LinkedIn made the headlines for all the wrong reasons last week. If you haven’t been paying attention, here’s a great summary of what we know. Certainly, it’s disturbing that a company with such substantial resources couldn’t follow basic security practices. Decent web developers routinely implement hashed, salted passwords on shoestring budgets. However, we all stand to learn something from this whole episode.
1. It Could Be Worse (Technically Speaking…)
Taking a step back, LinkedIn could have done worse from a technical standpoint. There are many companies who don’t even hash their users’ passwords. Every so often, I’m completely taken aback when a website emails me my own password in plaintext. This is a bad practice for two reasons: first, email is inherently insecure, and second, passwords should be stored such that they can never be recovered, just in case of a data leak. I find being emailed my own password such a troubling breach of trust that I keep track of offending websites. In 2008, VistaPrint emailed my password right after I created an account. And it happened again in 2009 after I bought concert tickets from Live Nation. I can only hope they’ve subsequently corrected their ways. Perhaps it’s more excusable from smaller operations, such as Evite and Rent.com, who revealed my passwords in 2007 and 2010, respectively. LinkedIn dropped the ball by not appending a unique salt value to each password, but I’ll give them partial credit for hashing and using the right algorithm (SHA-1 instead of MD5).
2. Users Need More Information
LinkedIn followed a common-sense approach in response to the breach. According to the company blog, they identified users whose passwords were compromised, disabled those passwords, and alerted those users so they could change passwords on other websites as necessary. But they did it quietly. Although a banner at the top of the page directs users to the company blog, LinkedIn’s official response was drowned out by news sites and social media. And when users concerns aren’t addressed officially, they look for answers elsewhere.
Two days after the story broke, I got an email from a family member who stumbled onto LinkedIn Answers looking to determine whether his password was among the compromised. He got this answer:
LinkedIn Answers: not how you want your users getting their information
He didn’t follow the advice, and I wouldn’t recommend these steps to anyone. For one, I wouldn’t want a list of stolen password hashes on my PC. Also, why would I trust a third-party website to hash my LinkedIn password? However, I’d bet some users would mistake this for an official LinkedIn response. Scary.
3. Protect Yourself
I was surprised to see this happen to such a large website, but I should not have been. No one seems to be immune to cyber attacks, as the nation’s largest defense contractor learned last year. Evidently, we need to assume the online services we use are simply not secure. There are ways to protect yourself, but not without some inconvenience. Here are some practices that I think are a nice medium between paranoia and vulnerability:
- Use a strong password — many of the leaked password hashes that have been cracked so far were likely weak passwords and easy for algorithms to guess
- Use a unique password for every account you’d like to keep safe — remembering dozens of passwords is hard, but you need to vary your password on sites you care about
- Be careful whom you trust — assume that wi-fi hotspots are insecure, most websites will be hacked, and apps from companies you’ve never heard of (especially on Facebook) exist solely to steal your data
Hope that helps.