How secure are your passwords?

The recent theft of LinkedIn passwords has again reminded users and network security experts alike of the vulnerabilities and threats that exist online, and the need for both websites and their members to do their part to better protect their data.

Over the last few days there have been widespread reports that over 6.4 million passwords for the professional networking site, LinkedIn, have been compromised. Furthermore, a file allegedly containing the encrypted passwords has been posted online, with hackers and other interests working to decode them.  So far, it is unclear whether email addresses or other personal information were also stolen, but in statement released by LinkedIn on 6 June, it stated:

… We are continuing to investigate this situation and here is what we are pursuing as far as next steps for the compromised accounts: Members that have accounts associated with the compromised passwords will notice that their LinkedIn account password is no longer valid. These members will also receive an email from LinkedIn with instructions on how to reset their passwords…. (Source: LinkedIn)

This recent case of compromised passwords, while unpleasant, is becoming increasingly frequent. This week, at least two other high profile sites, eHarmony (dating/matchmaking) and Last.fm (music), were also targeted. In the case of eHarmony, for example, security experts discovered scrambled files with passwords for at least 1.5 million online accounts. Again, a file containing those passwords has since been uploaded to other websites and hackers have been encouraged to crack them. However, a greater concern to many who are aware of this incident is the fact that eHarmony stores extensive and highly personal information about its members, which could make them subject to extortion and embarrassment (Source: Reuters).

Network security requires vigilance

Consistent with the views of the network security professionals, from BarbadosJamaica and Trinidad and Tobago, who we interviewed during our Expert Insights series, network security requires vigilance. Threats are becoming more frequent and sophisticated; hence it is imperative that there is continuous assessment of the integrity of one’s network. This vigilance should also be underpinned by appropriate software and equipment, along with a clear and coherent data protection framework.

In that regard, it is instructive to note that LinkedIn, which has over 160 million registered users and made over USD 522 million in revenues (year ending 2011), was reportedly using a very weak password encryption system:

The 6.5 million leaked passwords were posted Monday on a Russian online forum, camouflaged with a common cryptographic code called SHA-1 hash. It’s a format that’s considered weak if added precautions aren’t taken. Roughly half of the “hashed” passwords have already been decoded and posted online in human-readable text…

… LinkedIn was using an outdated form of cryptography to secure its users’ private information. The company should have known better than to guard its lists with just SHA-1, experts say.

The problem with SHA-1 is that it translates the same text the same way each time. So if your password is “password” and your friend’s password is also “password,” they will be hashed exactly the same way. That makes reversing the process to uncover the original password significantly easier. (Source: CNN Money)

Since the incident, LinkedIn has enhanced its security and augmented its encryption systems (Source: LinkedIn). However, it is important to emphasise that since no systems is infallible. The measures implemented will not completely eliminate the possibility of another theft, but user information may be less easily compromised and deciphered.

Set strong passwords

While it is incumbent on websites to ensure that their networks are secure, website members and users must also ensure that they set strong passwords for their accounts. Admittedly, many of us are juggling numerous accounts, so it becomes important to select passwords that are still (relatively) easy to remember. However, Figure 1 shows the most popular passwords, based on the theft of nearly 200,000 passwords on Gawker in December 2010.

Figure 1: Most popular passwords based on a 188,279 leaked Gawker Media passwords (Source: Sophos)

 

How then can password be made more secure and less decipherable to hackers? To increase the strength of your passwords, consider the following tips as a starting point, along with the short video clip below:

  • make your passwords at least than 8 characters long
  • include a combination of numbers and upper and lower case letters
  • do not use dictionary words, your personal information and obvious sequences, such as parts of the alphabet or numbers
  • add complexity by incorporating and replacing letters in your starting word or phrase with special characters, such as punctuation and symbols (e.g., @, %, &,  _, ?, $, etc. ) if allowed, and
  • change your password frequently, e.g. once per quarter.

 

___________