Ann Arbor Area Business Monthly
Small Business and the Internet
By Mike Gould
Broken Record Department: News Flash! Hacker steals 6.5 bazillion passwords from LinkedIn! And eHarmony! And maybe even more!! Pictures at eleven…
Before I get into this month’s exciting story (passwords! Schweeet!...), the department of historical redundancy department requires me to explain to our younger readers what a broken record is. Ya see, back in the day, we didn’t have no fancy-schmancy MP3 devices, nooo, we had these vinyl disks (“records”) that played music when placed on a rotation device. Occasionally, a flaw in the vinyl groovage would cause the music to skip or, more relevantly, repeat, hence the phrase “broken record,” which denotes something repeating, such as me ranting about passwords.
I am repeating this even though I wrote about passwords (PWs) way back in 2004 (URL below). Please do review that article, because it is pretty funny, unless you are afraid of fish. Needless to say, a few things have changed on the ‘Net since then, so here we go again.
LinkedIn (LI) is sort of a FaceBook for the business set. Business folk link to each other and trade recommendations for members seeking hot real estate action, or whatever. I am a member, but, crusty curmudgeon that I am, I have never really taken advantage of it. I can’t think of a single gig I’ve gotten due to LI, but that’s probably just me.
Anyway, the news broke last week that hackers had nabbed a metric boatload of PWs due to LI’s lame computer security. The love-lorn, reputedly Russian hackers then did a similar number on eHarmony, which can only mean we will soon be seeing a flood of “Russian women seeking husbands” in the mailboxen of male eHarmonoids. We can only speculate on what the female members will be subjected to: “Hot real estate agents need wives”, maybe?
The interesting thing here is that the security lapse was on LI’s end. You could have the meanest PW on the planet, but it don’t mean a thing if the server holding that password gets hacked due to lax security.
Salt Your Hash
The technical background to this is semi-interesting. The passwords were stored on LI’s servers as un-salted hash data. Wait, what? As a security measure, LI would take your password and encrypt it with an algorithm (long story, but math is involved) so that instead of being stored as “th1sIsmYp@ssword”, it is stored as a string of letters and digits that bears a mathematical relationship to your real password, such as 7c4a8d09ca3762af61e59520943dc26494f8941b. The server knows the key to unraveling the password, but, theoretically, a hacker would have a hard time figuring it out.
Except, hackers are now quite capable of de-crypting hashes, using techniques beyond the scope of this article (deep dish programming mojo). So security programmers now add more depth to their hashes by adding “salt”, an additional layer of encryption. LI hashed their passwords, but didn’t salt them. So when their servers were broken into, the criminals were able to download long lists of names and corresponding encrypted passwords. They cracked the easy ones, and posted the hard ones on various hacker sites, asking fellow crooks to help them crack the tougher nuts. Which they did, so now there are long lists of passwords out there for the world to see and copy.
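To make the salt business concrete, here is an added example (my own illustration, not anything from LinkedIn or the column): two made-up users who picked the same password get the identical hash when stored unsalted, so one precomputed table of common passwords identifies both of them in a single pass; with a random per-user salt the stored hashes differ and the same table matches nothing. SHA-1 is assumed purely because the 40-character hash quoted above is SHA-1 sized; the accounts and the tiny password list are constructed.

```python
import hashlib
import hmac
import os

# Constructed sample accounts (not real data): two users picked the same password.
# SHA-1 is assumed only because the hash quoted in the column is SHA-1 sized.
USERS = {"alice": "123456", "bob": "123456", "carol": "Ih0pe1canrememberthis"}
COMMON_PASSWORDS = ["123456", "password", "p@ssw0rd"]  # constructed, tiny list


def unsalted_hash(password: str) -> str:
    """What the column describes: hash the bare password and store that."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """Mix a random per-user salt in before hashing, so equal passwords differ."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def make_record(password: str) -> dict:
    """Store the salt beside the hash; it is not secret, just unique per user."""
    salt = os.urandom(16)
    return {"salt": salt.hex(), "hash": salted_hash(password, salt)}


def verify(record: dict, attempt: str) -> bool:
    """Recompute with the stored salt; constant-time compare avoids timing leaks."""
    recomputed = salted_hash(attempt, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(recomputed, record["hash"])


def precomputed_lookup_hits(stored: dict) -> list:
    """Defender's check: which users' stored hashes (user -> hash) fall to a
    one-time precomputed table of common passwords? With salt, none do."""
    table = {unsalted_hash(p): p for p in COMMON_PASSWORDS}
    return sorted(user for user, h in stored.items() if h in table)


def duplicate_hash_users(stored: dict) -> list:
    """Users whose stored hash equals another user's (betrays shared passwords)."""
    hashes = list(stored.values())
    return sorted(u for u, h in stored.items() if hashes.count(h) > 1)


if __name__ == "__main__":
    unsalted = {u: unsalted_hash(p) for u, p in USERS.items()}
    records = {u: make_record(p) for u, p in USERS.items()}
    salted = {u: r["hash"] for u, r in records.items()}
    print("unsalted, found by table:", precomputed_lookup_hits(unsalted))  # ['alice', 'bob']
    print("unsalted, shared hashes:", duplicate_hash_users(unsalted))      # ['alice', 'bob']
    print("salted, found by table:", precomputed_lookup_hits(salted))      # []
    print("salted, shared hashes:", duplicate_hash_users(salted))          # []
    print("verify alice:", verify(records["alice"], "123456"))             # True
```

A real login system would also use a deliberately slow password hash such as bcrypt or scrypt rather than plain SHA-1; the example isolates only what the salt changes.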
Why This Matters
So now we have a database of commonly-used passwords that bad guys can use to test the defenses of various users’ identities on public websites. A common attack on a site asking for a password is to hammer the server with a list of passwords, hoping the user used one of the common ones.
In other words, if your password was among those hacked in this attack, you can (and should) change your LI password, but if you use that same password elsewhere, that elsewhere is now at greater risk of being hacked into because of the LI hack. You may not care about the security of your listing on LinkedIn, but now your security at other sites is at risk.
What To Do
Obviously, job one is to change your password on LinkedIn and eHarmony. Here are some other recommendations from my previous article, updated a bit:
- Use at least 8 characters.
- Don’t base your PW on a word that is found in the dictionary (such as the “password” example below).
- Include one or more digits or punctuation marks (p@ssw0rd).
- Include at least one capital letter (Sw0rdf!sh).
- Choose a phrase or combination of words to make the password easier to remember (“Ih0pe1canrememberthis”).
- Don’t use a common sequence of characters (abcd, 1234, etc.).
- You can use non-printing characters (such as spaces).
- Use different passwords for different accounts.
- Change your password regularly, and don’t reuse passwords or make minor variations such as incrementing a digit.
Note the bit about not using the same password on different sites. If you practiced unsafe passwordage on LI, and shared a password with another site, change that one too, and use a different one than the LI password.
Where To Go
When news of this first appeared, a guy named Chris Shiflett checked his password, hashing it with a common algorithm. He then confirmed that it was on the list of cracked hashes. As a public gesture, he and some friends created a site that will tell you if your password is in the cracked hash list (sounds like a menu at a greasy spoon…).
The URL for this is below, and yes, I tested it with my PW, it was cracked, I have changed it (on LinkedIn, not eHarmony – hey, I’m happily married…) and am hoping I am safe for just a little while until the next event.
Previous password pronouncement: http://mondodyne.com/b2b/smbiznet.77.shtml
Check to see if your password was hacked:
About LeakedIn: http://shiflett.org/blog/2012/jun/leakedin
Mike Gould has impenetrable passwords, was a mouse wrangler for the U of M for 20 years, runs the MondoDyne Web Works/Macintosh Training/Digital Photography mega-mall, builds laser display devices, performs with the Illuminatus 2.2 Lightshow, and welcomes comments addressed to firstname.lastname@example.org.