Jun 6, 2012

Use LinkedIn? Time to Change Your Password


UPDATE: Want to know if your LinkedIn account password was one of 6.5 million that were leaked? You can now test your password on our tool: https://lastpass.com/linkedin to find out! Either way, we still recommend updating your account password.

Reports are now circulating that LinkedIn user accounts may have been compromised, after nearly 6.5 million hashed passwords were reportedly uploaded to a Russian hacker forum.

The popular business networking site has responded that they are looking into these reports, but we highly recommend updating the password for your LinkedIn account.

You can use LastPass to log in to your LinkedIn account, go to your account settings page, and update the password to a new, randomly generated one using the LastPass password generator, located in the Tools menu of the LastPass icon. LastPass helps automate the process by filling in your old password and, when you've saved the new password, confirming the update to your stored LinkedIn account.

With more than 150 million users worldwide, the breach seems to have affected about 10% of the user base. Although usernames do not appear to have been posted alongside the hashed passwords, Finnish security firm CERT-FI warned that hackers may have access to user email addresses in an encrypted form.

The LinkedIn passwords are said to be stored as SHA-1 hashes, a very secure algorithm, but the fact that they did not "salt" the hashes puts user data at significantly higher risk of being compromised. Reports indicate that weaker passwords - some 300,000 of them - may have already been cracked, and the hackers seemed to be reaching out to others in an attempt to crack more [the forum thread referenced appears to be inaccessible at the time of writing this post]. A number of LinkedIn users have already confirmed that their passwords were stolen in the breach.

If user passwords consist of dictionary words or are on the list of 'bad' passwords, then they have likely already been cracked. We still highly recommend updating your account password even if yours is much stronger. If you're new to secure password management, get started today by downloading LastPass, creating a free account, and updating your passwords to secure, generated ones.
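As an added illustration of the two points above (unsalted SHA-1 lets a precomputed table of common words match every leaked hash at once, and a per-user salt plus a slow key-derivation function removes that advantage), here is a small example written for this post. It is not LastPass's or LinkedIn's code; the "leaked" hashes, the plaintexts behind them and the word list are all constructed here so the script runs offline.

```python
import hashlib
import hmac
import os

# Constructed sample data (not from the real leak): a tiny word list of the
# kind of "bad" passwords the post mentions, and three made-up user passwords.
COMMON_WORDS = ["password", "123456", "linkedin", "letmein", "qwerty"]
SAMPLE_USER_PASSWORDS = ["password", "linkedin", "Xv9#qL2!tR8mZ"]
PBKDF2_ITERATIONS = 100_000


def sha1_unsalted(password: str) -> str:
    """Storage scheme the post describes: bare SHA-1 of the password, no salt.
    Two users with the same password get the same hash."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def recover_from_unsalted(leaked_hashes, wordlist):
    """Defender's view of the risk: with no salt, each dictionary word is hashed
    once and the result compared against every leaked hash, so anything on the
    word list falls immediately. Returns {hash: word} for the hashes that matched."""
    table = {sha1_unsalted(w): w for w in wordlist}  # built once, reusable against any unsalted dump
    return {h: table[h] for h in leaked_hashes if h in table}


def hash_salted(password: str, salt: bytes = None, iterations: int = PBKDF2_ITERATIONS):
    """Mitigation: random 16-byte per-user salt plus PBKDF2-HMAC-SHA256.
    Returns (salt, derived_key); the salt is stored next to the key."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, key


def verify_salted(password: str, salt: bytes, stored_key: bytes,
                  iterations: int = PBKDF2_ITERATIONS) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, key = hash_salted(password, salt, iterations)
    return hmac.compare_digest(key, stored_key)


def demo():
    # Unsalted: the two dictionary passwords are recovered at once; the random one is not.
    leaked = [sha1_unsalted(p) for p in SAMPLE_USER_PASSWORDS]
    recovered = recover_from_unsalted(leaked, COMMON_WORDS)

    # Salted: the same weak password hashed for two users gives two different
    # records, so a table precomputed without the salt matches neither.
    salt_a, key_a = hash_salted("password")
    salt_b, key_b = hash_salted("password")

    return {
        "unsalted_recovered": sorted(recovered.values()),
        "salted_records_differ": key_a != key_b,
        "salted_verify_ok": verify_salted("password", salt_a, key_a),
        "salted_verify_wrong": verify_salted("password1", salt_a, key_a),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The salt does not make a single guess harder; it stops one precomputed table from being reused across users and across breaches, and the iteration count is what makes each guess expensive. A stronger password, as the post recommends, is still the user's own defence regardless of how the site stores it.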

Graphic courtesy of Lifehacker.com

23 comments:

  1. When are you guys going to add password aging? So that LastPass can tell me, even when I'm not monitoring security reports, "hey, you haven't updated your 'linkedin' password in 2 years, go update it." Granted, aging passwords too often has been shown not to help (more so because then you can't remember them), but I think never updating is bad too.

    1. This is a great suggestion, I would like to see this feature as well.

    2. Great idea!

    3. Asked the same question, exactly 6 months ago.
      The answer was "Currently no, but thanks for the good suggestion!"

    4. Password aging is *not* a good idea, as any decent cryptologist will tell you. It's safer to use a longer, more secure password once than using dozens of insecure, structured passwords frequently.

    5. When required in work situations for the average person, I agree that password aging only makes passwords weaker. People either cycle through things that could be broken in dictionary attacks or are forced to use a more complicated password, won't end up memorizing it because of its short lifespan, and write it on a Post-It right by the keyboard...

      Those of us with LastPass accounts, though, are (hopefully!) using more secure passwords; I see little harm in updating complex generated passwords every now and then.

    6. Yeah, devs, you really should add that feature. You have a last-used time on the vault; get off your ass and write 3 lines of code.

      And password aging IS a good idea. If you're using "dozens of insecure, structured passwords" you're doomed to fail anyway, you idiot. Even if you use common (bad) passwords -- say "password" -- you might change it every month and make the next one "password1", then "password2", and so on and so forth. If you use strong passwords, having ones that change every so often creates an even stronger policy. If one does on the odd chance get compromised, it will be for a maximum of however long your aging tolerance specifies.

      Strong passwords, updated more frequently FTW.

    7. Thanks for the nasty response. Did you really have to call her an idiot? The fact is -- especially in corporate settings where security policies require frequent password changes -- that people will choose lame passwords they can remember and just increment through a digit on the end. Many people write them down.

      "if one does on the odd chance get compromised, it will be for a maximum of however long your aging tolerance specifies." -- well, unless of course once the hacker gets it, the hacker changes it, causes damage, and sends your boss nasty emails from your account. Then the compromise has much more enduring effects. PAM

    8. Yes, updating passwords frequently does generally cause people not using password managers to choose weak ones. I personally do not intend to update frequently (even though LastPass means it doesn't matter). My personal intent is to say 1 year is long enough for any password to not be changed. I just updated a password I know I haven't updated since ~high school, ~9 years ago. Far too long, and it was far too weak. I imagine eventually it'll be that long after some LastPass passwords. Also some unfortunate websites make me have really sucky passwords to begin with, as they have really stupid limitations, leaving me to believe they aren't encrypting them properly (such as may not be > 10 characters). Oh, I even have a site that allows only numeric characters as it's a PIN *headdesk*.

  2. Thanks for the Facebook post about this. Quick, easy change with LastPass.

    Thanks again!

  3. Thank goodness I was already using LastPass to create complex passwords so, thankfully my LinkedIn password was a unique password not used on other sites and I can easily change it. Thanks for the heads up.

  4. Interesting that I have to use "Copy Password" to change my password, since LastPass can't detect that I need to fill the form for "Old Password"...

    1. This is actually not interesting at all. More whiny than anything. Sorry you had to use the copy button like the rest of us.

    2. Actually, it is interesting - since you'd think LastPass could figure out LinkedIn's password form... especially since they are posting articles on the LinkedIn issue. Sorry that you (and several others on here) have such rude, intolerant responses - and feel the need to express them. Have a nice day! :) <3

  5. Thanks and also, please add pronounceable passwords to Firefox.

    1. Man, I kind of wish that was a "generate passphrase" feature.

  6. The article up at Ars Technica speculates that passwords from a dating site (possibly eHarmony) were leaked as well.

  7. You really should be more supportive of quality password habits and boldly tell people not to use the password checking tool until after they have changed their LinkedIn password, and then to never again use the same password. It doesn't matter if LastPass is trustworthy, you should promote password safety.

  8. The password-checking website http://leakedin.org/ has one feature yours doesn't: it tells you not only if your password was in the leaked set, it also tells you if it has been cracked. That would be a Cool Thing to add.

    Add my +1 vote for password-aging options, set on a per-website basis.

  9. I blog about the LinkedIn password checker at http://www.liewcf.com/linkedin-password-checker-8098/

    1. Thanks for passing it along, Liew!

  10. So, in the wake of the Yahoo breach, are you going to have a Yahoo username checker? Actually it isn't just Yahoo accounts; there were 35,000 domains affected.
