back to article LinkedIn mass hack reveals ... yup, you're all still crap at passwords

Analysis of passwords from the LinkedIn leak has revealed, should there be any doubt, that users remain terrible at choosing secure login credentials. Last week a black hat hacker using the nickname Peace was revealed as attempting to sell 117 million LinkedIn users' emails and passwords on the dark web. "Peace" wants 5 BTC …

  1. Keef

    Time to...

    Ditch using social media, they can't be trusted with your details.

    Yes, I know this is an old story from 2012, my comment above relates to that time.

    1. Nate Amsden

      Re: Time to...

      And move to what ? I have never had a facebook or twitter account but I do use linkedin. Though all of my info is "public" on linkedIn(just career stuff) so there is really nothing to compromise data wise(I believe linkedin had me reset my pw back with the original breach(?)).

      I don't use linkedin for MUCH(though I am a premium subscriber), it has gotten me tons of career leads over the years(none of which I need right now), and really if just one of those pans out again in the future(little reason to think it wouldn't) it would of paid for itself right then.

      In general I'm not a social person so being able to stay "connected" to the people in my career is handy.

      I was thinking more along the lines of it shouldn't take much work to block such simple passwords from being used in the first place. I don't advocate requiring really strong passwords for something like linkedin, but people shouldn't be using 1234567 etc (unless I suppose it is a throwaway account or something). Maybe linkedin has already implemented this since this data is pretty old already.

      1. Pascal Monett Silver badge

        Re: And move to what ?

        Back to the time where your contacts were people in your phone list that you actually called every now and then to prove that you cared that much.

        1. Triggerfish

          Re: And move to what ?

          Back to the time where your contacts were people in your phone list that you actually called every now and then to prove that you cared that much.

          I would love that to be true, but there are people I know who just don't seem to use the phone anymore, it's all messenger type apps, there are also people I know abroad and phone calls are not cheap, or have pain in the bum time differences.

          1. Vic

            Re: And move to what ?

            there are also people I know abroad and phone calls are not cheap

            Phone call pricing is really quite bizarre.

            I phoned my brother in Sydney the other week. A phone call to the other side of the planet - and it was cheaper than ringing my next-door neighbour...

            Vic.

            1. Triggerfish

              Re: And move to what ?

              You have to wonder at the real cost as well, using foreign sims to call home you start to wonder how much is operating cost and how much is profiteering.

          2. heyrick Silver badge

            Re: And move to what ?

            " there are also people I know abroad and phone calls are not cheap "

            Part of my contact includes free calls from my house phone to a land line in pretty much every country on the planet (except those usually deemed unfavourable to the world). Dunno how they account for that. I guess they make their money in that sending a single SMS from my mobile to a mobile in another country costs the same as calling them for a minute. I think the pricing is intended to confuse everybody to make operator comparisons meaningless.

      2. Rafael 1
        Windows

        Re: And move to what?

        Can't answer this question, since I am as social-network-shy as any bearded hermit in a cave in a mountain. But from the three you've mentioned LinkedIn is the most obnoxious: Facebook only bugs me about "people that I know" when I log on it, in a small notification icon so discrete I don't even remember how it looks.

        LinkedIn, on the other hand, send several e-mails, each week, to more than one account, about "Roger Neverheardabouthim wants to add you to his network".

        Sometimes I am tempted to play "six degrees of LinkedIn", and see if I can figure out how am I related to that twerp. A neighbor of the wife of a former student? Someone who is tempting to brag about having more contacts than the other idiots on his PR company? An Amway representative? Unfortunately I'd have to log in to discover, so I just delete the e-mails.

        1. Pen-y-gors Silver badge

          Re: And move to what?

          There is a lot of linkedin spam/scams - I get the odd email (but interestingly NOT to my linkedin e-mail address) asking me to connect to someone - the strange thing is the email only offers one button "confirm you know this person" - there's no option to click on "never heard of the little sod", so only option is to delete email and ignore, until another arrives next week telling me I haven't responded yet. Who designed this shit?

