10 Million User Passwords Compromised
Posted by: Sharon Walker
It was a bad week for passwords: an estimated ten million of them were breached last week on three established websites, LinkedIn, eHarmony and Last.FM. The password is generally distrusted for exactly this sort of vulnerability, and because we all have too many passwords nowadays to remember them. Already in 2004, IT consultant Calum MacLeod complained that he had "password overload syndrome" and could not keep up with his PIN codes and passwords. So commercial services have tried to come to our rescue by offering to keep all our login data in one place that you access with only one password; certainly that can make life easier, but is it also safer?
It is not going to help, of course, if online services do not treat this matter more seriously. The response of LinkedIn, eHarmony and Last.FM was not very encouraging in this respect. Even though the password breaches were headline news, none of the three websites highlighted the problem on its home page to alert current users to change their password or, indeed, to inform new users of the issue.
The social networking site LinkedIn has over 150 million users who upload details of their lives such as career history, education, group interests and current employment. Put together, this information provides a history of your adult working life and, more importantly, your current place of employment and your location. A total of 6.5 million passwords were posted on a Russian web forum, along with a message encouraging other hackers to help recover the passwords from the "hashed" data.
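The call to "help decrypt" the leaked hashes is a reminder that how a site stores passwords decides how much a leak exposes. The following is an added illustration, not code from the original post or from any of the sites named: it contrasts an unsalted, fast digest, where every user with the same password gets the same stored value and a leaked table can be matched against a precomputed wordlist, with a salted, deliberately slow derivation (PBKDF2-HMAC-SHA256 from Python's standard library) plus a constant-time check at login. The user names and passwords are constructed sample data; the iteration count is an assumed parameter.

```python
import hashlib
import hmac
import os

# Constructed sample data: two users who happen to share a password.
USERS = {"alice": "correct horse", "bob": "correct horse", "carol": "different one"}


def fast_unsalted_hash(password: str) -> str:
    """Unsalted, fast digest. The same password always yields the same value,
    so a leaked table reveals password reuse and can be matched in bulk
    against a precomputed wordlist."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def store_password(password: str, iterations: int = 600_000) -> dict:
    """Salted, slow derivation (PBKDF2-HMAC-SHA256). Returns the record a site
    would persist; the plaintext itself is never stored. The iteration count
    is an assumed tuning parameter, chosen to make guessing expensive."""
    salt = os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "digest": digest.hex()}


def verify_password(record: dict, candidate: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        candidate.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["digest"]))


def shared_password_detectable(stored_values: list) -> bool:
    """True when two stored values are identical, i.e. when anyone holding a
    leaked table can see which accounts share a password without cracking it."""
    return len(set(stored_values)) < len(stored_values)


if __name__ == "__main__":
    unsalted = [fast_unsalted_hash(p) for p in USERS.values()]
    print("unsalted table reveals reuse:", shared_password_detectable(unsalted))
    records = {u: store_password(p) for u, p in USERS.items()}
    print("salted table reveals reuse:", shared_password_detectable([r["digest"] for r in records.values()]))
    print("alice logs in:", verify_password(records["alice"], "correct horse"))
```

With salting, alice and bob end up with different stored values even though they chose the same password, so a leaked table no longer leaks the reuse, and each stored value has to be attacked on its own at the full cost of the slow derivation.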
LinkedIn also confirmed that its mobile app was sending unencrypted calendar entries to LinkedIn servers without users' knowledge. Although the site updated its security systems quickly following the confidentiality breach, should users be questioning these sites and their security?
The website LastPass enables users to check whether their password was compromised, but suggests that you only use the service if the password you are checking is not used for any other account. With security breaches like this, it is clear why the future of identity management lies in multifactor authentication, in which token- or biometric-based evidence of who you are is combined with a password or PIN code, the latter two hopefully simplified by deriving them from highly private information, as American researchers have suggested. They propose using the answers to a variety of highly private questions as sources of authentication, such as the street where your first boyfriend lived, how many moles you have on your left ankle, or what your worst habit in the bathroom is (Jakobsson et al., 2008). That is a promising strategy, unless we have put all such information on LinkedIn already.
Jakobsson, M., Stolterman, E., Wetzel, S. and Yang, L. (2008). Love and Authentication. Proceedings of the Twenty-Sixth Annual SIGCHI Conference on Human Factors in Computing Systems, pp. 197–200. http://dl.acm.org/citation.cfm?id=1357087
By Sharon Walker and Liesbet van Zoonen