Jun 7, 2012

Use eHarmony? Time to Update That Password, Too


It's that time again, folks. Time to update another password. Popular matchmaking site eHarmony announced last night that it too has suffered a breach, confirming that the passwords of a "small fraction" of its user base have been compromised.

Want to test if yours was one of them? Find out here: https://lastpass.com/eharmony. Whether or not yours made the list, though, we highly recommend you update your password. The LastPass security challenge can also help you identify duplicate or weak passwords for other accounts.

You can use LastPass to log in to your eHarmony account, go to your account settings page, and update the password to a new, randomly generated one using the LastPass password generator, located in the Tools menu in the LastPass Icon. LastPass helps automate the process by filling in your old password and confirming the update to your stored eHarmony account when you've saved the new password.

The eHarmony hack was reportedly perpetrated by the same Russian hacker who uploaded 6.46 million stolen LinkedIn password hashes Wednesday, June 6. According to Ars Technica, the hacker, who uses the name "dwdm", also posted the list of compromised eHarmony accounts.

According to eHarmony's blog, affected eHarmony members have had their passwords reset, and will receive an email with additional instructions on updating their account. Of the leaked list, we can confirm that 1,229,054 hashes were already cracked, and we predict that they'll be cracked in their entirety soon.

Given that most of the password hashes do not correspond to the standard list of "bad passwords", e.g. dictionary words, it's probable that the person has only released the data for the harder-to-guess passwords in a bid to have them cracked.

As we said above, no one should be taking their chances - everyone should update their passwords, and use this as an opportunity to look over all of their online accounts to ensure they are using strong, unique passwords everywhere. The LastPass security challenge will give you a good starting point, and you can then use the LastPass password generator to start better securing your online life.

The LastPass Team

Jun 6, 2012

Use LinkedIn? Time to Change Your Password


UPDATE: Want to know if your LinkedIn account password was one of 6.5 million that were leaked? You can now test your password on our tool: https://lastpass.com/linkedin to find out! Either way, we still recommend updating your account password.

Reports are now circulating that LinkedIn user accounts may have been compromised, after nearly 6.5 million hashed passwords were reportedly uploaded to a Russian hacker forum.

The popular business networking site has responded that they are looking into these reports, but we highly recommend updating the password for your LinkedIn account.

You can use LastPass to log in to your LinkedIn account, go to your account settings page, and update the password to a new, randomly generated one using the LastPass password generator, located in the Tools menu in the LastPass Icon. LastPass helps automate the process by filling in your old password and confirming the update to your stored LinkedIn account when you've saved the new password.

With more than 150 million users worldwide, the breach seems to have affected about 10% of the user base. Although usernames do not appear to have been posted alongside the hashed passwords, Finnish security firm CERT-FI warned that hackers may have access to user email addresses in an encrypted form.

The LinkedIn passwords are said to be stored as SHA-1 hashes, a very secure algorithm, but the fact that they did not "salt" the hashes puts user data at significantly higher risk of being compromised. Reports indicate that weaker passwords - some 300,000 of them - may have already been cracked, and the hackers seemed to be reaching out to others in an attempt to crack more [the forum thread referenced appears to be inaccessible at the time of writing this post]. A number of LinkedIn users have already confirmed that their passwords were stolen in the breach.
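To make the salting point concrete, here is an added example (not code from LinkedIn, LastPass, or the original post) that stores the same constructed accounts both ways: unsalted SHA-1 as described above, and a per-user salt with PBKDF2. The usernames, passwords, wordlist, and the choice of PBKDF2 with 100,000 iterations are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: alice and bob happen to pick the same password.
USERS = {"alice": "linkedin2012", "bob": "linkedin2012", "carol": "Xq7#vT2p!mZ9"}
WORDLIST = ["password", "123456", "linkedin2012"]  # constructed "bad passwords"

def store_unsalted(password):
    """Unsalted SHA-1: the storage scheme the post describes."""
    return hashlib.sha1(password.encode()).hexdigest()

def store_salted(password, iterations=100_000):
    """Hardened form: random per-user salt plus a deliberately slow KDF."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest

def verify_salted(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, digest = record
    guess = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(guess, digest)

def shared_hash_groups(hashes):
    """Accounts whose stored values are identical (a shared password is visible)."""
    groups = {}
    for user, value in hashes.items():
        groups.setdefault(value, []).append(user)
    return [sorted(g) for g in groups.values() if len(g) > 1]

def exposed_by_wordlist(unsalted, wordlist):
    """Each word is hashed once, then matched against every account at once."""
    lookup = {store_unsalted(w) for w in wordlist}
    return sorted(u for u, h in unsalted.items() if h in lookup)

def demo():
    unsalted = {u: store_unsalted(p) for u, p in USERS.items()}
    salted = {u: store_salted(p) for u, p in USERS.items()}
    return {
        "unsalted_shared": shared_hash_groups(unsalted),
        "salted_shared": shared_hash_groups({u: r[2] for u, r in salted.items()}),
        "unsalted_exposed": exposed_by_wordlist(unsalted, WORDLIST),
        "salted_verifies": verify_salted("linkedin2012", salted["alice"]),
        "salted_rejects": not verify_salted("password", salted["alice"]),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

With unsalted hashes, one pass over a wordlist covers every account and identical passwords are visible as identical rows; with per-user salts, each guess has to be recomputed separately for each account.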

If user passwords consist of dictionary words or are on the list of 'bad' passwords, then they have likely already been cracked. We still highly recommend updating your account password even if yours is much stronger. If you're new to secure password management, get started today by downloading LastPass, creating a free account, and updating your passwords to secure, generated ones.

Graphic courtesy of Lifehacker.com