          1. heyrick Silver badge

            Who designed this shit?

            A few years back I had quite a bit of spam from LinkedIn. Given the mail did come from them, I contacted them to ask if they could stop sending this junk.

            I was told I'd need to create a profile to manage my mailing preferences.

            So I decided the easier way is to create a filter. Anything from LinkedIn gets automatically binned.

        2. Anonymous Coward
          Anonymous Coward

          Re: And move to what?

          LinkedIn, on the other hand, send several e-mails, each week, to more than one account, about "Roger Neverheardabouthim wants to add you to his network".

          The thing that earned LinkedIn a permanent spot in my spamassassin.cf was emails wanting to add mips@gentoo.org to peoples' networks.

          mips@gentoo.org is just an alias for those of us who maintain Gentoo Linux on MIPS processors (SGI, Cobalt, Lemote). mozilla@gentoo.org copped a few too, and years ago, I was on both aliases.

          When you consider those sorts of capers, it is clear LinkedIn don't give a damn about peoples' abuse of their network and that the "links" developed there are pretty much worthless from an employment point of view.

          Want a job in IT? Start doing some meaningful work in the open-source world. Your name will then start to appear in search engines and your work will clearly stand on its own to any employer worth working for.

      3. macjules Silver badge
        Pint

        Re: Time to...

        I can still somewhat wistfully recall when 'not available' simply meant taking the phone off the hook.

      4. DrXym Silver badge

        Re: Time to...

        "I have never had a facebook or twitter account but I do use linkedin. "

        I use LinkedIn but most of the time I feel more like it's using me. During a contract phase I accepted links from some agents. Big mistake. These agents get a job spec in that says "java" in it and spam everyone who comes up in a search result. Multiply that by every agent who has the spec and its a lot of spam. It's become a cattle market and people on the system have become the cattle to be monetized for the benefit of people like agents.

        I've disconnected from the lot of them. If they want to talk with me they can spend one of their precious InMails. Chances are I'll ignore that too but at least it shows some kind of deliberate attempt to interact rather than spamming dozens of people at once.

  2. Valeyard

    it's linkedin though...

    it's so rubbish it's one of the least secure passwords in my keepass because i really don't care that much about it..

  3. Bod

    Genuine accounts?

    How many of 117 million accounts are genuine or serious accounts?

    I mean, a lot of people just knock up an account on sites to get access to view something they can't without an account. Then there are developers and testers who create many random test accounts to test an app using their API and such, and most likely use 123456 as a password.

    A lot of people also probably just sign up out of interest, put in no details and never really use it. Half my address book comes up showing people with LinkedIn accounts but half of those have empty profiles and are unused.

    I wouldn't be surprised if accounts created by recruiters and businesses that basically aren't personal accounts, also have weak passwords.

    1. Doctor_Wibble
      Devil

      Re: Genuine accounts?

      > How many of 117 million accounts are genuine or serious accounts?

      I don't think that should be an either-or question, e.g. mine is genuine but I wouldn't call it 'serious' because I barely touch it. On the other hand it's several years overdue for a revenge attack on everyone for all those 'blahblah added yoghurt knitting as a new skill' and 'blahblah moved desks again' updates that it keeps forgetting I repeatedly tried opting out of.

      I will pick the least interesting job and add as many excruciatingly irrelevant yet update-worthy details as I can think of.

    2. John Brown (no body) Silver badge

      Re: Genuine accounts?

      "I mean, a lot of people just knock up an account on sites to get access to view something they can't without an account."

      I must have done that at least a dozen times on LinkedIn over the years. I have no idea what names or passwords I used because I never have any intention of ever accessing those accounts ever again. The question is, does LinkedIn or similar sites ever do housecleaning? Or are they, like man "social networking" users all doing the same thing and using numbers of "friends" for bragging rights?

      Anyone who creates a social media account then either never uses it or doesn't even log in for more than 3 months really ought to marked dormant then deleted after 6 months. (The account, not the user!)

      1. allthecoolshortnamesweretaken

        Re: Genuine accounts?

        Thanks for the clarification as to what is to be deleted!

