Change your LinkedIn password
Del Lardo
06-06-2012, 15:30
http://www.zdnet.com/blog/btl/646-million-linkedin-passwords-leaked-online/79290
Best be on the safe side............
FFS I only signed up about a month ago because people at work were pestering me.
Rather annoying, I'd like to know that the hole is patched before I change the password though, other sites will be done though
Change it to something temporary (and not used elsewhere) until it's confirmed patched - otherwise you could be going around in circles.
Thankfully the passwords are encrypted, which is a step in the right direction from previous disclosures at least. It's now down to how easy they are to crack. Provided you used a strong password (i.e. not one that can be cracked with a dictionary attack), and they used a sufficiently strong hash (at least SHA-1), then you'll be OK, but better to change it anyway.
Encryption / hashing is next to useless without salting, which is what LinkedIn haven't done. Good explanation here: http://www.standalone-sysadmin.com/blog/2012/06/bad-juju-linkedin-credentials-compromised/
FFS, it's not like this is a company listed on the exchange or anything. There needs to be BIG fines for pathetic password storage policies in the modern age.
IIRC there is a part in the DPA about ensuring users information is sufficiently protected?
Under the laws in the US they'll be required to include the details of the hack in their annual filings. Next shareholder meeting promises to be interesting.
LeperousDust
07-06-2012, 14:53
Have a unique password for LinkedIn, as with pretty much every "important" website I use that encompasses my "online presence".
I'll change it slightly for now and hold fire until they sort themselves out. No one company can be trusted at all, which is why I keep my passwords totally unique...
It's terrible companies can't keep a check on security and I don't mean losing the passwords in the first place, I mean actually making sure they're safely guarded even in the wrong hands... It's not a difficult idea, but as with any large companies they tend to be somewhat ignorant :(
Saying that most users don't take password security seriously either *sigh*...
So even if they don't think your password has been compromised, you should change it anyway, since the hack affects 6.5m passwords, not 6.5m accounts as the media have reported.
Due to their lack of salts, multiple accounts with the same password have the same hash, and thus you can't guarantee that your account hasn't been compromised because you don't know if someone else happens to have chosen the same password as you (however unlikely you may think that is).
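As an added illustration of the two points made above (salting is what separates a useful hash from a near-useless one, and without salts every pair of users who picked the same password shows up as the same stored hash), the following Python is example code written for this thread, not anything from LinkedIn or the linked blog post. The account names and passwords are constructed sample data; the "unsalted SHA-1" scheme is the one the thread attributes to LinkedIn, and the salted alternative uses PBKDF2 from the standard library as one common hardened choice.

```python
import hashlib
import hmac
import os

# Constructed sample data: three accounts, two of which chose the same password.
ACCOUNTS = {
    "alice": "Summer2012!",
    "bob": "Summer2012!",
    "carol": "correct horse battery staple",
}


def unsalted_sha1(password: str) -> str:
    """Plain SHA-1 of the password: the unsalted scheme the thread describes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_pbkdf2(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Per-user salt plus a deliberately slow key-derivation function."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def store_unsalted(accounts: dict) -> dict:
    """Credential table as unsalted hashes: user -> hash."""
    return {user: unsalted_sha1(pw) for user, pw in accounts.items()}


def store_salted(accounts: dict) -> dict:
    """Credential table with a random 16-byte salt per user: user -> (salt, hash)."""
    table = {}
    for user, pw in accounts.items():
        salt = os.urandom(16)
        table[user] = (salt, salted_pbkdf2(pw, salt))
    return table


def shared_password_groups(table: dict) -> list:
    """Return groups of users whose stored hash is identical.

    With unsalted hashes, every group of size > 1 reveals that those users
    share a password before anyone cracks anything, which is exactly why a
    leaked unsalted table affects passwords rather than individual accounts.
    With per-user salts the same password hashes differently for each user,
    so the groups are always empty.
    """
    by_hash = {}
    for user, entry in table.items():
        digest = entry[1] if isinstance(entry, tuple) else entry
        by_hash.setdefault(digest, []).append(user)
    return sorted(users for users in by_hash.values() if len(users) > 1)


def verify_salted(table: dict, user: str, candidate: str) -> bool:
    """Login check against the salted table, using a constant-time comparison."""
    if user not in table:
        return False
    salt, stored = table[user]
    return hmac.compare_digest(stored, salted_pbkdf2(candidate, salt))


if __name__ == "__main__":
    print("unsalted SHA-1 groups:", shared_password_groups(store_unsalted(ACCOUNTS)))
    print("salted PBKDF2 groups: ", shared_password_groups(store_salted(ACCOUNTS)))
```

Running it prints `[['alice', 'bob']]` for the unsalted table and `[]` for the salted one: the shared password is visible in the first table by inspection alone. The iteration count is the other half of the defence; a plain SHA-1 costs one hash operation per guess, whereas PBKDF2 with 100,000 iterations makes each guess roughly that many times more expensive for whoever holds the leaked table.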
Thankfully, I don't have a LinkedIn account. Dreading when one of my accounts does get compromised though because I only have a small number of passwords across all sites. I've been researching password managers for my phone because I think that's the way I'm going to have to go.
True, I only used the password for there as I never fully trusted LinkedIn, bit like Facebook.
I'm probably jinxing myself here, but I've had the same password (or variation of if the site insists on certain rules) since 1989 and to the best of my knowledge it's never been hacked/guessed/whatever...
I'm probably jinxing myself here, but I've had the same password (or variation of if the site insists on certain rules) since 1989 and to the best of my knowledge it's never been hacked/guessed/whatever...Posted by Faysh from Nutcase's account.
:D
Saying that most users don't take password security seriously either *sigh*...
I think it's also partially down to silly rules on certain sites that say must be a 'Memorable' 10-12 letters/characters, involve 1 capital letter, 3 symbols, 3 numbers, a hat reference and the 3rd letter of your milkman's cat's name. And you must not write it down. So, to meet all of that criteria, and keep your password different for every single site, you'd have to be frickin' Rainman to manage it.
I think they got my password, they've changed my years of work at my previous company from June 2001 to July 2001. Devastated. ;)
Blighter
10-06-2012, 20:42
I think it's also partially down to silly rules on certain sites that say must be a 'Memorable' 10-12 letters/characters, involve 1 capital letter, 3 symbols, 3 numbers, a hat reference and the 3rd letter of your milkman's cat's name. And you must not write it down. So, to meet all of that criteria, and keep your password different for every single site, you'd have to be frickin' Rainman to manage it.
I think they got my password, they've changed my years of work at my previous company from June 2001 to July 2001. Devastated. ;)
Just have one password that contains a capital letter, symbol and number and you can use it everywhere. It's amazing how easy passwords that are just dictionary words are to crack.
I use song titles and the year that song was released to create passwords. From that I can instantly recall the password by associating a particular song to a particular website. Works well, until my itunes account gets hacked I guess.
Stan_Lite
11-06-2012, 08:16
I use song titles and the year that song was released to create passwords. From that I can instantly recall the password by associating a particular song to a particular website. Works well, until my itunes account gets hacked I guess.
That sounds like a good idea. Not as secure as a randomly generated password with letters, numbers and symbols but a damn sight better than 'password' or '1234567890'.
I might adopt that (or a similar) system for myself - much better than my current system.
Just have one password that contains a capital letter, symbol and number and you can use it everywhere. It's amazing how easy passwords that are just dictionary words are to crack.
Hah, not with my memory, assuming the number is different every time? I spend more time having to recover 'secure' passwords than anything else because I've changed a number and can't remember which site has which number assigned to it.
Belmit, I used that - used the first letter of each word of the song, followed by a year with a symbol on either end. Always had a mix of capitals, numbers & symbols. Still didn't work, by the time it rolled around for me to use non-regular websites, I'd forgotten them all. I've basically resorted to abusive words/phrases recently as it's either a system, that can usually be easily cracked depending on the site you've used it for, or completely random, in which case, I forget.
leowyatt
11-06-2012, 13:42
I saw this (https://www.secmaniac.com/blog/2012/06/11/massive-mysql-authentication-bypass-exploit/) on twitter before and probably explains how the passwords were retrieved.
Just have one password that contains a capital letter, symbol and number and you can use it everywhere. It's amazing how easy passwords that are just dictionary words are to crack.
I'm sorry, but that's extremely bad advice. The only safe way is one password per site.
What you're talking about is still vulnerable to brute force hash cracking, something that is getting easier and easier as GPUs and CPUs become more powerful. Worse, you're entirely gambling on the security precautions of the site. The eHarmony dump of passwords, for example, was relying on straight MD5 hashing which is ludicrously cheap computationally and extremely vulnerable to straight brute force. A number of sites are even stupider and keep passwords in plain text, even ones that should know better.
Yes it's a pain in the arse to keep a separate password per site, but it's the only way to be even remotely safe. Quite frankly you should operate on the assumption that every website you use IS going to get hacked, and that people will get your password from the site that way. If you use one password, regardless of how secure it is, and someone gets it because a website is stupid, that's it. Game over, your entire online identity is compromised. You can use tools like 1Password or KeePass to help, and they're cross platform & browser.
Also use a random password generator, most of these tools include them. The longer the password the better.
If you want to be extremely paranoid, use a combination of something like PasswordSafe (http://passwordsafe.sourceforge.net/) for storing passwords securely in an encrypted file, and SpiderOak (https://spideroak.com/) for encrypted file sharing where only you hold the decryption key.
LeperousDust
12-06-2012, 04:12
Couldn't really agree with Garp less :) I don't randomly generate my passwords but I can assure you they're over 10 chars long mixture of symbols, number, upper and lower case yet memorable, which is about as good as you get in my books...
Blighter
12-06-2012, 19:32
Of course you'll be pretty stupid to use the same password for everything.
The problem that I'm sure most people on here will have is that across the internet I have at least 500 accounts across websites, if you include the things I've just signed up for once to get access to something then it's probably in the 1000's.
I have a different password for all major things; banking, email, facebook, etc.
I also have mobile verification on my email and facebook, meaning that I *HAVE* to also have access to my phone (which is behind a different password) in order to log in when using a new device and/or app.
At the end of the day you have to balance it out. It's not the end of the world if someone guesses one of the passwords I use on forums in all honesty so they are ok to keep the same/similar. Banking, email, facebook, etc however are not.
The great thing about Facebook logins on websites nowadays is that even if someone knows my password, they'll still need my phone in order to log into anything :D