LinkedIn Was Breached. Now What Do You Do?
Security researchers have confirmed that a file containing 6.5 million encoded LinkedIn passwords has been posted to a Russian hacker site. LinkedIn has yet to confirm the breach, but it took to its Twitter account Wednesday to tell users it was investigating the matter.
It is unclear whether the file represents the full extent of the breach. Paul Kocher, president of Cryptography Research, a computer security company in San Francisco, said it appeared that LinkedIn’s user credentials had been compromised because it stored log-in information on its main Web servers instead of isolating those files on separate, secure machines whose only function was to verify log-in details.
The passwords are protected by cryptographic hashing: each password is run through a one-way hash function that turns it into a string of seemingly random letters and numbers, and only that hashed form is stored.
As hackers work quickly to crack those “hashed” passwords (165,000 passwords have already been cracked and posted online), LinkedIn users would do well to change their passwords immediately.
Here is the important thing to note if you are worried about your password being taken. You need to change the password not just for LinkedIn, but for any other site where you might have used the same password, or any site for which you might have given a simple password for that matter.
Here are some quick tips in the meantime:
Throw out the dictionary
Stop using simple passwords. To crack passwords, hackers often use automated tools. Any password that can be found in the dictionary is useless. “The worst passwords are dictionary words or a small number of insertions or changes to words that are in the dictionary,” said Mr. Kocher.
Consider an easy-to-remember phrase that contains two or three words, or stringing together only the first few letters of each word in a sentence that would be difficult to guess. The longer the password, the better.
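The two points above, why a leaked file of plain hashes is crackable and what a dictionary-word check looks like, as an added Python example (this is not code from the article or from LinkedIn; the user names, passwords and the tiny DICTIONARY set are constructed stand-ins for a real wordlist):

```python
import hashlib
import hmac
import os

# Constructed blocklist standing in for a real dictionary (assumption: a real
# deployment would load a large wordlist plus previously breached passwords).
DICTIONARY = {"password", "linkedin", "welcome", "letmein", "monkey", "dragon"}
LEET = str.maketrans("0134$@", "oleasa")  # common single-character swaps


def store_unsalted(password):
    """The weak scheme: one plain hash per password. Every user with the same
    password gets the same digest, so one lookup table cracks all of them."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def store_salted(password, salt=b"", rounds=100_000):
    """Per-user random salt plus an iterated KDF: equal passwords no longer
    share a digest, and each guess costs the attacker `rounds` hash calls."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return salt, digest.hex()


def verify_salted(password, salt, stored_hex, rounds=100_000):
    """Recompute with the stored salt; constant-time compare avoids a timing leak."""
    _, candidate = store_salted(password, salt, rounds)
    return hmac.compare_digest(candidate, stored_hex)


def is_dictionary_password(password):
    """Reject dictionary words and the 'small changes' to them that Kocher
    warns about: case changes, appended digits/symbols, leet substitutions."""
    core = password.lower().rstrip("0123456789!@#$%^&*.?-_")
    core = "".join(ch for ch in core.translate(LEET) if ch.isalpha())
    return core in DICTIONARY


def demo():
    # Constructed sample accounts; alice and bob reuse the same password.
    users = {"alice": "Password1!", "bob": "Password1!", "carol": "nine-blue-otters-sing"}
    unsalted = {u: store_unsalted(p) for u, p in users.items()}
    salted = {u: store_salted(p) for u, p in users.items()}
    return {
        "unsalted_collide": unsalted["alice"] == unsalted["bob"],   # True
        "salted_collide": salted["alice"][1] == salted["bob"][1],   # False
        "weak": [u for u, p in users.items() if is_dictionary_password(p)],
    }
```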
Never use the same password twice
People tend to use the same password across multiple sites, a fact hackers are all too happy to exploit. While cracking into someone’s professional profile on LinkedIn might not have huge consequences, hackers can use that password to crack into, say, someone’s e-mail, bank, corporate account or brokerage firm, where sensitive financial and personal details are free for the taking.
Choose your security questions carefully
Hackers can easily reset your password using basic information found on the Internet. During the 2008 presidential campaign, a hacker was able to reset Sarah Palin’s password using her birth date, ZIP code and information about where she met her husband — the security question on her Yahoo account, the answer to which (“Wasilla High”) was available on the Web. On Tuesday, a hacker claimed he had been able to crack into Mitt Romney’s Hotmail and Dropbox accounts using the name of his favorite pet.
Store your passwords somewhere safe
Do not store your passwords in your e-mail inbox. Consider a password manager, password-protected software that lets you store all your usernames and passwords in one place. Some programs will even create strong passwords for you and automatically log you into sites as long as you provide one master password. Those programs also make it impossible for hackers to crack your accounts using keystroke logging software or a phishing attack. Several password managers work across platforms. Splash Data offers password-management software for Windows and Macs and mobile devices, as does Agile Bits with its 1Password software. Top Ten Reviews has reviews of password managers for PCs.
Read the article in its entirety at the link below.