Today I saw an article on Slate that referred to Russian hackers stealing 6 million passwords from LinkedIn, and I thought: oh, that’s weird. Alpay said he wasn’t worried about it because LinkedIn was forcing those whose passwords were compromised to get a new password, and when he went to LinkedIn, his was fine. So I went to LinkedIn. I didn’t get very far, because I needed to change my password.
Fortunately, another Slate article describes how to quickly and easily create super-strong passwords, as well as a system for making each unique. While I try not to use the same password for everything, I won’t deny I do double-dip sometimes. I don’t know how much damage a hacker could do with my login at Lancome or the New York Times. I also figure that if you have only unique passwords, it’s impossible to remember them all, and then the problem becomes where to hide the password list. It seems practically any place--either hard copy or soft--is unsafe. Digging out the list from a file every time you want to log on would be impractical. And I don’t like the idea of “remember me on this computer” because what if a computer is stolen? Then the thief would have access to all the sites you use before you had a chance to change them.
I actually don’t have an excuse not to have unique passwords for everything: for the last couple of years, I’ve subscribed to a virus protection package that includes a password logon service. I can have as many passwords as I want, as complex as I want, and I don’t have to memorize them. I log on to the service and whenever I go to a site that requires a password, the service logs me in. Alpay doesn’t like this. He thinks it’s risky--that all a hacker has to do is hack that one site, and then they have all your passwords. And that’s true. I am rather putting my eggs in one basket this way. But one of the things pointed out in the Slate article is that LinkedIn did not use standard, high-level encryption. I trust that an undisputed leader in computer security would be able to keep their own site secure, but concede the possibility that I might one day rue this trust.
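The point about a site not using “standard, high-level” protection for stored passwords is worth making concrete. The following is an added illustration, not code from the post, from Slate, or from LinkedIn, and it does not claim to reproduce what LinkedIn actually did: it assumes a hypothetical site with two users who happen to share a password (constructed sample data), and contrasts storing a bare, fast, unsalted hash with the standard practice of a per-user random salt plus a deliberately slow key-derivation function (PBKDF2 from Python’s standard library). With the first scheme, the stored list reveals which users share a password and every leaked digest can be attacked with one precomputed table; with the second, identical passwords produce different digests and each one must be worked on separately at a much higher cost.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample: two hypothetical accounts that happen to share a password.
# Neither the addresses nor the password come from the article.
USERS = {
    "alice@example.com": "correct horse",
    "bob@example.com": "correct horse",
}

# Work factor for the slow scheme; chosen here for illustration only.
PBKDF2_ROUNDS = 200_000


def store_fast_unsalted(password: str) -> str:
    """Weak scheme: one fast hash, no salt, no work factor.

    Cheap for the site, but equally cheap for anyone holding a leaked copy,
    and identical passwords map to identical digests.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def store_salted_slow(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Standard scheme: per-user random salt plus a slow, iterated derivation."""
    if salt is None:
        salt = os.urandom(16)  # fresh 128-bit salt for every stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_salted_slow(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def reuse_visible_in_fast_store() -> bool:
    """True if shared passwords can be spotted just by comparing stored digests."""
    digests = [store_fast_unsalted(p) for p in USERS.values()]
    return len(set(digests)) < len(digests)


def reuse_visible_in_salted_store() -> bool:
    """Same check against the salted store: identical passwords no longer collide."""
    digests = [store_salted_slow(p)[1] for p in USERS.values()]
    return len(set(digests)) < len(digests)


if __name__ == "__main__":
    print("fast/unsalted store exposes shared passwords:", reuse_visible_in_fast_store())
    print("salted/slow store exposes shared passwords:  ", reuse_visible_in_salted_store())
    salt, digest = store_salted_slow(USERS["alice@example.com"])
    print("salted verification of the right password:  ", verify_salted_slow("correct horse", salt, digest))
    print("salted verification of a wrong password:    ", verify_salted_slow("wrong", salt, digest))
```

Run it directly to see the two stores side by side. The salt is not a secret; it is stored next to the digest, and its only job is to make every user’s digest unique so that a leak cannot be attacked in bulk. The iteration count is what makes each individual guess expensive, which is the other half of what “standard” password storage buys a site and its users.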
But I’m more concerned about plain human error. Like: I realized my LinkedIn password was the same as my logon service. And so today, I changed all my logons, one by one.
A postscript: Slate reporter Will Oremus addresses why only some LinkedIn passwords appear to be compromised. We know that the compromised passwords were published as a list online. Security experts hypothesize that those were the passwords the hackers couldn’t match with an email address, which is what they would need to confirm an account. So if your password wasn’t on the list, it may not be because they don’t have it, but that they have successfully matched your password to your account. Maybe this weekend would be a good time for a password change project for everyone.