LinkedIn's security issue reveals obvious: Passwords, users always a weak link

LinkedIn's security issue reveals obvious: Passwords, users always a weak link

Summary: Here's the problem: Passwords may be the most imperfect security measure around, but it's tough to nudge out a practice that has been around for decades.

SHARE:
TOPICS: Security
33

The years change, but the stories remain the same. Passwords are a crappy defense and most of us use poor ones in exchange for ease of use.

Some LinkedIn users had their passwords stolen. Phishing attacks ensued to prey on LinkedIn users. Now eHarmony has had issues. Passwords are regularly swiped from Web mail accounts.

The problem: Passwords may be the most imperfect security measure around. Most users don't want to sacrifice usability for a good password.

Related: LinkedIn password breach: How to tell if you're affected6.46 million LinkedIn passwords leaked online

Sure, there are encryption techniques, two-factor authentication and other enhanced security measures. The reality is that most of us stick with a password we may or may not remember.

LinkedIn stated the obvious on a blog about its password issues:

Our security team continues to investigate this morning’s reports of stolen passwords. At this time, we’re still unable to confirm that any security breach has occurred. You can stay informed of our progress by following us on Twitter @LinkedIn and @LinkedInNews.

While our investigation continues, we thought it would be a good idea to remind our members that one of the best ways to protect your privacy and security online is to craft a strong password, to change it frequently (at least once a quarter or every few months) and to not use the same password on multiple sites. Use this as an opportunity to review all of your account settings on LinkedIn and on other sites too. Remember, no matter what website you’re on, it’s important for you to make sure that you protect your account security and privacy.

LinkedIn sounds like it has a handle on the issue. What LinkedIn can't control is whether a user goes from a password like "password" to something like "123456."

The password basics are well known:

  • Make your passwords eight or more characters;
  • Vary punctuation, symbols, letters and numbers;
  • Change passwords every three months;
  • Use different passwords for accounts.

That advice is obvious. But following those security practices also ensure that you won't remember your passwords.

In other words, passwords are imperfect. Users are even more imperfect. But we're stuck with them because no other security measure has gained critical mass on the consumer front.

Topic: Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

33 comments
Log in or register to join the discussion
  • OK, but...what was the weakest link here?

    How were more than 6 million passwords harvested? Was it a problem with Apache Traffic Server? A vulnerability in Spring? Hadoop?

    Yes, people should have secure passwords. That is a training issue. But where did linkedin go wrong?
    Your Non Advocate
    • Need more info from Linkedin...

      I'm assuming they would have had to steal a password file for this to happen. Did LinkedIn follow best practices? (encrypt/hash/salt the file)? Are accounts actually at risk?
      gtvr
      • Encrypted? Yes. Salted? Apparently not.

        My understanding is that the passwords were encrypted but without a salt. Not sure if that is indeed the case, but it was something I read in passing yesterday regarding this leak.
        joetron2030
      • SHA1 and no SALT

        and they only got the HASH. However; these authors are attributing this attack/hack as a user issue when it is not. This is a basic security issue with LinkedIn.
        mike@...
      • Here is a better story

        Then what you read here...
        http://shiflett.org/blog/2012/jun/leakedin
        mike@...
      • They hashed, but didn't salt.

        They hashed, but didn't salt. Which means that it's vulnerable to a rainbow table attack. I don't know how complete the rainbow tables are for SHA-1, but chances are if you have a weak password it's compromised.

        Some people are reporting that when they checked their moderately sized random passwords, they were listed as compromised, so I'd change it immediately anyways.

        I changed my password immediately.
        CobraA1
    • @facebook@

      It is called Linux or Unix security and its flaws. A ring architecture is hardly (along with PAM) enough to desist password snooping and other forms of AAA server intrusion. All web companies including Google with gmail face this problem. The problem is with Apache and importantly with Linux.

      Apple has smartly not got into web computing or public cloud computing at a mass scale yet. iCloud may change it. In such a case, Apple like Google, Sony Playstation network, LinkedIn etc will one day report that their users saw their private data being misused.

      I actually think Windows with its instrumentation and other methods (better from a Windows developer) is more secure with regards to NAP. Linux just sucks in this area though Linux Advocate may not agree.
      calahan
    • As Facebook posted above, who or what was the weak link,

      and who the heck is responsible for this? We def need more info, I'd personally like to know who, such as Luls, Annoym, etc...

      It's one thing when these groups contact the company and say, "hey we found a backdoor, or a large hole you can drive a truck thru", but when they turn around and post all this info on the web, it turns it all into a free for all....
      Sheesh!!!
      T-Wrench
  • On Changing Passwords Often:

    If a strong password is used and kept away from prying eyes, there is no value in changing often. The change often rule has often been enforced at different companies and clients where I have worked, but is often counterproductive as many people will write down a password on a sticky note. The other rules you list are good ones. I personally use upper and lower case, symbols, letters, and numbers in every password. For financial web sites (banks, credit cards, etc.) I use a minimum of 12 characters. Since I can't remember all, they are stored in an encrypted file which itself has a good password, and which is wiped automatically after it is opened and read.
    oldnuke69
    • I agree wholeheartedly...

