LinkedIn Hacked, Passwords Please No Salt
Jun 7, 2012 - 2:38:33 PM
LinkedIn, the professional networking site popular among embedded systems professionals, has been hacked. Hashed passwords of 6.5 million LinkedIn members have been revealed on a Russian website.
Like many websites, LinkedIn stored its passwords as SHA-1 hashes. That alone makes it almost impossible to recover the passwords directly from the hashes. However, LinkedIn's engineers did not salt the hashes. Without a salt, attackers can compare the leaked list against a rainbow table of common words and their precomputed hashes; every match reveals the original password. If a user also has a breached account on another website that uses the same password, email addresses can be matched to passwords and the LinkedIn account is compromised as well.
It appears that many LinkedIn members use the unimaginably unimaginative password "linkedin", as the SHA-1 hash of that word appears more than once in the leaked password list.
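The two effects described above, identical passwords collapsing to identical unsalted hashes and a precomputed table matching them, can be shown in a few lines. This is an added illustration, not code from the article or from LinkedIn; the wordlist, the "table" and the two users are constructed for the demo, and `sha1_salted` is a hypothetical storage routine showing what a per-user salt changes.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample: the password the article says appears repeatedly in the leak.
COMMON_PASSWORD = "linkedin"

# A tiny stand-in for a rainbow table: hash -> password, built once over a wordlist
# of common choices. Real tables are enormous, but the lookup is the same.
WORDLIST = ["password", "linkedin", "123456"]


def sha1_unsalted(password: str) -> str:
    """How the leaked list was built: one SHA-1 over the password alone."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def sha1_salted(password: str, salt: bytes) -> str:
    """Same hash function, but a random per-user salt is mixed in first (hypothetical store format)."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def new_salt() -> bytes:
    """16 random bytes from the OS CSPRNG; one per account, stored next to the hash."""
    return secrets.token_bytes(16)


PRECOMPUTED = {sha1_unsalted(word): word for word in WORDLIST}


def lookup(hash_hex: str) -> Optional[str]:
    """Table lookup: succeeds only if the exact hash was precomputed."""
    return PRECOMPUTED.get(hash_hex)


def verify_salted(password: str, salt: bytes, stored_hash: str) -> bool:
    """Login-time check against a salted hash, using a constant-time comparison."""
    return hmac.compare_digest(sha1_salted(password, salt), stored_hash)


def demo() -> dict:
    """Two users with the same password, hashed unsalted and then salted."""
    unsalted_a = sha1_unsalted(COMMON_PASSWORD)
    unsalted_b = sha1_unsalted(COMMON_PASSWORD)
    salt_a, salt_b = new_salt(), new_salt()
    salted_a = sha1_salted(COMMON_PASSWORD, salt_a)
    salted_b = sha1_salted(COMMON_PASSWORD, salt_b)
    return {
        # Unsalted: both users get the same hash, and the table finds it at once.
        "unsalted_identical": unsalted_a == unsalted_b,
        "unsalted_found_in_table": lookup(unsalted_a) is not None,
        # Salted: the hashes differ and the precomputed table is useless;
        # the legitimate login check still works because the salt is stored.
        "salted_identical": salted_a == salted_b,
        "salted_found_in_table": lookup(salted_a) is not None,
        "salted_login_ok": verify_salted(COMMON_PASSWORD, salt_a, salted_a),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The salt does not need to be secret, only unique per account: its job is to force a separate table, or a separate guessing run, for every user. Current practice adds a deliberately slow construction such as PBKDF2, bcrypt or scrypt on top of the salt so that even per-user guessing is expensive.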
Gone Phishing
There has also been a flood of phishing emails. Many LinkedIn members with weak spam protection are receiving dozens of email invitations to connect with new (fake) contacts. There have also been some fake "change your password now" emails (the real LinkedIn password change email contains no links).
Expect these phishing attempts to get more creative in the next few days. Some won't be as easy to spot as this hilarious example here:
Changing your LinkedIn Password
I manage the LinkedIn Semiconductor Sales & Marketing group and I've already advised my 18,000 brilliant and good-looking members to change their passwords. You should, too.
To change your LinkedIn password follow these steps:
- Log into your LinkedIn account by typing www.linkedin.com directly into your browser's address bar.
- In the upper-right corner, click on your name and select "Settings" from the drop-down list.
- In Settings, next to the word Password, click "Change".
- Follow, follow, follow the instructions.
The best passwords combine words, numbers, and at least one special character such as !, #, $ or %. So use the %$#*& special characters.
And when you are on LinkedIn, always, always, ALWAYS make sure that your browser's address bar shows linkedin.com. Check it carefully: in 1inkedin.com, for example, the "l" has been replaced by the number one. Remember, hackers are creative spellers.
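The address-bar check above, written as code, is an exact comparison of the host name plus a second pass that undoes common digit-for-letter swaps to flag lookalikes such as 1inkedin.com. This is an added example, not from the article; the `CONFUSABLES` map is a small constructed set, and `is_linkedin` / `looks_like_linkedin` are hypothetical helper names.

```python
from urllib.parse import urlsplit

LEGIT_HOST = "linkedin.com"

# Constructed map of characters that pass for letters at a glance; the digit one
# standing in for a lowercase L is the case the article shows.
CONFUSABLES = {"1": "l", "|": "l", "0": "o", "5": "s", "3": "e"}


def hostname_of(url: str) -> str:
    """Extract the host part of a URL; tolerate bare 'linkedin.com/...' input."""
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").lower()


def _is_under(host: str, domain: str) -> bool:
    # Exact match or a real subdomain of it; "linkedin.com.evil.example" is neither.
    return host == domain or host.endswith("." + domain)


def is_linkedin(url: str) -> bool:
    """True only when the host really is linkedin.com or one of its subdomains."""
    return _is_under(hostname_of(url), LEGIT_HOST)


def looks_like_linkedin(url: str) -> bool:
    """True when the host is NOT linkedin.com but becomes it after undoing lookalike swaps."""
    host = hostname_of(url)
    if _is_under(host, LEGIT_HOST):
        return False
    normalized = "".join(CONFUSABLES.get(ch, ch) for ch in host)
    return _is_under(normalized, LEGIT_HOST)


def classify(url: str) -> str:
    """One-word verdict a mail filter or browser extension might surface."""
    if is_linkedin(url):
        return "genuine"
    if looks_like_linkedin(url):
        return "lookalike"
    return "other"


if __name__ == "__main__":
    # Constructed sample URLs, including the article's 1inkedin.com.
    for sample in ["https://www.linkedin.com/settings", "http://1inkedin.com/login",
                   "https://linkedin.com.evil.example/", "https://example.org"]:
        print(f"{sample}: {classify(sample)}")
```

The two-pass design matters: the exact comparison decides whether a page is genuine, and the confusable pass only adds a warning, so a host that merely resembles linkedin.com is never accepted as the real thing.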
© Microcontroller.com. All Rights Reserved.