Just this week multiple media outlets reported over 129 million LinkedIn passwords being sold on the darkweb, stemming from a breach that occurred in 2012. Although LinkedIn has implemented automated security precautions, such as blocking login attempts from a suspicious locations, e-mailing PINS, etc. - this breach is still a huge deal. The passwords are very easily accessible in plaintext through various sources that don’t require the dark web (I won’t share them here, if you are curious do a quick google search). Just yesterday, Forbes.com reported that LinkedIn has began resetting users passwords that haven’t been changed since 2012 to help thwart potential account compromises. The problem is that – this is only the tip of the iceberg.
One thing I know and many security professionals know for a fact is that users HATE passwords. Therefore, users will re-use the same password for multiple services. Let’s say your name is Ray Reddington (I do love the blacklist), you were involved in the great LinkedIn data breach of 2012, and your account credentials are now plastered all over the dark web for the pickings. Roman and his hacking buddies have targeted you (or your organization), and the data looks something like this.
Because of LinkedIn’s diligent efforts to protect your security, they have conveniently reset your password, which you have changed by now. Good game, uber hackers!
Not so fast.
The hackers have located Blacklist Enterprises email portal, located at webmail.blacklist.com, which you use the same password for! Sure – you changed your LinkedIn password, but did you change your company email password? Your remote access or VPN password? If I breached your email account, how many changed passwords could I reset? Well, you use that e-mail for you LinkedIn account, banking account, online payment and benefits portal..you get my point.
Now, your account and possibly your corporate network has been owned because of LinkedIn, a classic example of some pwnage-by-proxy! So, what can you as a user do to help prevent this?
- Use complex passwords (or passphrases)
- The more complex, generally the harder to break. If an attacker does compromise a site such as LinkedIn, and your account is protected with a strong password, it will not be cracked, therefore your account is not in immediate danger.
- Use different passwords for each service
- Re-using passwords is something that has plagued and will continue to plague the security industry. By using different passwords for each service, it ensures that if one service is breached (such as LinkedIn), an attacker will not be able to access services such as your webmail with the same username/password combination.
- Really..make that password different
- Using the example above, changing the password to IL0veLiz1 will not cut it, and a motivated attacker will step right through it. Maybe something like Liz1sN0TD3AD!LOL?.
A good resource to bench how secure your password may be can be found at www.howsecureismypassword.net. According to howsecureismypassword, IL0veLiz1 will be cracked in about 4 days, whereas Liz1sN0TD3AD!LOL? Will take about 4 Quadrillion Years (yes, that’s the actual metric).