        But they won't do that - their selling point is "Look at our huge user base! And it keeps growing!"

        1. Anonymous Coward
          Anonymous Coward

          Re: Genuine accounts?

          A better approach would be to publish "active" accounts only in user base statistics (those accessed in the last three months for example). People paying for linkedin accounts should get a pass. They deserve to use their accounts as much or as little as they like.

          On the other hand, the duff and dead free accounts should not be counted as active, for truth in advertising, if nothing else. Web hit counters that should report unique or new visits only face a similar dilemma when they don't discard crawlers and other bots from their stats.

          Anyway this latest news may cause a few of those 117 (164 or 167) million pwned LI users to visit their accounts again to change their passwords. I certainly did and I am a Premium user.

          For more fun and games check Troy Hunter's https://www.troyhunt.com/ to see where your email has shown up in data-breach land. Quite eye-opening, some decent blogs as well.

      2. Anonymous Coward
        Anonymous Coward

        Re: Genuine accounts?

        They might do some housecleaning. I occasionally browse through the "people you may know" list. At least two of the accounts I used to see on the list were deceased. I haven't seen them on the list in the last couple of months, so they may have had their accounts deactivated. One of the contacts was pretty high profile (retired Congressman) so he'd be a candidate for manually dealing with the account (or, more likely, having a staffer remove/lock/etc. the account). The other person was much more low profile.

  4. Dave W

    Tosh

    There's also the argument that as LinkedIn is such a steaming pile of tosh, many people (myself included) use crap (weak) disposable passwords.

    There's absolutely nothing of value in my LinkedIn account - just lots of people trying to connect with me so that they can try to sell me stuff, and the credentials I used are so weak that I wouldn't dare use them anywhere else.

    1. Anonymous Coward
      Anonymous Coward

      @Dave

      "just lots of people trying to connect with me so that they can try to sell me stuff"

      Which could just as easily originate from a bunch of spam drones. In other words: compromised accounts from people who thought just like you and also didn't see the need to apply better security.

      1. Valeyard

        Re: @Dave

        compromised accounts from people who thought just like you and also didn't see the need to apply better security.

        nah, contracting agency drones, even more soul-less

  5. Tom Wood

    Attitudes to risk

    I really don't want someone to get access to my bank account, or my email account, or root access to my servers, so I use secure passwords for them.

    But LinkedIn, or for that matter some random forum such as this one, what's the worst that can happen if someone logs in as me?

    The main risk if someone steals my login details from the likes of LinkedIn (or indeed this forum, which doesn't even use a HTTPS connection...) is if I use the same email and password combo for either this site and others, or for my email account, in which case they can get access to all the "forgotten password" emails and the like.

    But if I don't, then what's the problem?

    I have a better lock on the front door of my house than I do on my garden shed, for much the same reason. Get into the shed and at most you can steal some plant pots, potting compost, barbecue charcoal and a bit of garden furniture maybe.

    1. Banksy

      Re: Attitudes to risk

      "But LinkedIn, or for that matter some random forum such as this one, what's the worst that can happen if someone logs in as me?"

      In the case of LinkedIn they could get in touch with your contacts and tell them they're a c**k, that you shagged their mum, that you worked somewhere disreputable, that sort of thing. That's what I'd do anyway.

      1. Anonymous Coward
        Pint

        Re: Attitudes to risk

        but by me using a crap password, I could tell everyone that I endure they are complete utter cocks, then blame it on the hack.

        Win all round

      2. Vic
        Joke

        Re: Attitudes to risk

        In the case of LinkedIn they could get in touch with your contacts and tell them they're a c**k, that you shagged their mum, that you worked somewhere disreputable, that sort of thing.

        ...Or they could say somthing that's untrue...

        Vic.

    2. Charles 9 Silver badge
      Devil

      Re: Attitudes to risk

      But the problem is, what if you ALSO accidentally dropped a bit of a bill or something else that can identify you more completely. Then that shoddy shed lock just became an inroad to social engineering or even identity theft. That's why ANY site with a bad password can be risky. ANY information they can glean from it can be used to reconstruct your identity, at least to the point they can employ social engineering to get more information and then eventually they have enough to compromise or steal your identity.