      As a frequent website utility user, when I encounter websites that require frequent password changes, I invariably stop using the account. I do the same when the website requires that I never use the same variation again, 6 months, 12 months down the road. I simply can't remember that many passwords, and never write them down. Quite simply, many people also can't be arsed to encrypt a special file on their computer and set up all those other protocols such as auto-file wipe on opening. Though really that is a smart move. My best advice is to utilize alpha-numeric-special/punctuation in a way that you'll remember it across a minimum of 3 words with unconventional spelling. Utilize at least 2 examples of capitals, punctuation/special and numerics, just in case and make the password a minimum of 12 characters. Mine are upwards of 15 in most cases. This still sometimes causes me a hit and miss of 'what did I use here? was it this one or this one? But eventually I get in, and know I'm more secure for it.
      Tora1337
    • I wouldn't dismiss change often...

      Changing passwords is not meant to foil people trying to guess your password, it is meant to mitigate the risk of the password being cracked. Say a backup copy of a production database is obtained by an attacker... even if that db is one year old, if the attacker is able to decrypt (or worse, directly read) the contents of the password fields, then the attacker now has a known set of valid credentials. If you didn't change your password for over a year, the attacker now has access using your credentials.
      davesonfire
      • May be true, but...

        Sure, but in my mind the harm change requirements cause to the security of passwords is far greater than the risk you take by not changing them. It seems to me that it would be far better to have a strong password that never changes than, say, "password1", "password2", "password3"...

        Not to mention that the risk of someone getting the "old" password can be mitigated by properly securing your database.
        scorchgeek
      • The strongest encryptions should be resistant against that.

        "Say a backup copy of a production database is obtained by an attacker... even if that db is one year old, if the attacker is able to decrypt (or worse, directly read) the contents of the password fields, then the attacker now has a known set of valid credentials."

        With modern encryption algorithms, that shouldn't be the case. Even assuming Moore's law holds indefinitely, the best forms of encryption should last far longer than anybody's lifetime.

        SHA-1 isn't exactly the best hashing algorithm, though. I don't think it's on par with our current best cryptography.

        Part of the issue here seems to be that not all websites are using the best technology available. Encryption and hashing has gotten far better since the early days, and the latest algorithms should be capable of protecting data for really long periods of time.
        CobraA1
  • PW

    The problem is that a person using a dozen or more PW protected sites needs something simple. If one must juggle more than a dozen site PWs, then a written record or key has to be made--also a bad idea.

    Now that we have touch screens, how about using fingerprints and voice profiles (combined) for PWs?

    Signed,

    The (ahem) FIRECATCHER hint hint

    (j/k...I simply rotate ddyyyy combinations)
    TaxNerd
  • enforcing good passwords

    > What LinkedIn can???t control is whether a user goes from a password like ???password??? to something like ???123456.???

    why not? this could easily be implemented via basic input validation
    7momo
  • LinkedIn is blaming users?

    seriously LinkedIn is blaming users for shoddy passwords? that not how the hackers got in and stole 6.5 million passwords 1) the passwords should have been hashed in their database 2 for the hackers to get at 6.5 million passwords they didnt hack a user they hacked LInkedIn and their security was at fault not the users.

    Now dont get me wrong I preach and teach the benefits of creating long passwords with numbers Upper and lower case character as well as special symbols most people dont choose to make a strong pass because they cant remember more than 7 digits and DONT KNOW THEY can copy paste passwords Most of my clients who I teach, once I mention they can copy paste its like a light going on also most dont know that letting your browser remember passwords is a bad idea and have no clue of the several encryption programs like 1pass

    Blame the users all ya want but LinkedIn YOUR lack of security is at issue quit avoiding the issue and quit telling lies
    KineticArtist
  • Ludicrous

    Strong passwords are of no use if the idiots running the website are so stupid and careless that they keep the passwords in clear text so they can be easily stolen

    That level of incompetence should be criminal
    archangel9999
    • They didn't keep it in Clear Text.

      They go the HASHes which were generated with SHA1 with no SALT
      mike@...
  • It should be automated

    Anyone here ever used SSH authentication using keys? I think browsers should use a similar system, with public and private keys. I keep the private key in my browser/on my phone and create a public key for each service I want to connect to, from each device I want to connect to it from.

    No passwords are required, hacking one site doesn't compromise every other site, and if one of my private keys is compromised I can remove the public key from the site in question. There could possibly be a central repository recording which keys connect to where, with a big red button to block all access from a private key.
    Li1t
  • LastPass

    Even a pre-SeniorCitizen like myself can remember ONE strong password to get into my LastPass archive. Voila! All of my passwords are strong, all are easily at hand, all are accessible on my home computer and via the web. There are so many good programs, free and for low cost, that can store (and generate) passwords. I never need to scribble my PW on a post-it. Let's make these systems as easy to locate and purchase so they are as ubiquitous as anti-virus programs. Marketers: do you hear me?
    batya7