In light of the data breach at LinkedIn last week, in which 6.5 million unsalted SHA-1 hashes of account passwords were leaked publicly, we thought this would be a good opportunity to remind users about best practices for managing passwords online in order to stay safe. In particular, we want to emphasize that users should never re-use passwords across multiple accounts, and that using a password safe provides an easy way to manage lots of strong passwords across multiple online accounts. We understand there are trade-offs between secure password management and convenience; we think a good balance is achieved by using a password safe for at least the vast majority of online accounts, with the option to memorize a few strong and distinct passwords for the cloud services one needs to access most frequently and from new devices.

What's the consequence of the LinkedIn leak?

The leak doesn't directly tell attackers LinkedIn users' passwords, but it enables a trivial and fast way for attackers to confirm their guesses about passwords, and to check exactly which LinkedIn accounts use a particular password. For example, an attacker can instantly get a list of any and all LinkedIn users whose password was "password123", "secret", or any other term. More significantly, this process can be automated to quickly check quadrillions of possible passwords: every word in every language, forwards and backwards, with various digits at the end; every two- or three-word English phrase; every Bible verse or line from Shakespeare, or every citation to any of these; and much more. It's also straightforward for attackers to try every short sequence of letters, whether it's meaningful or not. This is significant because attackers actually do these things whenever a password database like LinkedIn's gets leaked. In fact, because of LinkedIn's failure to use a salt (which would make the password-checking algorithm more specific to the site or to each individual user), attackers can simply compare the database against pre-computed versions of all of the above, and more, quickly getting an exhaustive list of exactly who has used every guessable password, in an extremely broad sense of "guessable".

At first blush, you might think that changing your LinkedIn password is sufficient to stay safe. However, if you re-use the same password for other online services, you are at risk for all of those services if a data breach occurs in any of them and reveals your password. That's because attackers love to re-try cracked passwords with known or guessed usernames on other sites. In this sense, your security across all web services for which you use a given password is only as strong as the weakest link. As a concrete example, if you use the same password for LinkedIn, Gmail, and Bank of America, then it is critical that you change your passwords for the latter two websites, else there is a good chance your Gmail and Bank of America accounts could be compromised. This is widely believed to be one of the most common ways by which accounts on very security-conscious web sites get cracked and broken into: users have used the same password on some other site, which gets penetrated in a way that reveals their password.

Does altering my username make me safe even if I use the same password?

Any data breach that occurs could include enough personally identifiable information that an attacker could figure out your username for different web services.

How do I manage different passwords for each account?

We know it's hard to remember a different password for every account, since many web users have dozens or even hundreds of different accounts.
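To make the salt point above concrete, here is an added example (not code from the original post): it stores a constructed four-account table both the way the leaked data was stored (unsalted SHA-1) and with a per-user random salt plus a slow key derivation function (PBKDF2-HMAC-SHA256 is used here purely for illustration), then shows that the unsalted table is resolved with one hash per dictionary word no matter how many accounts there are, while the salted scheme forces one slow derivation per word per account and can only be checked through the site's own login routine. The account names, passwords and the four-word dictionary are all made up.

```python
import hashlib
import secrets

# Constructed sample accounts (not real data); two users share a weak password.
USERS = {"alice": "password123", "bob": "secret",
         "carol": "password123", "dave": "Tr0ub4dor&3"}
# Tiny constructed stand-in for the pre-computed dictionary the post describes.
DICTIONARY = ["password123", "secret", "letmein", "123456"]
ITERATIONS = 100_000  # PBKDF2 work factor; illustrative, not a tuned recommendation

def store_unsalted_sha1(users):
    """The leaked LinkedIn format: one unsalted SHA-1 hex digest per account."""
    return {u: hashlib.sha1(p.encode()).hexdigest() for u, p in users.items()}

def store_salted_pbkdf2(users):
    """Per-user random salt plus a deliberately slow key derivation function."""
    table = {}
    for u, p in users.items():
        salt = secrets.token_bytes(16)
        table[u] = (salt, hashlib.pbkdf2_hmac("sha256", p.encode(), salt, ITERATIONS))
    return table

def verify_salted(table, user, candidate):
    """The check a site should run at login: re-derive with the stored salt and
    compare in constant time. Nothing here can be pre-computed ahead of a leak."""
    salt, digest = table[user]
    guess = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, ITERATIONS)
    return secrets.compare_digest(guess, digest)

def accounts_exposed_by_precomputation(unsalted_table, dictionary):
    """Why the unsalted leak is so bad: the dictionary is hashed ONCE, then every
    account is resolved by a dictionary lookup. Returns (user -> password, hashes)."""
    precomputed = {hashlib.sha1(w.encode()).hexdigest(): w for w in dictionary}
    exposed = {u: precomputed[h] for u, h in unsalted_table.items() if h in precomputed}
    return exposed, len(dictionary)

def kdf_calls_with_salts(salted_table, dictionary):
    """With per-user salts the same dictionary check costs one slow KDF call per
    word per account (each ITERATIONS hashes), and no table is shareable."""
    return len(salted_table) * len(dictionary)
```

Note that alice and carol get identical entries in the unsalted table, so one match reveals both accounts at once, while their salted entries differ even though their passwords are the same.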