      1. Tom Wood

        Re: Attitudes to risk

        "ANY information they can glean from it can be used to reconstruct your identity, at least to the point they can employ social engineering to get more information and then eventually they have enough to compromise or steal your identity."

        They *could*. But *would* they?

        Your common-or-garden cybercriminal, much like your common-or-garden house burglar, will go for the easiest targets. They're after quick money not some convoluted identity theft.

        In practice, my LinkedIn password is better than "password" or "12345678", but not as good as 12 truly random characters or whatever. Which is fine, as long as there are lots of people who have passwords worse than mine; just as my house isn't likely to get burgled as long as I have pretty good locks on the doors, and the guy down the street has crap ones.

        1. Charles 9 Silver badge

          Re: Attitudes to risk

          "Your common-or-garden cybercriminal, much like your common-or-garden house burglar, will go for the easiest targets. They're after quick money not some convoluted identity theft."

          But you could always have motivated enemies out to target you specifically or one who just feels like putting forth extra effort, like you say, so as to steal an identity and milk it for all its worth (one big haul versus many little ones) much like sociopathic stalkers who groom their victims over time.

  6. m0rt

    I was informed by haveibeenpwnd? This morning. the email address was one that has been defunct (I still have the domain, though) since late 2008. I 'killed' my Linkedin account when they, by default, started allowing the profiles to be indexed by google without an opt in for this.

    So the account was three years defunct by the time the data was leaked.This is also looking like one of the biggest datadumps of users to date.

    I am not arsed about my old LI account. But it hits home that if, say, Amazon ever had a rogue employee, or were hacked, (though I imagine Jeff has some seriously dodgy internal police force that use 'justifiable' force), then I would be worried. I realised, recently, that my amazon account, with all the purchases visible since 2000, and a lot of addresses I have used over that time, has more info about me than probably any other online resource. Including gov sites. (Exception of GCHQ probably - Hi guys).

    1. Seajay#

      2FA on amazon

      Did you know you can trick amazon uk in to enabling 2FA even though (for no obvious reason) it isn't available here yet?

      http://www.techworld.com/security/how-brits-can-enable-amazon-two-factor-authentication-security-now-3631955/

      Worth doing.

  7. JimmyPage
    Thumb Up

    Not about linked in, but a plug for "haveibeenpwned.com" (and Lastpass)

    Been signed up with them for a few years now, and this is the first alert they have had to send me ...

    You're one of 164,611,595 people pwned in the LinkedIn data breach

    Like others here, my LinkedIn password is probably the lowest level, since it's not really used much. Still I note (with interest) that it was last changed in 2014 (Lastpass notes such things.

    Oh, and a big-up for Lastpass here. I just tried their "autochange password" function (on LinkedIn) and it worked a charm. So weighing cloudy encrypted vault against top-notch per-site password protection, I'll risk Lastpass anyday.

  8. 0laf Silver badge
    FAIL

    Maybe not now

    This was 4yr ago.

    Maybe we're all great at passwords now...maybe.

    I got the domain list this morning and I think out of 300 accounts about 20 of them were still valid. Most of the remaining users could barely remember using LinkedIn if at all.

  9. smartypants

    Stop being surprised at shit passwords

    Passwords are a broken way to enforce security. How much more proof do we need that significant numbers of people find passwords a bother and always will?

    When are we going to start building a replacement for this broken idiom which humans have no problems with?

    1. Pascal Monett Silver badge

      Probably as soon as you explain what better method we could use.

      And if you answer biometrics, you've lost.

      1. smartypants

        I didn't expect this.

        In years to come, the proof that passwords are a good way to enforce security will be that some bloke pointed out how shit they were and didn't provide an alternative.

        Seriously

        Lol.

        1. Charles 9 Silver badge

          Re: I didn't expect this.

          "In years to come, the proof that passwords are a good way to enforce security will be that some bloke pointed out how shit they were and didn't provide an alternative."

