There is quite an uproar over the compromise of sites such as LinkedIn. Users are rightly annoyed, but the big issues are:
- the site was compromised to the extent that the database of hashed passwords could be copied out,
- with over 60% of those hashes cracked so quickly, a great many of the underlying passwords were evidently weak enough to fall to dictionary-style attacks, so stealing the hashes was, in effect, stealing the accounts, and
- what the Hell were the operators of the site doing while the intrusion was going on?
Users have a responsibility to choose strong passwords, and sites should enforce that to avoid global melt-downs of important systems. It is not good enough to say that your messages are of little value: an account has value to malware distributors and spammers regardless of its current content. Users should keep very strong passwords in an encrypted password database so that recalling or typing them is not an issue; copy and paste can deal with that. Users should also learn how to clear the clipboard afterwards and avoid using public terminals. If users must type passwords in, they should avoid common names and dictionary words and should include punctuation and other special symbols as well as upper- and lower-case letters and digits. Against a fast, unsalted hash, anything under 8 characters can be exhausted by brute force in minutes to hours on commodity hardware. Take the hint and use much longer passwords.
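The two points above, that unsalted fast hashes fall to dictionary attacks in bulk and that short passwords fall to brute force, are easier to see with a worked example. The following Python is an added illustration written for this post, not code from the post or from LinkedIn; its "leaked" dump, wordlist, mangling rules and the 10 GH/s hash rate used for the time estimates are all constructed assumptions. It models the dump as unsalted SHA-1 (the LinkedIn dump was unsalted SHA-1, a detail not stated in the post) and contrasts it with a salted, deliberately slow PBKDF2 hash.

```python
import hashlib
import hmac
import os

# Constructed sample: a tiny "leaked" dump of unsalted SHA-1 digests, built
# here from made-up passwords so the example runs offline. A real dump would
# contain only the hex digests, not the passwords.
SAMPLE_PASSWORDS = [
    "password",
    "linkedin1",
    "Sunshine",
    "Tr0ub4dor&3",
    "correct horse battery staple",
]
LEAKED_HASHES = {hashlib.sha1(p.encode()).hexdigest() for p in SAMPLE_PASSWORDS}

# Constructed wordlist standing in for a real dictionary file.
WORDLIST = ["password", "linkedin", "sunshine", "welcome", "monkey", "dragon"]

# Assumed cracking rate for a fast unsalted hash on a modest GPU rig.
ASSUMED_HASHES_PER_SECOND = 1e10


def mangle(word):
    """Yield common variants of a dictionary word: case changes and one
    appended digit. Real cracking rule sets are far larger; this is enough
    to show why 'linkedin1' is not a strong password."""
    for base in (word, word.capitalize(), word.upper()):
        yield base
        for digit in range(10):
            yield f"{base}{digit}"


def dictionary_attack(leaked, wordlist):
    """Hash each candidate once and look it up against the whole dump.

    Because the hashes are unsalted, a single SHA-1 computation is checked
    against every account at the same time, which is why an unsalted dump
    of millions of accounts is cracked almost as cheaply as one account.
    Returns {hex_digest: recovered_password}."""
    cracked = {}
    for word in wordlist:
        for candidate in mangle(word):
            digest = hashlib.sha1(candidate.encode()).hexdigest()
            if digest in leaked:
                cracked[digest] = candidate
    return cracked


def brute_force_seconds(length, charset_size, hashes_per_second=ASSUMED_HASHES_PER_SECOND):
    """Worst-case seconds to exhaust every string of exactly `length`
    characters drawn from `charset_size` symbols at the assumed rate."""
    return charset_size ** length / hashes_per_second


def slow_salted_hash(password, salt=None, iterations=200_000):
    """Store a password the way the site should have: per-user random salt
    plus a deliberately slow key-derivation function (PBKDF2-HMAC-SHA256 is
    used here as an illustrative choice). Returns (salt, derived_key)."""
    if salt is None:
        salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, derived


def verify_slow(password, salt, derived, iterations=200_000):
    """Constant-time check of a password against a stored salt and key."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, derived)


if __name__ == "__main__":
    cracked = dictionary_attack(LEAKED_HASHES, WORDLIST)
    print(f"cracked {len(cracked)} of {len(LEAKED_HASHES)} unsalted hashes: {sorted(cracked.values())}")
    for length, charset in ((7, 26), (7, 95), (12, 95)):
        print(f"length {length}, charset {charset}: {brute_force_seconds(length, charset):.3g} s worst case")
    salt, key = slow_salted_hash("Sunshine")
    print("salted PBKDF2 verifies:", verify_slow("Sunshine", salt, key))
```

The estimates show the post's point and its caveat: seven lower-case letters fall in under a second and seven characters from the full printable set in a couple of hours at the assumed rate, while twelve printable characters are out of reach. With a per-user salt and a slow KDF, each guess must be recomputed for every account and costs orders of magnitude more, so the same dump would yield far fewer passwords.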
Web sites require constant attention, as does any establishment with unlocked doors. High-profile sites need layers of paranoid system administrators. Automated security controls and intrusion detection are necessary, because web sites can be quite complex in both structure and usage. It is also important that compromised sites publish details so everyone can benefit from the lessons learned. Too often, breaches are cloaked in secrecy. For example, the compromise of kernel.org, home to a key piece of IT, is still not documented nearly a year after the incident. “We will be writing up a report on the incident in the future.” does nothing to enhance the security of the world’s IT. Security is a shared thing, like FLOSS. You cannot keep it to yourself, because compromised systems are a threat to you and everyone else.
“As of this writing, over 60% of the unique hashed passwords obtained by hackers from a LinkedIn password database and subsequently posted online have now been cracked.”