Lessons learned from the LinkedIn password leak

Posted: June 7, 2012 in Uncategorized

As I’m sure many of you have heard, the popular, business-oriented social networking site, LinkedIn.com, had a security breach recently that resulted in exposing about 6 million of its users’ passwords. You might be thinking, what’s the big deal?

  1. I don’t store anything all that sensitive on my LinkedIn account and
  2. even if I did, why would anyone want to target me?

The first issue that many fail to appreciate is that most people use the same password for more than one site. In fact, many use the same password for every site. This is a problem since it means that if I know your LinkedIn password, I probably also have a pretty good idea what your email password is. And if I can get into your Gmail account, for instance, then I can also go to your banking site and request a new password be emailed to your account, which I now control.

Furthermore, I can change all these passwords to one of my choosing, and then you can’t get in to fix the problem either. Then it’s game over and you are forced to deal with a sea of faceless support centers for each site, trying to regain control of your digital persona. Since many of these services are free, the support you get is worth about as much as you paid for it, if you know what I mean.

As to why you would be targeted for such an attack? Because you exist. Hackers don’t only go after famous people just as identity thieves don’t restrict themselves to only millionaires.

So, what can you do?

  • First of all, you should probably change your LinkedIn password today. Even if you weren’t one of the 6 million compromised accounts, why wait for the next breach?
  • Second, change other passwords to key accounts like your email, bank, credit card and merchant sites that might have payment details stored for you.
  • Third, choose good passwords that can’t be easily guessed or cracked through dictionary or brute force attacks, which leads to …
  • Fourth, use a password storage vault or single sign-on software to keep track of all your passwords. These tools allow you to generate strong, hard to guess passwords that are unique for every site and only require you to remember one strong master password to unlock the vault.
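The core idea behind the fourth point, one master password unlocking a distinct strong password per site, can be shown in a few lines. This is an added illustration, not code from the post or from any of the products named below: it stretches the master password with PBKDF2, derives a per-site password from the resulting key (one possible vault design; storing randomly generated passwords, as shown in `random_site_password`, is the other), and flags the cross-site reuse the post warns about. The salt and account list are constructed sample values.

```python
import hashlib
import hmac
import secrets
import string

# Character set for generated passwords: letters, digits and a few symbols (74 symbols).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"


def derive_master_key(master_password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Stretch the single master password into a 32-byte key with PBKDF2-HMAC-SHA256.
    The iteration count makes brute-force guessing of the master password slow."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations)


def site_password(master_key: bytes, site: str, length: int = 20) -> str:
    """Derive a unique password for one site from the master key.
    HMAC(master_key, site || counter) is expanded into bytes, and characters are
    picked from ALPHABET by rejection sampling so every symbol is equally likely."""
    limit = 256 - (256 % len(ALPHABET))  # largest multiple of len(ALPHABET) below 256
    chars = []
    counter = 0
    while len(chars) < length:
        block = hmac.new(master_key, f"{site}:{counter}".encode(), hashlib.sha256).digest()
        counter += 1
        for b in block:
            if b < limit:
                chars.append(ALPHABET[b % len(ALPHABET)])
                if len(chars) == length:
                    break
    return "".join(chars)


def random_site_password(length: int = 20) -> str:
    """Fully random per-site password, as a vault that stores passwords would generate it."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def find_reused(accounts: dict) -> dict:
    """Return {password: [sites]} for every password used on more than one site."""
    by_password = {}
    for site, pw in accounts.items():
        by_password.setdefault(pw, []).append(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


if __name__ == "__main__":
    key = derive_master_key("correct horse battery", b"constructed-salt")
    print(site_password(key, "linkedin.com"), site_password(key, "mail.example"))
    print(find_reused({"linkedin.com": "Summer2012", "mail.example": "Summer2012"}))
```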

If you are trying to do this for an entire organization, consider a centrally managed, enterprise-class tool like IBM Security Access Manager for Enterprise Single Sign-On, which automatically enters user IDs and passwords when logon fields appear, lets you set policies for all your users, and supports resetting lost passwords as well as shared workstations with fast user switching.

If you want a simple, free tool to keep track of passwords on a single system, and don’t mind copying and pasting stored passwords manually from the vault, Password Safe, an open source project hosted on SourceForge, is one of many options.

There are also options in between, at a range of prices and supporting a variety of platforms. Whatever you choose, just make sure it comes from a legitimate source. The worst-case scenario would be to store all your passwords in one tool that sends all your info to an attacker.

OK, so now you just think I’m being paranoid, right?