          What if someone produced a true reductio ad absurdum that showed that anything other than passwords is provably worse than passwords, which we know to be unacceptable because people can have bad memories. Then I have to wonder where we go from there...

          1. Pascal Monett Silver badge

            Passwords are not a good way to enforce security. Like democracy, they are the least bad way we have now.

            Because if your eyeball gets compromised, what do you do then ?

            1. Charles 9 Silver badge

              "Passwords are not a good way to enforce security. Like democracy, they are the least bad way we have now."

              Only thing is, we're realizing all these "least bad" solutions are not acceptable. So we need an alternative that is better than the least bad solution out there, and we need it soon before the whole house of cards collapses in on itself.

              1. cbars Silver badge

                "So we need an alternative that is better than the least bad solution out there"

                Half a password?

      2. Charles 9 Silver badge
        FAIL

        "And if you answer biometrics, you've lost."

        And if you answer anything OTHER than biometrics (because for many people biometrics is all they have, literally. No phones and terrible memories for anything else), you've lost, too.

        Meaning we're lost either way. Meaning it's a lost cause...

  10. wolfetone
    Coat

    Glad to see my 987654321 password isn't in the Top 6.

    I'm doing security correctly.

    1. Anonymous Coward
      Anonymous Coward

      987654321

      Sort-of-related story: a colleague used to play a version of Lotto/Powerball with the numbers 1-2-3-4-5-10. His theory was that if ever 1-2-3-4-5-6 was drawn, lots of clueless yokels would have to share the prize, but with 1-2-3-4-5-10 the top prize would be all his.

      Changing my password to 1-2-3-4-5-10 in 9, 8, 7, 6...

      1. 0laf Silver badge
        Boffin

        Re: 987654321

        He's right.

        Loads of people have 1-2-3-4-5-6, it's just as likely to come up as any other combination but as he said if it does come up it'll be shared between thousands.

        If he wants to keep it all for himself he should pick a range of number above 31. Many people use dates of birth for picking numbers and you cut them out the share above that. And you're just as likely to win. Which is not very these days.

        1. Charles 9 Silver badge

          Re: 987654321

          No, because people know there are numbers above 31 and start looking for other sources of numbers. Clocks and times provide up to 60 in this case, and years can cover any lottery spread there is right now.

      2. JimmyPage
        Happy

        Re: lottery wins

        I recall a story that the NY lottery was once won by hundreds of people.

        The reason ? The winning numbers made an "X" in the playslip .......

      3. Steve Graham

        Re: 987654321

        I analyzed the winning stats and got a set of numbers which only or mainly occurred in single-ticket jackpots.

        It didn't help. They kept taking my money and never awarded me a prize.

  11. Lucasjkr

    How come nearly the first thing that was ever told to me was that each password gets its own unique salt, yet so many developers who are paid multiple times what I earn thanks to lucrative stock options at places like LinkedIn, never think about this?

    1. John Brown (no body) Silver badge
      Joke

      I think the first thing I was ever told was "Aaaaaawwwwww, don't you look cute!". It was a number of years later before I was told anything about passwords. Probably some while after I after I learned to speak.

  12. Anonymous Coward
    Anonymous Coward

    Advice please

    Hoping to ask some people who know more about security than me some advice! I have been guilty in the past of sharing passwords between sites and think it is time to tighten things up. I was thinking of doing the following and wondered if this sounds sensible?

    1. Get an account for something like KeePass or 1Password Manager

    2. Create a strong, unique password for this service that isn't used anywhere else.

    3. Create random, strong passwords unique to each other account using something like https://www.random.org/passwords/

    4. Store those in my password manager

    I guess my only real concern is how secure is 1 + 2?

    1. Alan Mac

      Re: Advice please

      These password managers tend to be able to create the passwords for you as well:

      http://keepass.info/features.html#lnkrandgen

      1. Roland6 Silver badge

        Re: Advice please

        These password managers tend to be able to create the passwords for you as well

        However, what they won't do is automatically change your password. On of the features of the LinkedIn breech is the information LinkedIn disclosed about how infrequently people actually changed their passwords; many not having been changed since the 2012 breech; basically people don't (change their passwords) unless they forget it or are forced to (as LinkedIn has done this time round).

