Linked password hashes were leaked on a Russian site a few hours ago, and we have everyone speaking about SHA-1 , the weakness of the algorithm which is being used by Linked-in to hash the passwords, why not use Salt? so on and so forth. Linked-in has also confirmed the same.
For statistical purposes , to understand the speed and complexity in password cracking alongwith the stark reality –
A few weeks ago I had written about the methods personally being used in-order to prioritize and segregate the passwords. In this blog-post I had explained about the difficulties being faced whenever there was need to change the passwords and what was done to overcome this issue.
Today, after knowing about the Linked-In password leak , it wassn’t a surprise to me nor was there any lingering thought about ‘What Next’, but I simply went ahead to initiate the password change. I had to change the password in ONLY two different services (excluding Linked-In) which were NOT linked with Linked-In but shared the same password. At the end of this exercise, the password was crossed out from any further usage.
Web-sites and Web-based services, will provide you with a service but, there is no guarantee about the security measures they are deploying. Hence, I would reiterate – “Learn to segregate your passwords and prioritize them” and for the sake of ensuring just that the snippet of the previous blog is presented below.
Snippet of the Previous Post :This raises a few questions and forces us to think about the concept of linking email accounts and using them as a Single Sign On. For past few years, numerous services have started integrating themselves with each other, allowing you to access these services by authenticating yourself using Gmail, Hotmail, Yahoo, Facebook etc. Alternatively, your email accounts are used for password retrieval or are used as usernames. Advantages are numerous, no need to register, no need remember different usernames, passwords for different sites/services. But, very recently I realized that drawbacks are numerous. Whenever I wanted to change the password for one service then I ended up changing passwords for quite a few of other linked services. There was just no method involved and I felt quite lost in the world of passwords. Managing server passwords , admin passwords and also managing my personal passwords. Here is what I did to make my life simple yet have a fairly secure environment: 1: Created a List of all the sites which were frequently visited and had login rights. 2: Segregated them into Mail, Forums, Newsletters and associated services. Group 1
Email Services – All having different passwords. Group 2 – These sites needed their own usernames but password retrieval system depends on email services.
Insurance/Financial Services – All having different password
Some Forums Group 3 – These sites need either twitter/facebook accounts and rest of it handled by OAuth APIs
Associated Services – bit.ly, scoop.it etc.
Some Forums/NewsLetter sites etc. The second task was generating another list of services, which even if they are hacked shouldn’t impact my online presence, also, sometimes in order to retrieve some information, many websites require you to register, hence a secondary email id was created and started providing this email id for authentication purposes or for registrations. Effectively, ensuring that my primary email account is free from spam and even if there is a security issue with these not so secure services, I do not end up changing each and every password. At the end of this exercise, I ended up with 9 different passwords and am able to access 30+ services. and while changing passwords all needed to do was to rotate these passwords and at the end of term, generate 9 new passwords and manage them. During this term, if ever I came across any report suggesting a breach, all I need to do is look at the services I used and do the needful if required. Researchers are always asking everyone to use difficult passwords, or password managers , change passwords at regular intervals but as a end-user, it is our responsibility to ensure that we learn to segregate and prioritize the services we use. Password Managers are closely integrated with browsers and all of the browsers come with a password manager of their own. The issue with this is that many tools are available which can extract the stored passwords and also most of the trojans also extract this information and upload it to the attackers inbox, effectively rendering ‘Browser based Password Mangers‘ useless.