Wednesday, June 6, 2012

LinkedIn Password Breach

Lex Friedman:

LinkedIn said on Twitter that it’s investigating the potential password hack. In the meantime, it’s another good reminder to use a different password for each of your different Web services; if you have a LinkedIn account and use the same password elsewhere, you may want to start changing some of those passwords now.

Daniel Jalkut:

What if I committed the foolish move of using the same password on LinkedIn as I did on another, more important site? Now a hacker with possession of my username and password for LinkedIn can make some very good guesses about my username and password on other sites.

He’s written an app and an AppleScript to help.

Update (2012-06-08): Poul-Henning Kamp (via Graham Lee):

LinkedIn is learning fast right now; according to their damage control missives, they have now implemented salting and “better hashing.” But we have yet to find out why nobody objected to them protecting 150+ million user passwords with 1970s methods.

And everybody else should take notice too: Even if you use md5crypt, you should upgrade your password scrambling algorithm. As a rule of thumb: If it does not take a full second to calculate the password hash, it is too weak.


I noticed another sketchy-at-best thing LinkedIn was doing when I went to help my father change his LinkedIn password: on some sort of default screen shown when he visits the site, LinkedIn populated a giant username/password field with an email address associated with his LinkedIn account. The form/section had a headline something like “See who you know on LinkedIn,” which sounds enough like the vague marketing headlines in vogue these days on log-in/sign-up pages to be confusing.

Since I don’t use LinkedIn and since I wasn’t aware until later that he lets LinkedIn remember him via cookies, I also thought this was a log-in form. It was only after reading the error message when “logging in” failed (“Be sure to use your email password, not your LinkedIn password,” or something to that effect), and then closely reading the text under the section headline, that I realized that LinkedIn was trying to get you to give them access to your email account—and over plain HTTP at that!

It’s certainly starting to look like a pattern of poor judgement and security un-awareness at LinkedIn.

On the happier side of things, kudos to Daniel Jalkut for coming up with that solution to figuring out which Keychain items have the same password!