        I suggest that the use of password managers doesn't change this behaviour and may in fact encourage people to not periodically change passwords, since they no longer have to remember them and hence are even less likely to suffer from a memory lapse.

        1. Charles 9 Silver badge

          Re: Advice please

          WHY do people need to change their passwords periodically if people follow the best practice of using a different password for each and every site? If the password's been breached, it won't work anywhere else, and odds are the password gets breached before ANYONE knows about it, making the while "change the password" exercise moot as odds are the criminal will change the password THEMSELVES once they have it--to block backhacking.

          IOW, with password managers and different passwords for every site, it's either too early to worry about or too late to do anything to fix it, with no middle ground.

    2. Nick Ryan Silver badge

      Re: Advice please

      Keepass can run as an independent application and all it needs is to access your Keepass data file.

      Keepass comes with a Portable version (no installer required), download from the keepass website itself: http://keepass.info/download.html.

      The next step is that you need to keep the Keepass data file available to you. There are many ways of doing this, the issue is likely to not have a single (losable) copy on something like a memory stick and to instead use a web storage service of some form. Pretty much any of them would do as long as you trust the encryption of the Keepass application the strength of your password to it.

      1. Charles 9 Silver badge

        Re: Advice please

        So what happens when a zero-day drops a keylogger onto one of the devices and nabs your master password?

        1. Nick Ryan Silver badge

          Re: Advice please

          ...or somebody guesses the master password, or watches you type it in, or the keepass encryption algorithm has flaws, or the application itself...

          While services such as keepass are very useful they do shift the focus onto a single password with which an attacker will get access to a lot of services.

          1. Charles 9 Silver badge

            Re: Advice please

            But it seems the "least bad" solution there is for someone with a bad memory. Unless you're saying the least bad solution still isn't good enough...

  13. cs94njw

    FFS. What really p155es me off at the moment, is websites trying to increase the complexity of passwords that I use.

    But it's for websites where I don't store personal information, or where I don't care if I'm "hacked".

    LinkedIn - password "1234" is more than ample. Someone hacks it, deletes the profile? I'll re-enter it.

    Facebook - hmm... there's some nice history/photos I'd like to keep, perhaps a more complex password.

    Banking/shopping website - OK, full-on password here.

    By forcing more complex passwords, it makes us re-use the passwords we use for banking.

    Or dream up another one, which we're likely to forget.

    1. Roland6 Silver badge

      Re: LinkedIn - password "1234" is more than ample.

      Whilst I understand your point, I suggest it depends upon both the characteristic's of a particular website and your password reuse policy.

      Looking at the KoreLogic analysis, what is interesting is that the only 1.14M users out of 117M accounts, ie. approximately 1%, use the most common password, for LinkedIn, of "123456". So whilst in theory a hacker might get lucky every 100 accounts they try to gain access to, these odd's will be lengthened by other security measures such as timeouts after some many failed attempts from the same session and account locking after so many failed attempts from any session. The question really is what additional security measures have LinkedIn instigated to identify improper access attempts.

      1. Anonymous Coward
        Anonymous Coward

        Those counter-measures, though, could probably be defeated by a botnet. Each bot only tries one account once, maybe twice, so there's no real way for an IDS to figure the scheme out since they use different IPs, only use 1 account per IP to defeat IP tracking (since now you can't tell whether it was an attempt or an honest mistake), and only go a couple times to avoid timeouts. And this is a world where the criminals only need to be lucky ONCE, so like spammers they're willing to cast a wide net.

  14. bigphil9009

    Using "linkedin" as a password

    If you don't value your LinkedIn account particularly, as a lot of people probably don't, then the use of "linkedin" as a password isn't all that bad - after all, you're unlikely to be using that password elsewhere, and that is where the real problem lies.

