Big news

Anyone in IT, and hopefully the wider community, will have seen the news that LinkedIn have had the password hashes of 6.5 million users stolen (read more, and the number keeps increasing…).

So for people that don’t know, here’s a quick summary of what LinkedIn say has been stolen. Your password hash is the output of a one-way function applied to your password, typically something like MD5 or SHA1; the hashes look like this:

Matthew-Smiths-MacBook-Pro-2:~ soimafreak$ echo "password" | md5
286755fad04869ca523320acce0dc6a4

A simple hash of the word “password” (strictly, of “password” followed by the newline that echo adds). The important thing to realise is that when you log in it is the hash that is checked, not your password. What does this mean? It means I don’t need to know your password, just a string of characters that generates the same hash. There are hash tables and rainbow tables on the internet that are basically just strings hashed and stored in a file or DB; it is then a matter of doing a simple lookup of the hash they have against the ones in the table.

What LinkedIn have done now is mitigate that lookup by adding a salt to the password: basically a random string is prepended to your password to change it before it is hashed. Example below:

Matthew-Smiths-MacBook-Pro-2:~ soimafreak$ echo "`cat /dev/urandom | head -c12`password" | md5
a3aadeacee5d742980cf3cff67ca0cb0
Matthew-Smiths-MacBook-Pro-2:~ soimafreak$ echo "`cat /dev/urandom | head -c12`password" | md5
84957ff57478e1a82432dafb6f39bab8
Matthew-Smiths-MacBook-Pro-2:~ soimafreak$ echo "`cat /dev/urandom | head -c12`password" | md5
a6936fdb9af34da281758c8649829651
Matthew-Smiths-MacBook-Pro-2:~ soimafreak$ echo "`cat /dev/urandom | head -c12`password" | md5
3775e0dd675473e57326612304058317
Matthew-Smiths-MacBook-Pro-2:~ soimafreak$ echo "`cat /dev/urandom | head -c12`password" | md5
9ff93bc19c28c54aa2249e90b73e9f11

As you can see, each time the salted password is hashed the result is different. This presents one problem: your hash will be different every time it is generated, so typically the salt (random string) is stored with your password hash. This only really protects against your password being easily guessed if someone has already generated a hash of the password (as even two people with the same password have different hashes). So they have to store your salt with your password hash, which is fine, as its sole purpose is to make sure your “password” is not the same as my “password”. For more information I would read: This
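The same salt-and-store flow written out in Python, as an added example that is not from the original post. It uses MD5 and a 12-byte salt to match the terminal output above; the user names and the password are constructed samples.

```python
import hashlib
import secrets


def unsalted_hash(password: str) -> str:
    """Plain MD5 as in the terminal example: depends only on the password,
    so every user who picked this password gets the same hash."""
    return hashlib.md5(password.encode()).hexdigest()


def make_record(password: str, salt: bytes = b"") -> str:
    """Prepend a random 12-byte salt (like `head -c12`) before hashing and
    store the salt next to the digest as 'salthex$digest' so it can be
    reused at login. The salt is not a secret; it only has to differ per user."""
    if not salt:
        salt = secrets.token_bytes(12)
    digest = hashlib.md5(salt + password.encode()).hexdigest()
    return f"{salt.hex()}${digest}"


def verify(password: str, record: str) -> bool:
    """Re-derive the hash with the stored salt and compare in constant time."""
    salt_hex, digest = record.split("$", 1)
    candidate = hashlib.md5(bytes.fromhex(salt_hex) + password.encode()).hexdigest()
    return secrets.compare_digest(candidate, digest)


def compare_two_users(password: str) -> dict:
    """Two constructed users, alice and bob, who happened to pick the same
    password: unsalted they are indistinguishable, salted they are not."""
    users = ("alice", "bob")
    unsalted = {u: unsalted_hash(password) for u in users}
    salted = {u: make_record(password) for u in users}
    return {
        "unsalted_identical": unsalted["alice"] == unsalted["bob"],
        "salted_identical": salted["alice"] == salted["bob"],
        "both_verify": all(verify(password, r) for r in salted.values()),
        "wrong_password_verifies": verify(password.upper(), salted["alice"]),
    }


if __name__ == "__main__":
    print(unsalted_hash("password"))       # constructed sample password
    print(compare_two_users("password"))
```

Note that the salt only defeats the precomputed lookup described above; it does nothing to slow down guessing against one stored hash, which is why a deliberately slow construction such as hashlib.pbkdf2_hmac is preferred over a bare MD5 or SHA1.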

Secure your passwords

I could go through all the basic stuff of choosing passwords of 6-8 characters with at least one upper case letter and a number; bog standard password advice, and it is completely useless. Back in the day that was considered good, but the modern convention is that you are better off with a passphrase rather than a password.

For example: “SgsFd76!£” – good use of the English £ symbol as it’s not on all keyboards! However, this is still easy to crack for a modern graphics card. See this

A much better password would be: “thisismysecurepassphraseforexample”. More characters = more combinations for the computer to check through, so this is much better than the first example. Even better than that, though: “AJSACBVCjndsf76287*798sdjb7afbafuxvi679(UoahsfkjbauytSDgsbf” – this is probably the best you can hope for, but if you’re like me and don’t have an eidetic memory this will be impossible to remember and therefore pointless to you.

So what would you say if I told you all of my passwords are in that odd format that I can’t remember, and better yet I have a different one for every website / computer and I have no idea what any of them are… Crazy? Probably, but it’s true.

I use KeePassX to store all of my passwords, which means I have to remember one odd passphrase and that’s it. You can even secure it with a key pair if you so wish; I considered this overkill, but it’s still nice to have the option.

So for every website there is a different random 20-26 character passphrase that I don’t know. It’s annoying how many websites don’t support more than 6-12 characters or force you to use poor passwords, such as Virgin Media’s email service, Ticketmaster and the Student Loans Company; on a side note, the SLC was by far the hardest service for me to get access to, asking questions I didn’t know all the answers to and then making me put in a password online that was pathetic…

So the big issue you have now is that you don’t know any of your passwords; this could be an issue. I personally use Dropbox on all my computers and mobile devices, and as such the database keeps up to date. The only risky thing I do is store my Dropbox password in KeePassX, which means I could lose everything; this is why I make a regular local backup on multiple computers. If you are almost certain you’ll lose your backup you could just set a passphrase for Dropbox that you can remember.

Summary

Use passphrases rather than passwords and make sure that you use different phrases on different sites. Because this is a mission, use something like KeePassX to help you out and just make sure you back that up appropriately. I’ve been using it for over a year now with no issues; the only thing that is annoying is that when setting up mobile devices I have to type in a 26 character password, which is a pain, but one I live with.

Category:
Linux

Join the conversation! 5 Comments

  1. Correct horse battery staple! :-)

  2. Guess I’ll have to change my password from Pa55w0rd then :)

  3. […] a bad thing to still be doing now because things have moved on. I take my passwords quite seriously and as time goes on I move more and more websites into keepassx where I have no idea what the […]
