10 Million User Passwords Compromised

It is not going to help, of course, if online services do not treat this matter more seriously. The response of LinkedIn, eHarmony and Last.FM was not very encouraging in this respect. Even though the password breaches were headline news, none of the three websites highlighted these problems on their home page to alert current users to change their password or, indeed, to inform new users of the issue.

The social networking site LinkedIn has over 150 million users who upload details of their lives such as career history, education details, group interests and current employment. Put together, this information provides a history of your adult working life and, more importantly, your current place of employment and your location. A total of 6.5 million passwords were posted on a Russian web forum, along with a message encouraging other hackers to help decrypt the “hashed” data.

LinkedIn also confirmed that its mobile app was sending unencrypted calendar entries to LinkedIn servers without users’ knowledge. Although the site updated its security systems quickly following the confidentiality breach, should users be questioning these sites and their security?

The website LastPass enables users to check whether their password was compromised, but suggests that you only use the service if the passwords you are checking aren’t used for any other accounts. With security breaches like this, it is clear why the future of identity management is in multifactor authentication, in which token- or biometric-based evidence of who you are is combined with a password or PIN code; the latter two will hopefully be simplified by deriving them from highly private information, as American researchers have suggested. They have suggested using the answers to a variety of highly private questions as sources of authentication, such as in which street your first boyfriend lived, how many moles you have on your left ankle, or what your worst habit in the bathroom is (Jakobsson et al., 2008). That is a promising strategy, unless we have already put all such information on our LinkedIn.

Jakobsson, M., Stolterman, E., Wetzel, S. and Yang, L. (2008). Love and Authentication. Proceedings of the Twenty-Sixth Annual SIGCHI Conference on Human Factors in Computing Systems, pp. 197-200. http://dl.acm.org/citation.cfm?id=1357087

By Sharon Walker and Liesbet van Zoonen