    1. ThomH

      Re: Using "linkedin" as a password

      I was in the process of saying exactly the same thing.

      If you (i) don't consider it much of a loss if somebody else accesses your LinkedIn account; and (ii) don't want to share your LinkedIn password with any other site because LinkedIn passwords might leak; then something both unique to the site and easy to remember is ideal.

      Mine are usually slightly better than that but I am definitely guilty of having very little regard for the quality of passwords that I use for sites which have no privileged information about me whatsoever. What's the worst that can happen here? Somebody might delete or graffiti my online CV? Not only do I have it in various other forms but I'm pretty sure I could reconstitute it from nothing with fairly limited effort. It's not particularly difficult to remember which university I went to and the list of my employers since then.

      EDIT: hasty update on this, per the haveibeenpwned.com suggestion above, my LinkedIn password has leaked. So I guess I'll change it. But it's hard to feel a sense of urgency.

  15. breakfast
    Mushroom

    The worst social network

    People complain about Twitter being full of insane hateful trolls ( it is ) and Facebook being full of awful passive-aggressive dolts posting endless tiresome minion memes ( it is ) but the true dregs of humanity are to be found on Linked In.

    I don't even like to use the term in polite company, but Linked In is jammed full of recruitment agents.

    Awful. The worst.

    1. 0laf Silver badge

      Re: The worst social network

      And salesmen. don't forget the salesmen.

      1. Michael H.F. Wilkinson Silver badge
        Happy

        Re: The worst social network

        Just reply to the recruitment firms you are a headhunter .....

        A real one .....

    2. Duffaboy

      Re: The worst social network

      And users who are a bit economic with the truth

  16. macjules Silver badge

    Reason for the price drop?

    Is it perhaps due to the Acer Predator 15 G9-591-73MY, the supposed #1 choice in gaming laptops, having come down in price to $2,200?

  17. Anonymous Coward
    Anonymous Coward

    There's no reason to use a strong password on linkedin

    No one wants to "hack" your linked in profile. So you use the same password you use for all the sites you don't care about. A hacker who gets my linkedin password can visit my profile on a few online forums, shopping sites where you need a password to view order status, and the like. I'm not changing it, because I don't care if they get into those sites because they can't hurt me in any way.

    I use different & better passwords on sites that matter, so that if one is compromised it is just that one. But I can't be bothered to use a different strong password on every site. And yeah, I know about password managers, but I can't be bothered with that for sites I don't care about.

  18. DrXym Silver badge

    No salting?

    That link suggests that all the attackers needed to do to find the most common passwords was count duplicates. So 7c4a8d09ca3762af61e59520943dc26494f8941b was 123456 and they could count them up and crack them.

    LinkedIn, a site which should know better didn't even bother to salt its passwords. Not acceptable, not even in 2012.

  19. Jeffrey Nonken

    OMG now I'm going to have to change the combination on my luggage!

    Seriously... My LinkedIn password is rubbish, but it's not THAT rubbish.

  20. Tommy Pock

    If my password was 'blimeythisisalongpa$$word128bitsofentrOPy' it wouldn't matter a jot if a server has been hacked. I'd have been just as secure with 'passw0rd'.

  21. jzl

    LastPass

    I use a 20 character randomly generated password for LinkedIn. Just changed it with one click to another randomly generated 20 character password.

  22. Anonymous Coward
    Anonymous Coward

    Passwords are rubbish and a single point of failure

    Better to deploy 2FA and other techniques. These will at least keep you a few steps ahead of the script kiddies and other miscreants that seem to walk through so many mainstream site's security with such astonishing ease. But it does become a pain when you can't find the "something you have".

    1. Charles 9 Silver badge

      Re: Passwords are rubbish and a single point of failure

      And what if people don't routinely carry a second factor with them (say they hate cell phones)?

  23. Darth.0

    I'm secure

    I didn't see qwerty on the list, which means my new password has been selected.

  24. Roland6 Silver badge

    Kore Logic

    It would seem that Kore Logic should be proactively offering password DB analysis to the major online businesses, rather than restricting it to analysis of 'liberated' DB's.

