LinkedIn may be a boring place with no secrets, but those passwords are important, says Peter Judge
The release of up to 6.5 million LinkedIn passswords yesterday is cause for concern. You need to change your password now, and LinkedIn’s response is inadequate. But let’s keep this in perspective, shall we?
A hash file containing around 6.5 million passwords has been posted online, possibly by the generic bad guys: “Russian hackers”. Security firm Imperva thinks the number could be much higher, as the details leaked on a hash cracking forum did not include easy to decipher passwords. That indicated the hackers did not share those login details but kept them for their own gain.
LinkedIn has confirmed in a blog that passwords have been leaked, has posted advice on how to change your password, and has issued four Tweets on the subject. That is probably not enough, and you need to act now. But acting quickly is not the same as panicking.
Change your password now
First, we assume that all of our readers – or at least a very high proportion of them – have LinkedIn accounts. It’s become an expected part of being an online professional. If you do have a LinkedIn account, you need to change your password now, even if you don’t use LinkedIn regularly.When I say “now”, don’t feel obliged to read to the end of this post first. I can wait while you do it…
Six and a half million is a significant proportion of the 161 million people who have LinkedIn accounts. So on the face of it, there is an appreciable chance that your password has been cracked. LinkedIn says it hasn’t confirmed that all the passwords in the file are genuine, but the fact that they are there shows that hackers most likely had access to the company’s systems.
If you want to know if your password was revealed, it is easy enough. The leaked file contained passwords encrypted with SHA-1, which converts your password’s characters into a 40-character hash. Download an SHA-1 converter to see what your password looks like in the LinkedIn file, find an online copy of the leaked file and you can search to see if it contains your password.
But why should we take a break-in on LinkedIn so seriously? I’m sorry to disappoint LinkedIn staff and fans, it’s not because of what is on the site. LinkedIn is the most boring social network, this side of the Ford Galaxy Owners’ Club. Even people who like that sort of thing are there out of a sense of duty, and those who make it a way of life are just scary.
For most of us, there is a CV, a set of professional connections, and maybe some half-hearted emails about work. There is nothing there which we want to keep private. We all know our bosses are stalking us on LinkedIn, so we behave ourselves there. How much more boring is LinkedIn than Facebook? It had an IPO that just worked, and its privacy disputes pale beside those of the undisputed social gorilla.
Hackers in your account might be able to tell our boss what jobs you are applying for. They might post fake messages in your name, causing mischief until you set the record straight. The amount that could be done with your LinkedIn ID is so small, you needn’t worry too much.
The real danger – as most security experts are now saying – is in where else you have used that password. If your Facebook account has the same password, change that too. And any other account using it. Hackers are well aware that a password for one site may get them onto others.
LinkedIn’s response – good but could be better
For this reason, LinkedIn’s response is very good, but not quite good enough. The company has updated its security behind the scenes, so the password hashes are now salted – a set of random bits are added, so the hash cannot be decrypted so easily. LinkedIn will be more secure in future as a result.
LinkedIn has also deactivated the passwords in the published file. This is another good move – instead of waiting and hoping that users will respond, the network is forcing a response from those it knows are affected. “Members that have accounts associated with the compromised passwords will notice that their LinkedIn account password is no longer valid,” reads the company blog.
Where I take issue with LinkedIn’s response is the fact that there was no apparent global warning sent directly to its users.
My password isn’t in the ones released (as I say, you can check this), so I haven’t had an email from LinkedIn. There was also no message greeting me when I visited the site – and I think there should have been.
It is still possible that other passwords have been compromised, so it really would make sense for every LinkedIn user to change theirs. And since those passwords are likely to be in use on multiple sites, LinkedIn would be doing a public service if it reinforced the warning to stop doing that.
Right. I’ve changed my password for LinkedIn. While I’m about it, it’s probably time to change my password for the Ford Escort Owners’ Club.