Password breaches are becoming more and more common on web sites, as hacker groups seem to obtain hashed (and sometimes cleartext) passwords from various web providers almost weekly. This past week alone saw three high-profile password leaks: LinkedIn, eHarmony and Last.FM.
LinkedIn, a professional networking site, may have leaked as many as 6.4 million passwords. The password hashes are one-way transformations of the passwords, meaning the original password cannot be computed directly from its hash. Instead, hackers use pre-computed tables called rainbow tables, which map the hashes of a dictionary of candidate passwords to their cleartext, and compare the leaked hashes against them to arrive at the cleartext passwords. By the time the dump was posted on the Internet, several of the password hashes had already been altered, indicating that the hackers who originally obtained the dump had already cracked those passwords.
eHarmony was the next victim, with as many as 1.5 million passwords stolen. The evidence points to the leak being performed by the same hackers as in the LinkedIn breach.
Finally, news of the Last.FM breach came to light this weekend, although the breach itself may date back to 2010 or 2011. Last.FM stated that “a small fraction” of their 40 million users were affected, but security experts believe 17.3 million hashed passwords were stolen and that as many as 16.4 million have already been cracked.
25.2 million passwords leaked by three sites, all coming to light this week!
What can you, as a consumer of these web properties, do? Below are the Geeks Consumer Best Practices:
1. Use a comprehensive security solution. A comprehensive security solution, such as Norton Internet Security, will cover all your security needs on your machines. These solutions provide scanning and real-time protection against malware, protect your inbox from spam and even include utilities to manage your identity online.
2. Create complex passwords. Like antivirus software, complex passwords are simply a cost of using the modern Internet. This is critically important: of the 6.5 million LinkedIn passwords, over 1.3 million were easily recovered within a few hours using dictionary lists on a standard laptop. A complex password is like a security sign in your front yard; most thieves will pass by houses with signs in search of easier targets. “password1” rather than “th1s!&p@55w()rD” is the easier target. Better yet, use your password manager’s “create password” function, if it has one, to generate a complex password for you.
3. Use unique passwords. You should have a different password for every web site. While breaking into online banks can prove difficult due to fraud detection software and other mitigating features, grabbing 17.3 million hashed passwords from Last.FM, where security is not as important, is an easier target (see the analogy above about the security sign and hackers/thieves going for the easier target). Again, it is critically important for consumers to shift their mindset from having 1-3 passwords (depending on password requirements) to having 133 different passwords if they have logins on 133 different web sites. This sounds impossible to manage, but technology has provided several password management tools (including my current favorite, 1Password, which lets me sync my passwords across Windows, Mac and iOS devices). Norton Internet Security, mentioned in the first best practice, includes an Identity Management utility that provides password management too.
4. Do not use biographical details. Mitt Romney learned earlier this week that someone had reset his Hotmail (seriously? Hotmail?) and Dropbox accounts using challenge-response questions such as “what was the name of your favorite pet?”. Thanks to the proliferation of personal data leakage through sites like Facebook, age details, favorite pets, graduation class and maiden name are simple to discover. If you are required to use challenge-response questions, either pick phrases and answers that no one could find out or make up your answers (and record them in the password management tool you purchased after reading the previous best practice).
5. Continually check your credit card and bank statements for fraudulent transactions. This should be standard practice every month anyway, but with people switching to paperless billing and statements, they do not check their statements as frequently as people who receive them in physical mail. If you have opted for paperless options, make sure you continue monitoring your credit card and bank statements.
6. When you suspect your personal or financial information might have been accessed, immediately change the usernames and passwords for your accounts and replace your bank accounts or credit cards.
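As an added illustration (not code from the original post) of the hash lookup attack described above and of why best practices 2 and 3 matter, this Python snippet builds a tiny precomputed hash-to-cleartext table over a constructed word list, shows that an unsalted hash of a common password is recovered by a single lookup while a complex one is not, and shows the defender-side storage scheme (a random per-user salt plus the slow PBKDF2 derivation) that makes such precomputed tables useless. The word list, the choice of SHA-1 for the unsalted hash and every value below are constructed assumptions, not data from any of the breaches.

```python
import hashlib
import hmac
import os

# Constructed word list standing in for a cracking dictionary (assumption, not
# data from any of the breaches discussed).
COMMON_WORDS = ["123456", "password", "password1", "linkedin", "qwerty"]


def unsalted_hash(password: str) -> str:
    """How a site storing bare, unsalted hashes would record a password.
    SHA-1 is an assumed choice here, picked only because it is fast."""
    return hashlib.sha1(password.encode()).hexdigest()


def build_lookup_table(words) -> dict:
    """Precomputed hash -> cleartext map: the idea behind a rainbow table.
    Computed once, reusable against every unsalted dump using this hash."""
    return {unsalted_hash(w): w for w in words}


def recover_unsalted(leaked_hashes, table) -> dict:
    """Every leaked hash already present in the table is recovered by a
    single dictionary lookup, with no further hashing work at all."""
    return {h: table[h] for h in leaked_hashes if h in table}


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Defender side: random per-user salt plus a slow key derivation
    (PBKDF2-HMAC-SHA256). The salt makes a precomputed table worthless and
    the iteration count makes every guess expensive."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def new_salt() -> bytes:
    return os.urandom(16)


def verify_salted(password: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison of a login attempt against the stored value."""
    return hmac.compare_digest(salted_hash(password, salt), stored)


if __name__ == "__main__":
    table = build_lookup_table(COMMON_WORDS)
    leaked = [unsalted_hash("password1"), unsalted_hash("th1s!&p@55w()rD")]
    found = recover_unsalted(leaked, table)
    print("unsalted: recovered", list(found.values()), "of", len(leaked))
    # The same weak password stored with a salt is in no precomputed table.
    salt = new_salt()
    stored = salted_hash("password1", salt)
    print("salted digest found in table:", stored.hex() in table)
    print("login check:", verify_salted("password1", salt, stored))
```

Run as a script, it recovers only "password1" from the two constructed hashes and reports that the salted digest matches nothing in the table.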
The Geeks hope this guide helps you. Please post follow-up questions in our comment section or on our Facebook page.