  25. JimmyPage
    Stop

    All this casual "who cares about my LinkedIn" password ?

    On the one hand - a fair point.

    On the *other* hand, LinkedIn - like great many sites with the ability to post text on - is a vector for potential libel suits or worse, depending on your jurisdiction.

    If your LinkedIn account were to be compromised - without your knowledge - then you might be onm shaky grounds with a defence.

    Probably better to be as cautious as possible with *all* passwords.

    Hence another vote for a complex-password-generating password manager .....

  26. Anonymous Coward
    Anonymous Coward

    Yeah, so people use crap passwords. So what? My password for linkedin was a variant of what I use for many sites: a random letter combination I use for almost all passwords (no financial websites) and the phrase linkedin. Why? I manage my own passwords and just want them to be non-unique. If someone were to get my password for something and start to manually try other random websites, they might hit another one. So what: they can now post pictures on my facebook account as well. Whatever.

    All this sort of misses the larger point: if large businesses whose business model is the storage and manipulation of data have such crap security that 164 million logins and passwords can be swiped, what does it matter if my password is emmmcatbttihhmhp$50edmtmtptboayani (Eenie meenie miney mo catch a tiger by the toe if he hollers make him pay fifty dollars every day my mother told me to pick the best one and you are not it) or LinkedIn ??? It's still now out there and available for sale by some dimwit to some darkwit. Using "password" as your password for everything online? Sure, stupid. But hardly the larger problem.

  27. J.G.Harston Silver badge

    Err.... but LinkedIn is just (effectively) a chat site, and a very low-traffic site at that. As long as I don't use my trading account password or my banking account password, what's the harm? For throw-away thing like FarceBeuk and LinkedIn I *do* use such crappy easy-to-remember throw-away passwords, whereas my financial accounts have regularly-changed horse battery staples. The thing that really annoys me is sites such as job vacancies sites that insist you use a bank-account-strength password just to frikking read the frikking job adverts.

    1. Charles 9 Silver badge

      Social Engineering.

      They can glean information off your "throwaway" accounts to learn more about you to pull off social engineering attacks so as to perhaps execute a password reset attack on a higher-profile site.

      Think of it like a social version of privilege escalation.

  28. lurker 82
    Linux

    Official email from LinkedIn

    FWIW: I just got this:

    Subject: Important information about your LinkedIn account

    Notice of Data Breach

    You may have heard reports recently about a security issue involving LinkedIn. We would like to make sure you have the facts about what happened, what information was involved, and the steps we are taking to help protect you.

    What Happened?

    On May 17, 2016, we became aware that data stolen from LinkedIn in 2012 was being made available online. This was not a new security breach or hack. We took immediate steps to invalidate the passwords of all LinkedIn accounts that we believed

    might be at risk. These were accounts created prior to the 2012 breach that had not reset their passwords since that breach.

    What Information Was Involved?

    Member email addresses, hashed passwords, and LinkedIn member IDs (an internal identifier LinkedIn assigns to each member profile) from 2012.

    What We Are Doing

    We invalidated passwords of all LinkedIn accounts created prior to the 2012 breach that had not reset their passwords since that breach. In addition, we are using automated tools to attempt to identify and block any suspicious activity that might

    occur on LinkedIn accounts. We are also actively engaging with law enforcement authorities.

    LinkedIn has taken significant steps to strengthen account security since 2012. For example, we now use salted hashes to store passwords and enable additional account security by offering our members the option to use two-step verification.

    What You Can Do

    We have several dedicated teams working diligently to ensure that the information members entrust to LinkedIn remains secure. While we do all we can, we always suggest that our members visit our Safety Center to learn about enabling two-step

    verification, and implementing strong passwords in order to keep their accounts as safe as possible. We recommend that you regularly change your LinkedIn password and if you use the same or similar passwords on other online services, we recommend

    you set new passwords on those accounts as well.

    For More Information

    If you have any questions, please feel free to contact our Trust & Safety team at tns-help@linkedin.com. To learn more visit our official blog.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020