LinkedIn passwords stolen

Doug Pardee
Posts: 146
Joined: February 18th, 2011, 6:56 pm

LinkedIn passwords stolen

Post by Doug Pardee » June 6th, 2012, 3:36 pm

If you have a LinkedIn account, you should seriously consider changing the password immediately. Millions of LinkedIn passwords, perhaps all of them, have been stolen.

News story: http://arstechnica.com/security/2012/06 ... -linkedin/

LinkedIn's Twitter feed: https://twitter.com/#!/LinkedInNews

The same happened to eHarmony, but that's not really relevant to this board.

Edit 12:45 PM PDT: LinkedIn now confirms password theft. They're disabling access to compromised accounts. See their blog posting:
http://blog.linkedin.com/2012/06/06/lin ... mpromised/

Mira
Posts: 1354
Joined: December 7th, 2009, 9:59 am

Re: LinkedIn passwords stolen

Post by Mira » June 9th, 2012, 4:12 pm

Thanks Doug!

I heard about this. I'm debating. Such a pain in the neck to go change all my passwords, although it's probably a good idea to do it every couple of months anyway. I'll have to get organized!

Frankly, I haven't used LinkedIn that much. Not really sure what you're supposed to do once you sign up and connect with some folks....

Does anyone really know how to use LinkedIn well? I'd be curious.

writersink
Posts: 167
Joined: October 31st, 2011, 12:30 pm

Re: LinkedIn passwords stolen

Post by writersink » June 10th, 2012, 5:44 am

Mira wrote:
Does anyone really know how to use LinkedIn well? I'd be curious.
I haven't even heard of it :)

lindsayB3462
Posts: 21
Joined: August 25th, 2012, 7:44 am

Re: LinkedIn passwords stolen

Post by lindsayB3462 » September 5th, 2012, 4:46 am

Ha? Didn't know about it. This post is from June. So, I am three months late. I am going to change the password now. Any suggestions regarding preventing the password stealing?

Doug Pardee
Posts: 146
Joined: February 18th, 2011, 6:56 pm

Securing passwords

Post by Doug Pardee » September 5th, 2012, 1:27 pm

lindsayB3462 wrote: Any suggestions regarding preventing the password stealing?
You can't do anything about passwords being stolen. That's up to the web site operators. And 100% security is impossible.

Provided that the web site has encrypted the passwords, you can make your password harder to decrypt. In recent years the hackers have developed some incredibly powerful tools such as rainbow tables and gigantic lists of actual passwords that have been used in the past, and any advice on password-picking that's more than a few years old is probably out-of-date. Here's an article that's kind-of techy, but makes the point that it's gotten darned hard to pick a password that isn't easily decrypted: http://arstechnica.com/security/2012/08 ... r-assault/ [Hint: length still matters. The longer the password, the harder to crack, unless it appears on a list of previously-known passwords.]

What you really must do is to stop using the same password for multiple sites. The big problem with the LinkedIn break-in wasn't that shady people could now log into your LinkedIn account, but that you probably used the same password on a bunch of different accounts, and now they have your email address(es) and the password. A simple script will try hundreds of popular sites — including most of the webmail sites — to see which ones it can log into. If they can get into your email account, they can start requesting "forgot my password" actions from other sites that you used a different password on. How bad can the result be? Wired magazine's Mat Honan recently found out: http://www.wired.com/gadgetlab/2012/08/ ... n-hacking/

For me, the LinkedIn hack was the wake-up call. Like most people, I'd been using about a half-dozen different passwords across about 150 different sites. I got a password management program — me, I went with OnePass — and started changing passwords everywhere. Every one of the web sites I access now has a different password, and OnePass takes care of supplying the correct password. It also generates random passwords for me whenever I sign up at a new site or change the password on an existing one.

Now, if hackers break into a site and get my password, at most they'll have my password to that one site. And if that site properly encrypted my password, the hackers probably won't be able to get even that much.
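
A small audit of the points made in the post above (the same password on several sites, passwords that appear on known lists, length, and random per-site replacements), as an added example that is not part of the original thread. The vault entries, the leaked-password list, and the 12-character threshold are constructed assumptions.

```python
import secrets
import string
from collections import Counter

# Constructed sample data: (site, password) pairs as a password manager might
# export them, plus a tiny stand-in for a list of previously known passwords.
VAULT = [
    ("linkedin.example", "Summer2012"),
    ("webmail.example", "Summer2012"),
    ("bank.example", "correct horse battery staple"),
    ("forum.example", "letmein"),
]
KNOWN_LEAKED = {"letmein", "password", "123456"}
MIN_LENGTH = 12  # assumed policy threshold, not taken from the thread
ALPHABET = string.ascii_letters + string.digits + "-_.!@#%"


def audit(vault, leaked=KNOWN_LEAKED, min_length=MIN_LENGTH):
    """Return {site: sorted list of findings} for every site with a problem."""
    uses = Counter(pw for _, pw in vault)
    findings = {}
    for site, pw in vault:
        issues = []
        if uses[pw] > 1:
            # One breach exposes every site sharing this password.
            issues.append("reused")
        if pw.lower() in leaked:
            # Length does not help once the password is on a known list.
            issues.append("known-leaked")
        if len(pw) < min_length:
            issues.append("short")
        if issues:
            findings[site] = sorted(issues)
    return findings


def generate_password(length=20):
    """Random per-site password drawn from the OS cryptographic RNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    for site, issues in audit(VAULT).items():
        print(f"{site}: {', '.join(issues)}; suggested: {generate_password()}")
```
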
