The Great LinkedIn Leak
by: Pierluigi Stella, CTO of Network Box USA, Inc.
Initially, LinkedIn was in denial. Finally, they did the right thing; they admitted that something might have gone wrong, and requested millions of their users to change their passwords. I know firsthand because I received an email from them notifying me of ‘the possible issue’. Naturally, I clicked on the link in said email, went online to LinkedIn and changed my password. Well, rather, it was forced upon me; I was denied access into my account with my old password.
In spite of all this, I like the procedure LinkedIn adopted, as it quickly forced all the affected users to take action and, even if they didn’t take action, protected them anyway.
The problem here is how many of us are using the same password everywhere?
I use a criteria of importance (or site prioritization, if you like) to overcome this issue; for unimportant sites – I use a not so strong password; if it’s compromised and someone gets into those accounts, no much damage can come of it. For the important places, I use strong passwords, and I try not to reuse the same everywhere. This puts a burden on me to remember it, but at the same time, makes my important data more secure.
My recommendation to CUs – educate your customers that online banking is likely the most important place where they need a strong password. Highlight the folly of weak passwords and how easy it is to steal one, educate them on password crackers, and encourage them to maintain a very strong one for their e-banking activities.
All that said, there is one point I disagree with – the idea of having to change passwords every 3 months because this adds yet another strain on my memory. I’m getting old and forgetful; and having to change a password every quarter is really not a good thing for me and, more importantly, doesn’t in any way increase my security. Protecting the password is a whole lot more important; having a very strong password is crucial to achieving this. Changing it on a regular basis becomes secondary and, quite possibly, counterproductive.
But I digress.
Back to the “Great LinkedIn Link” ~ it would appear that the most commonly used passwords were “job” or “link”. All I will say is, if that was _your_ password and your account was compromised, I’ve no further comment beyond an emphatic “you deserved it!”.
While I did say that for those sites I don’t consider as important, I don’t use strong passwords; there’s a “low” limit to this – a password still needs to be a password.
Therefore, if I use the classic (and very predictable) 12345, I may as well not have a password at all. It is, in essence, akin to an open door, warmly inviting anyone to come right in.
In a nutshell, a site may NOT contain my banking data and I may NOT want to use my strongest password for it; but please, let’s accord the password a decent level of dignity?
Pierluigi Stella worked for 15 years at IBM, accumulating international experience primarily in the oil and manufacturing sectors. With a sterling track record of successfully accomplished projects, an extensive technical know-how, and nine years as head of both the technical as well as customer service divisions of Network Box USA, Pierluigi has been helping financial institutions and health care providers develop their security policies, and has accumulated extensive experience and knowledge of security issues. He is one of the founders of Network Box USA. www.networkboxusa.com
Houston-based Network Box USA (www.networkboxusa.com), the American division of Network Box Corporation Limited, is a leading Managed Security Services Provider (MSSP) in the domestic market. The company was formed in response to the increasing danger posed by security breaches, virus attacks and similar threats arising from widespread use of the Internet.
