
Change Your LinkedIn Passwords


HeliX


HeliX - I totally agree with ans (for once) and I am not here to enlighten, merely to keep everyone open minded and vigilant.

 

I think you're assuming that since I have worked in the IS arena for years that I am a network architect or a CISO. You must never assume because you will make an (ass) out of (u) and (me).

 

Do you not think it is strange how my newly changed password (post hacking) is leaked but my other one hasn't?

Link to comment

Do you not think it is strange how my newly changed password (post hacking) is leaked but my other one hasn't?

 

No, I already explained this on the previous page. Your new password was already used by someone else on LinkedIn, which is not largely surprising given there's 125 million users.

 

EDIT: And as I said, if you're worried give them a pre-hashed password, SHA1 is a one-way hash so there's no security risk involved. Especially since the hashes have already been leaked by LinkedIn!

Link to comment

It's not strange, you've just managed to pick another password that someone else has had before. It might be unlikely (and the degree of likelihood is determined by the complexity of your new password) but it's not strange. If you picked a passphrase, a simple substitution cypher or some other basic obfuscation technique, it's possible that someone else repeated the same steps you did.

 

If you're that concerned, download the original 6.5 million password file, hash your new password and see if you get a match manually. If it was in there from the beginning, before you changed your password, then you've just chosen badly. I have the original unmodified leaked file here if you can't find it yourself, but I'm sure anyone who's "worked in the IS arena for years" would know where to get that.

 

Edit: Welp, I need to type quicker.

Link to comment
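The manual check suggested in the post above, as an added example that is not part of the original thread: hash the candidate password locally and stream a hash list for a match, so the password never leaves your machine. The file name, the sample passwords and the one-hex-digest-per-line format are assumptions, and the `masked_prefix_len` handling assumes the widely reported layout of that dump in which some entries had their first five hex characters replaced with zeros.

```python
import hashlib
import os
import tempfile


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 of the UTF-8 password, as lowercase hex."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def check_dump(password: str, dump_path: str, masked_prefix_len: int = 5):
    """Scan a hash list (one hex digest per line) entirely offline.

    Returns "exact" for a full-digest match, "masked" when an entry matches
    after its first masked_prefix_len hex chars were zeroed (assumed dump
    layout; pass 0 to disable), or None when nothing matches.
    """
    digest = sha1_hex(password)
    masked = "0" * masked_prefix_len + digest[masked_prefix_len:]
    found = None
    with open(dump_path, "r", encoding="ascii", errors="ignore") as fh:
        for line in fh:  # stream: the real file has millions of lines
            entry = line.strip().lower()
            if entry == digest:
                return "exact"
            if masked_prefix_len and entry == masked:
                found = "masked"
    return found


def build_sample_dump(path: str) -> None:
    """Write a constructed three-line dump; these are not real leaked hashes."""
    zeroed = "00000" + sha1_hex("exampletown1210")[5:]
    lines = [sha1_hex("unrelated-passphrase"), zeroed.upper(), sha1_hex("exampletown2420")]
    with open(path, "w", encoding="ascii") as fh:
        fh.write("\n".join(lines) + "\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "sample_hashes.txt")
        build_sample_dump(sample)
        for candidate in ("exampletown2420", "exampletown1210", "never-used-here"):
            print(candidate, "->", check_dump(candidate, sample))
```

A match only shows that the same string was hashed by some account in the list; because the hashes are unsalted, every user who chose that string produces the identical digest.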

HeliX - I use the name of my old home town football team with a series of memorable numbers at the end, a favorite number plus a date.

 

For example, i.e. bromwichalbion1210, which I have always used for my LinkedIn since day dot - this apparently WAS NOT hacked

 

I changed it to:

 

For example, i.e. bromwichalbion2420. I use a simple doubling or dividing of numbers so I have a few combinations to try. I changed it to this a couple of days ago - apparently THIS WAS hacked

 

Coincidence? Maybe. Actually possible for someone to have exactly the same password? - ABSOLUTELY NOT

Link to comment

HeliX - I use the name of my old home town football team with a series of memorable numbers at the end, a favorite number plus a date.

 

For example, i.e. bromwichalbion1210, which I have always used for my LinkedIn since day dot - this apparently WAS NOT hacked

 

I changed it to:

 

For example, i.e. bromwichalbion2420. I use a simple doubling or dividing of numbers so I have a few combinations to try. I changed it to this a couple of days ago - apparently THIS WAS hacked

 

Coincidence? Maybe. Actually possible for someone to have exactly the same password? - ABSOLUTELY NOT

 

Of course it's actually possible. 125 million is a HUGE number.

 

If that's the actual password, I'll go check the original dump for you.

Link to comment

So, a football team suffixed by a four digit number? You're right, nobody could possibly ever have that sort of combination as a password.

 

Sport teams, places of birth, songs and bands and family members' names are among the most common sources of passwords around and all you've done is put a number on the end? Let's hope the work you do in IT security never has to protect anything important.

Link to comment

Isn't it amusing that the two people claiming to be knowledgeable in the infosec field are citing Gibson and TheReg as security sources?

 

Assuming that one of the people you are referring to here is me then:

 

1. There are 3 people, so far, in this thread who are "claiming to be knowledgeable in the infosec field". None of them are me. No claims from me.

 

2. What I wrote about Steve Gibson is that he knows more about this field than someone else. He does. FWIW he is well connected too which makes him a good source of news about this subject.

Link to comment

In your opinion he does. You're just as entitled to hold your view as those who think he's a charlatan whose only true talent is self promotion and hyperbole.

 

There are dozens of sources I would look at for infosec news in general, none of them would be GRC. I'm too scared of the nanoprobes that live on his website.

Link to comment

2. What I wrote about Steve Gibson is that he knows more about this field than someone else. He does. FWIW he is well connected too which makes him a good source of news about this subject.

 

I don't understand why you've made this into a pissing contest. I've never claimed to know more than Gibson. I said I wouldn't pay much attention to him. He's a frequently misguided attention seeker in my opinion and it's an opinion that's shared by many others whose knowledge and abilities I do respect.

 

 

 

 

It seems suspicious that since the story came about, my old password says it wasn't leaked but the new one has! I think you have to be more open minded about the ingenious ways hackers work; this site you have posted is most probably a data capture site which will link up the password when it is entered again on my browser and used with an email.

 

What are you actually claiming? What's leaked in done do you think?

Link to comment

You're just as entitled to hold your view as those who think he's a charlatan whose only true talent is self promotion and hyperbole.

 

Another way of looking at it is that more people are more secure and better informed thanks to him. Which is not to say that he is the definitive source of all knowledge. High profile people invariably draw considerable crabby flak and slander from other people. His enthusiasm for his subject is almost certainly echoed in the backlash against him.

 

But most of the noise about Gibson seems to be from people largely repeating the same old received opinion from ancient forums. Much of which was from people who were angrily defensive of their own complacency - and so began to compile lists of every mistake he ever uttered .... as if we don't all make mistakes. This is where the Gibson-is-a-charlatan nonsense originates from.

 

Much of which misses the fact that he turned out to be more right than wrong (and more right than his detractors) with much of what he said about Windows, scripting etc. And he might not have been the first person to draw attention to the inherent problems of connecting pre service pack 2 versions of Windows XP to a modem .... But he certainly brought this to the attention of a much wider public.

Link to comment

My password was leaked, and cracked. What does this mean for me? I've changed it now on LinkedIn but am I going to have to empty my bank accounts and change my name and so on?

 

Change any other site/service you use with the same password. Other than that you're fine.

Link to comment

The strongest passwords are those chosen at random and of a reasonable length - say 15 numbers/chars/symbols. The difficulty then is remembering them!

 

Of course, the infinite monkey theorem means ALL passwords can be compromised eventually. But to peruse the sort of garbage idiots put up on LinkedIn about themselves - a sort of Apprentice Wannabee sounding board with nauseously pretentious contents - why would you bother???

Link to comment

Archived

This topic is now archived and is closed to further replies.
