If you have a LinkedIn account, it’s time to change your password.
As my colleague Zack Whittaker at ZDNet reports, roughly 6.5 million user passwords have apparently been downloaded and made publicly available.
Graham Cluley of security firm Sophos says his company’s researchers have confirmed that the list contains actual passwords.
Via its Twitter account, LinkedIn says it is “looking into” the issue.
Let’s put this breach in perspective:
- Only a small percentage of LinkedIn users are affected. The 6.5 million accounts on the list represent a fraction of LinkedIn’s total user base of 150 million.
- The stolen passwords are hashed, which means an attacker has to crack them (recover the original text by guessing candidates and hashing each one) before they can be used. The stronger your password, the longer that cracking will take.
So the odds are low that you have been affected by this breach. But as a basic security precaution you should change your LinkedIn password immediately. And if you used those same credentials on other web sites, you should change the password there as well. (Hint: this time choose a unique, strong password for each one.)
To change your password, go to LinkedIn.com and sign in. Click your name in the upper right corner and then click Settings. That will take you to this page:
You can use the Password Change option just below your account picture and email address. Or, if you want to adjust more settings, click Account in the lower right corner to display the options shown above, and then click Change password.
Enter your old password, then enter your new, strong, unique password (and re-enter it to confirm).
You’re done with LinkedIn. But if you’ve used that password with any other account—especially for well-known services like Dropbox, Gmail, Facebook, or for e-commerce sites like Amazon or PayPal—you need to reset those passwords too, or you risk having those other accounts compromised by an enterprising data thief.
And be prepared to change your LinkedIn password again in the near future, after we learn more about what happened here and determine whether any additional credentials have been stolen.
Update: Security researcher Robert Graham confirms the password dump is real. He also adds this fascinating note:
[I]f your password is long enough (like greater than 15 characters) and complex enough, then it’s still probably safe. A 15 character SHA-1 password composed of upper/lower case with symbols and digits is too large for “brute-force” and “rainbow tables”. However, if you’ve composed it of dictionary words, then it could fall to a “mutated dictionary” attack.
This is a sorted list of unique passwords. Thus, if 50 people use the password “password”, it’ll only show up once in this list. Which it does. The password of “password” is hashed using SHA-1 to “5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8”, which appears as “000001e4c9b93f3f0682250b6cf8331b7ee68fd8” in this list.
Given what we know of people’s password habits, it’s reasonable to assume that there are millions of easy-to-guess passwords (password clichés like 123456 and letmein, as well as words found in a standard dictionary), so the actual number of passwords should be less than the number of accounts. It’s unclear whether the passwords on this list are matched up with the email address that comprises the other half of the login credentials.
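As an added example (not code from this post or from Robert Graham's analysis), the Python below reproduces the two details quoted above, the SHA-1 of “password” and the five leading hex characters zeroed out in the list, and turns them into a defender-side check of whether a given password is present in such a dump. The sample dump, the `MASK` handling and the helper names are constructed assumptions for illustration.

```python
import hashlib

# Assumption for this example: the dump replaces the first five hex characters
# of some entries with zeros, so matching compares only the trailing 35.
MASK = "00000"


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 hex digest, the form the leaked LinkedIn hashes took."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def build_sample_dump() -> str:
    """Constructed stand-in for the leaked file: sorted, deduplicated, partly masked."""
    entries = {
        MASK + sha1_hex("password")[5:],       # the masked form quoted on the page
        sha1_hex("letmein"),
        sha1_hex("letmein"),                    # 50 users, one line: the set collapses it
        sha1_hex("Tr0ub4dor&3-long-unique-passphrase"),
    }
    return "\n".join(sorted(entries))


def load_dump(text: str) -> set:
    """Index the dump by the 35-character suffix that masking leaves untouched."""
    return {line.strip()[5:] for line in text.splitlines() if len(line.strip()) == 40}


def appears_in_dump(password: str, suffixes: set) -> bool:
    """True if hashing this password lands on an entry of the dump (masked or not)."""
    return sha1_hex(password)[5:] in suffixes


def audit_common_passwords(candidates, suffixes) -> list:
    """Which of a list of well-known weak passwords are present in the dump.

    This one-hash-per-candidate audit works only because the hashes are unsalted:
    a single SHA-1 of "password" matches every user who chose it.
    """
    return [p for p in candidates if appears_in_dump(p, suffixes)]


if __name__ == "__main__":
    suffixes = load_dump(build_sample_dump())
    print(sha1_hex("password"))                                   # 5baa61e4...
    print(audit_common_passwords(["123456", "password", "letmein"], suffixes))
```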
3 thoughts on “Change your LinkedIn password now”
“(Hint: this time choose a unique, strong password for each one.)”
Let me guess that most LinkedIn participants use the same email address and “clever” unique password scheme. E.g., I saw a very short list that included, “nathanlinkedin.” If the intruders managed to bust it (indeed, that’s what we’re meant to believe), it’d be a good guess that same formula would work to try “nathanhotmail” and “nathangmail.” A script or two later and you have the list of financial institutions sending “your statement is ready” or “online ATM receipt” emails, from which account numbers and … well, you get the idea.
If people don’t re-use the identical password, they set up little paradigms for them, potentially exposing ALL their passwords, even the pretty good ones. Simply, it’s too hard to log onto multiple sites with truly unique, strong passwords.
Sure looks to me that the whole paradigm of user-memorized passwords is busted.
The days of using passwords for website authentication are over. External single sign-in systems, chosen freely by each user according to trust, are the only sensible solution. OpenID is the only currently available implementation.
Geir, wake me up when OpenID is widely available on the web. It’s safe to say it’s been a failure despite the fact that it is a great idea.
Meanwhile, here in the real world, those very imperfect password-based systems will continue to be used.