LinkedIn password disclosure
There is a ton of speculation going around the Twitterverse that LinkedIn's SHA-1 hashed passwords have somehow been leaked. While LinkedIn has not yet come out to confirm, many people seem to have found their own password hash in the list, making it likely that something did indeed happen.
As I write this, we have no information as to how the hashes got out. There could have been a system breach, maybe some disgruntled employee carried it out on a storage device; for all we know, it could even be as silly as a lost backup tape.
Whatever it may turn out to be, the only things that are known at this time:
1) some 6.5 million unsalted SHA-1 hashes have been leaked
2) The hashes could be digests of phrases used as passwords
3) The hashes may originate from LinkedIn.
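The reason the "unsalted SHA-1" detail matters deserves a concrete illustration. The following Python snippet is an added example, not code from the original post: it shows how someone can check whether their own password appears in a list of unsalted SHA-1 digests (hashing locally, never handing the password to a website), why one precomputed table over a small wordlist matches every user who picked the same weak password, and why a per-user salt plus a deliberately slow KDF such as PBKDF2 would have blunted the leak. The "leaked list" here is a constructed three-entry stand-in computed on the spot, not the real dump.

```python
import hashlib
import os

# Constructed sample data (NOT from the real LinkedIn dump): a tiny "leaked
# list" of unsalted SHA-1 digests, computed here from a few weak passwords.
WEAK_PASSWORDS = ("password", "linkedin", "123456")
CONSTRUCTED_LEAK = {hashlib.sha1(p.encode("utf-8")).hexdigest() for p in WEAK_PASSWORDS}


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 of a password, hex-encoded (the scheme in the leaked list)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def found_in_leak(password: str, leaked_hashes) -> bool:
    """True if the unsalted SHA-1 of the password appears in the leaked list.
    This is the check people ran to "find their own hash": hash locally and
    compare; the password itself never has to leave your machine."""
    return sha1_hex(password) in leaked_hashes


def salted_hex(password: str, salt: bytes) -> str:
    """Salted SHA-1: with a random per-user salt the same password no longer
    maps to one predictable digest, so a published list cannot be searched
    by hashing the password once."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def make_salted_records(passwords):
    """Constructed user store: (salt, digest) per user, fresh 16-byte salt each."""
    records = []
    for p in passwords:
        salt = os.urandom(16)
        records.append((salt, salted_hex(p, salt)))
    return records


def precomputed_table_hits(leaked_hashes, wordlist) -> int:
    """How many leaked digests a single table precomputed over `wordlist`
    identifies. Unsalted: one table, computed once, covers every user."""
    table = {sha1_hex(w) for w in wordlist}
    return len(table & set(leaked_hashes))


def precomputed_table_hits_salted(salted_records, wordlist) -> int:
    """The same table against salted records. The table was built without the
    salts, so it matches nothing even though the passwords are identical.
    (Salt only defeats precomputation; someone holding the salts can still
    work per user, which is why the hash should also be slow, see below.)"""
    table = {sha1_hex(w) for w in wordlist}
    return sum(1 for _salt, digest in salted_records if digest in table)


def pbkdf2_hex(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """What a password store should use instead of a bare hash: a salted,
    deliberately slow key-derivation function (PBKDF2-HMAC-SHA1 here)."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations).hex()


if __name__ == "__main__":
    print(found_in_leak("password", CONSTRUCTED_LEAK))                      # True
    print(found_in_leak("correct horse battery staple", CONSTRUCTED_LEAK))  # False
    print(precomputed_table_hits(CONSTRUCTED_LEAK, WEAK_PASSWORDS))         # 3
    print(precomputed_table_hits_salted(make_salted_records(WEAK_PASSWORDS),
                                        WEAK_PASSWORDS))                    # 0
```

Running it against a real hash list would mean loading that file into the set passed to `found_in_leak`; the point of the two `precomputed_table_hits*` functions is that the table which recovers all three unsalted entries recovers none of the salted ones, and the PBKDF2 variant additionally makes each guess cost tens of thousands of hash operations instead of one.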
Now, the next question is: what next?
First of all: if you used your LinkedIn password anywhere else, go ahead and change those passwords. Personally, I changed the LinkedIn password to a disposable one until we have more clarity. There is no need to come up with an über-strong password for LinkedIn until we know what happened, and whether the password hashes are indeed real. After all, if I change the password now and find out later that there was indeed a breach, the attacker could just have stolen my shiny new password too. No need for that to happen. Once we know what's going on, I'll change it again.
If you are even the slightest bit tech-savvy (or sufficiently paranoid), now might also be a good time to start thinking about using unique and strong passwords for each web site. While doing so is a royal pain in the behind, a good password manager application can help ease the pain a little. On full-fledged desktop/laptop computers, a good password manager can actually ease most of the pain. On mobile devices and on tablets, they help, but aren't as effective.
Remember, as with all crypto: the strength of the crypto-system is only as good as the strength of the key that protects it (Kerckhoffs's Principle). If you do use a password manager, you probably want to choose a good passphrase to protect your key store.