If you missed the news (and I bet you didn’t) then here it is – LinkedIn recently had its very own digital moment of truth, when hackers stole around 6 million passwords. Well, not the actual passwords, but the SHA-1 hashes of them.
And, to make matters worse, the thieves then published them online with a request to help crack them. Ah, internet: you never cease to be a source of inspiration and hope for our species.
Now, leaving aside the rather troubling question of *how* they got the hashes (one which I hear the FBI is taking an interest in), this really shouldn’t be a problem. Unless, of course, you used something fairly obvious as your password, because just getting the hash of it isn’t exactly the end of the world. I mean, not something to go pop a Champagne cork over, but no reason to go sobbing into your scotch and soda either.
Because you didn’t use an obvious password, right?
Assuming you’ve been in the info sec business for longer than roughly 30 seconds, the following probably isn’t going to come as a surprise.
According to this piece in the LA Times, the most commonly used password that was exposed was, you guessed it, “link.”
Actually, the only surprising thing here is that the ever-popular “1234” was pushed to second place. Followed closely, in third place, by the somewhat more secure “12345”. Because that extra digit makes all the difference.
Now, obviously these are a minority of users, since the vast bulk of passwords seem to have been able to defeat the usual dictionary attacks that one would expect to be used. (Note the use of the word “seem”. Obviously, it’s hard to say exactly what the hackers were actually able to do.)
Is it me, or is something wrong here?
My point here is not that people choose bad passwords (see previous comment about being in the industry longer than 30 seconds) but rather that a website aimed at professionals allows them to be so, frankly, dumb.
I’m all for self-reliance and responsibility, but I have to think that a site that happily allows you to define your passwords as “1234” is rather phoning it in when it comes to their share of responsibility too. I’m not advocating the irritating (and often self-defeating) practices of sites wanting you to include six special characters and four Sanskrit pictograms just to get access to your dog’s pet food order, but I do think there are minimums that should be applied.
If hackers (well, anyone with a browser) can simply get hold of tools to perform dictionary-based attacks, rainbow tables and the other paraphernalia of password crackers, then why on Earth don’t we expect the sites themselves to apply at least the most basic level of checking to prevent you from using “password” as your password?
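Here is what that “most basic level of checking” can look like on the server side, as an added example (not LinkedIn’s code, nor anything from the original post). The denylist, site name and stored hashes are constructed; the checks reject the passwords the post names (“link”, “1234”, “12345”, “password”), and the audit routine shows why unsalted SHA-1 makes them trivial to spot in a leaked hash set: one lookup per hash.

```python
import hashlib

# Constructed denylist: the passwords named in the post plus a few obvious ones.
COMMON_PASSWORDS = {"link", "1234", "12345", "password", "123456", "linkedin", "qwerty"}
MIN_LENGTH = 8  # assumed minimum; pick your own floor


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 hex digest, the scheme the leaked LinkedIn hashes used."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def password_problems(password: str, site_name: str = "linkedin") -> list[str]:
    """Return the reasons a candidate password should be refused at registration.
    An empty list means it clears the minimum bar. site_name is a constructed
    parameter so the check can catch passwords derived from the site itself."""
    problems = []
    lowered = password.lower()
    site = site_name.lower()
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if lowered in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    if lowered.isdigit():
        problems.append("digits only")
    # "link" is a substring of "linkedin": reject passwords taken from the
    # site name in either direction (4+ chars so single letters don't trip it).
    if len(lowered) >= 4 and (site in lowered or lowered in site):
        problems.append("derived from the site name")
    return problems


def audit_sha1_hashes(stored_hashes, candidates=COMMON_PASSWORDS) -> dict:
    """Defender-side audit of an existing unsalted SHA-1 password table.
    Every user with the same password shares one hash, so hashing the
    denylist once and indexing it finds all of them in a single pass.
    Returns {hash: plaintext} for the stored hashes that match."""
    table = {sha1_hex(p): p for p in candidates}
    return {h: table[h] for h in stored_hashes if h in table}


if __name__ == "__main__":
    # Constructed sample of a stored hash table: two weak entries, one decent one.
    stored = [sha1_hex("link"), sha1_hex("12345"), sha1_hex("winter-lamp-37-harbor")]
    for pw in ("link", "1234", "winter-lamp-37-harbor"):
        print(f"{pw!r}: {password_problems(pw) or 'OK'}")
    print("weak hashes found:", audit_sha1_hashes(stored))
```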
If you want me to create an account on your site, and store my personal information (and they do, they really, really do) then it’s time to step up to the plate and make sure you’re doing the best you can to stop us from harming ourselves while you let us tell you all about ourselves.
It’s not only good manners, it’s good business too.