If you have been following what’s happening on the internet recently, you might have seen that LinkedIn, Last Fm and the online dating website eHarmony were hacked and millions of passwords were posted online.
Last Fm Hack : nakedsecurity.sophos.com/2012/06/07/last-fm-password
eHarmony Hack : nakedsecurity.sophos.com/2012/06/07/eharmony-passwords-stolen
I’m not going to talk about the hacking incidents themselves; you can get all the information you need from the links above. I’m going to talk about what we should learn from them.
These events raise questions about the security of the websites to which people hand over their personal information, pictures and messages. People really need to think twice before giving all of their personal information to websites, posting their pictures online and so on, because, as these hacking incidents show, even the best websites are vulnerable and you can’t be 100% sure that your information will be secure forever.
Some might argue that the cloud is more secure than having data on your own computer. However, if you keep your systems up to date and your data encrypted, I think your computer is safer than the cloud. Even the most secure method, two factor authentication, was bypassed because of a security flaw in Google, which was used to gain access to the emails of the CloudFlare CEO, then to CloudFlare user data, and to change the DNS information of 4Chan.
If you look at the LinkedIn passwords (I’m not sure about the Last Fm and eHarmony passwords), you can see how insecure even the biggest websites on the internet can be.
If you look at LinkedIn, the passwords they stored were not salted. Salting means adding a random string to the password before it is hashed, so two users with the same password end up with different hashes because of the random string. Because LinkedIn did not salt its passwords, 60% of the passwords that were released online were cracked within 24 hours.
So if you run a website that stores passwords, it is a must to salt the passwords before hashing them and to use a strong hashing method like SHA-1, because MD5 is now considered outdated.
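The following Python example is added here to illustrate the two points above; it is not code from the original post or from any of the sites mentioned. It builds a password table for three constructed, hypothetical users (two of whom chose the same password) first with a single unsalted SHA-1 pass, as the post describes LinkedIn’s storage, and then with a random per-user salt. The unsalted table reveals which users share a password before anyone cracks anything; the salted table does not. For the salted version the example goes a step beyond the post and uses PBKDF2-HMAC-SHA256 from Python’s standard `hashlib`, a deliberately slow iterated hash, because a single fast hash pass (MD5, SHA-1 or SHA-256) even with a salt is still cheap to guess against at scale; that choice, the iteration count and the helper names are the example’s own assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample accounts for the demonstration (not data from any real breach).
# Note that alice and bob picked the same password.
USERS = {
    "alice": "correct horse battery staple",
    "bob": "correct horse battery staple",
    "carol": "tr0ub4dor&3",
}

# Assumption: iteration count chosen for the example; tune upward on real hardware.
PBKDF2_ITERATIONS = 200_000


def unsalted_hash(password):
    """One SHA-1 pass with no salt: the scheme the post describes LinkedIn as using.
    Identical passwords always produce identical digests."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None):
    """Salted, slow hash. A fresh 16-byte random salt is drawn per user unless
    one is supplied (supplied only when verifying an existing record).
    Returns (salt, digest); both must be stored."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_password(password, salt, expected_digest):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected_digest)


def build_unsalted_table(users):
    """user -> hex digest, as an unsalted password table would look."""
    return {user: unsalted_hash(pw) for user, pw in users.items()}


def build_salted_table(users):
    """user -> (salt, digest), one random salt per user."""
    return {user: hash_password(pw) for user, pw in users.items()}


def duplicate_groups(digests_by_user):
    """Group users whose stored digests are byte-for-byte identical.
    In an unsalted table this exposes shared passwords without any cracking."""
    by_digest = {}
    for user, digest in digests_by_user.items():
        by_digest.setdefault(digest, set()).add(user)
    return [group for group in by_digest.values() if len(group) > 1]


def salted_duplicate_groups(salted_table):
    """Same check against the salted table: salts make shared passwords invisible."""
    return duplicate_groups(
        {user: digest.hex() for user, (_salt, digest) in salted_table.items()}
    )


if __name__ == "__main__":
    unsalted = build_unsalted_table(USERS)
    print("unsalted table leaks shared passwords:", duplicate_groups(unsalted))
    salted = build_salted_table(USERS)
    print("salted table leaks shared passwords:", salted_duplicate_groups(salted))
    salt, digest = salted["alice"]
    print("alice login ok:", verify_password(USERS["alice"], salt, digest))
    print("alice wrong password:", verify_password("guess", salt, digest))
```

Running the block prints the `{'alice', 'bob'}` group for the unsalted table and an empty list for the salted one. The salt is not secret and is stored beside the digest; its job is only to make every stored hash unique, so a precomputed table of common-password hashes is useless and each account has to be attacked on its own.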
If you are a LinkedIn, Last Fm or eHarmony user:
- You need to change your passwords quickly.
- If you are using the same password for other accounts you need to change them too.
- Make sure you use two factor authentication if it is available. Two factor authentication is available on Facebook, Google etc.