carry to others.

You may have heard that apparently the LinkedIn password list consisting on 16.5 million passwords was stolen and a table of hashed password values has been posted online. You may have received emails from concerned people you know, intended to let you know about the issue. And while it’s a good idea to change your password now, I wanted to take the opportunity to expand on the topic a bit.

One message I consistently try to send is that it’s *always* a good idea to change your passwords regularly to protect against threats such as this and others.

This specific case (as the info is exposed today) doesn’t represent an immediate broad threat for LinkedIn accounts, beyond the ability to potentially build a library of valid passwords sans usernames. But, there is enough information exposed to suggest a need to take reasonable action. In this case, the leaked info is a hashed (encrypted weakly but non-reversible) password list. The version of the list posted online contains only the hashed password values and not the associated user names or email addresses. However, the bad guys could possess that additional info, and just not be releasing it. Yet. We don’t know.

“Hashed” means you cannot simply unencrypt the list and see the actual passwords. Instead you’d have to create your own list or library of possible passwords, create hashes for all of those, and then compare the resulting hashes to the stolen password hash list to find any matches. At that point, you’d know that you have a valid password for *someone’s* account on LinkedIn, but you would not know whose account the password it is associated with (since the login emails were not posted). But again, that account login/email info might be held by the bad guys who posted the hash list, there’s no way to tell for sure.

If the bad guys also have the account names/email addresses, the real risk is that they would do a dictionary discovery “attack” against the hashed password list, correlate the resulting validated passwords to the respective email addresses (LinkedIn uses your email address as the login name) and then use those credentials to try to access LinkedIn -- as well as to attempt to access other sites/services where people might (and likely do) use the same login credentials.

So, yes. Change your passwords, not only on LinkedIn but also on other sites where the same user name and password are used. But do it because it’s always been a good thing to do, not just when credential theft scares happen to come up. And also know that an actual readable list of Linkedin passwords and other login credentials have not been posted in the wild -- at least not yet.

Add/Read: Comments [0]
IT Security | Safe Computing | Tech
Wednesday, 06 June 2012 16:18:14 (Pacific Standard Time, UTC-08:00)
#  Trackback