On Wednesday, June 6, reports surfaced that LinkedIn, a popular professional social networking site, had suffered a security breach that resulted in up to 6.5 million passwords being stolen. This is a good opportunity to describe what hackers can do with stolen passwords and to remind people about password security.
The stolen passwords had been "hashed," meaning that they had been run through a one-way function rather than stored in clear text. Hashing is a common practice for most bona fide password-controlled systems, including those run in the UMS. With this one-way operation, when you use a password such as "hello" it is converted and stored as something like: $1$r6T8SUB9$Qse41FJyF/3gkPIuvKOQ90. Each time you log in, the password you type is hashed the same way and matched against the stored hash. No one is able to unscramble that hash to reveal your password...except...
- Hackers perform dictionary attacks. Dictionaries of words have been run through all the common hashing algorithms to create tables of possible hashes, called rainbow tables. By comparing stolen hashed passwords against these tables they can see that the hash $1$r6T8SUB9$Qse41FJyF/3gkPIuvKOQ90 represents the password "hello." The dictionaries that hackers use include all common words, foreign words, names, pet names, sports figures and teams, millions of passwords known to be in use, and so on. Dictionaries also include mutations of common passwords such as "passw0rd."
- Hackers perform brute force attacks. Hackers can re-create every possible password by systematically changing one character at a time in a proposed password. This is more easily done in an off-line environment where password hashes have been stolen. However, brute force attacks against sufficiently long passwords require much more time to perform. Adding just one or two characters to a password may change the time it takes to crack it from days to years, or from months to hundreds of years.
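To make both points concrete, here is an added Python example that is not part of the original article: it shows why a bare, unsalted hash falls to a precomputed lookup table, why a salted and iterated hash (the form a defender should store) does not, and how many years each extra password character adds to an exhaustive search. The wordlist, the choice of SHA-1 as the weak form and PBKDF2 as the hardened form, the 62-symbol alphabet and the guessing rate are all constructed assumptions, not facts about LinkedIn's systems.

```python
import hashlib
import hmac
import os

# Constructed toy wordlist standing in for the large dictionaries the article describes.
WORDLIST = ["hello", "password", "passw0rd", "letmein", "blacksox2012"]

def unsalted_hash(password):
    """Weak storage form assumed here: a bare SHA-1 digest, no salt, no iteration."""
    return hashlib.sha1(password.encode()).hexdigest()

def precomputed_table(words):
    """What a lookup/rainbow table provides: digest -> word, computed once, reused forever."""
    return {unsalted_hash(w): w for w in words}

def recover_unsalted(stolen_hex, table):
    """A stolen unsalted hash is recovered by a single dictionary lookup (None if absent)."""
    return table.get(stolen_hex)

def store_salted(password, salt=None, rounds=100_000):
    """Hardened storage: random per-user salt plus iterated PBKDF2-HMAC-SHA256."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return salt, rounds, digest

def verify_salted(password, record):
    """Login check: re-derive with the stored salt and compare in constant time."""
    salt, rounds, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(candidate, digest)

def recover_salted(record, table):
    """The same precomputed table is useless against a salted record: it would have to be
    rebuilt for every salt, and each entry now costs `rounds` hash operations."""
    return table.get(record[2].hex())

def years_to_exhaust(length, alphabet_size, guesses_per_second):
    """Time to try every password of exactly `length` characters at a constant guess rate."""
    candidates = alphabet_size ** length
    return candidates / guesses_per_second / (365 * 24 * 3600)

if __name__ == "__main__":
    table = precomputed_table(WORDLIST)
    print("unsalted 'hello' ->", recover_unsalted(unsalted_hash("hello"), table))
    print("salted   'hello' ->", recover_salted(store_salted("hello"), table))
    for n in (8, 9, 10):
        print(f"{n} chars, 62 symbols, 1e9 guesses/s: {years_to_exhaust(n, 62, 1e9):.4f} years")
```

At one billion guesses per second the 8-character search finishes in a few days while the 10-character one takes decades, which is the "days to years" jump described above.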
Because many people use the same credentials for logging into multiple systems, hackers can check these passwords against other social network sites, online stores, bank accounts and work accounts which potentially have more valuable data. For this reason, the UMS policy prohibits using a password used for a UMS system for logging into non-UMS sites.
Hacker attacks such as these serve as good reminders of the need for strong passwords. Don't use words or names, and don't reuse your passwords. Use upper case letters, lower case letters, and numbers or special characters. Longer passwords are generally better, with 8 characters being the absolute minimum. Short phrases are typically stronger and easier to remember than random characters. Guides to help with password creation can be found at:
- In the wake of the LinkedIn hack, security professionals are already reporting incidents of users receiving "phishing" attempts -- e-mails that look like official communications from LinkedIn. Instead, these messages try to get users to reveal personal data that identity thieves could use, or they include links that, when clicked, can install malware on an unsuspecting user's computer.