LinkedIn mass hack reveals ... yup, you're all still crap at passwords

Analysis of passwords from the LinkedIn leak has revealed, should there be any doubt, that users remain terrible at choosing secure login credentials. Last week a black hat hacker using the nickname Peace was revealed as attempting to sell 117 million LinkedIn users' emails and passwords on the dark web. "Peace" wants 5 BTC …


  1. Anonymous Coward

    Time to...

    Ditch using social media, they can't be trusted with your details.

    Yes, I know this is an old story from 2012, my comment above relates to that time.

    1. Nate Amsden

      Re: Time to...

      And move to what? I have never had a Facebook or Twitter account but I do use LinkedIn. Though all of my info is "public" on LinkedIn (just career stuff) so there is really nothing to compromise data wise (I believe LinkedIn had me reset my pw back with the original breach(?)).

      I don't use LinkedIn for MUCH (though I am a premium subscriber), it has gotten me tons of career leads over the years (none of which I need right now), and really if just one of those pans out again in the future (little reason to think it wouldn't) it would have paid for itself right then.

      In general I'm not a social person so being able to stay "connected" to the people in my career is handy.

      I was thinking more along the lines of it shouldn't take much work to block such simple passwords from being used in the first place. I don't advocate requiring really strong passwords for something like linkedin, but people shouldn't be using 1234567 etc (unless I suppose it is a throwaway account or something). Maybe linkedin has already implemented this since this data is pretty old already.

      1. Pascal Monett Silver badge

        Re: And move to what ?

        Back to the time where your contacts were people in your phone list that you actually called every now and then to prove that you cared that much.

        1. Triggerfish

          Re: And move to what ?

          Back to the time where your contacts were people in your phone list that you actually called every now and then to prove that you cared that much.

          I would love that to be true, but there are people I know who just don't seem to use the phone anymore, it's all messenger type apps, there are also people I know abroad and phone calls are not cheap, or have pain in the bum time differences.

          1. Vic

            Re: And move to what ?

            there are also people I know abroad and phone calls are not cheap

            Phone call pricing is really quite bizarre.

            I phoned my brother in Sydney the other week. A phone call to the other side of the planet - and it was cheaper than ringing my next-door neighbour...

            Vic.

            1. Triggerfish

              Re: And move to what ?

              You have to wonder at the real cost as well, using foreign sims to call home you start to wonder how much is operating cost and how much is profiteering.

          2. heyrick Silver badge

            Re: And move to what ?

            "there are also people I know abroad and phone calls are not cheap"

            Part of my contract includes free calls from my house phone to a land line in pretty much every country on the planet (except those usually deemed unfavourable to the world). Dunno how they account for that. I guess they make their money in that sending a single SMS from my mobile to a mobile in another country costs the same as calling them for a minute. I think the pricing is intended to confuse everybody to make operator comparisons meaningless.

      2. Rafael 1
        Windows

        Re: And move to what?

        Can't answer this question, since I am as social-network-shy as any bearded hermit in a cave in a mountain. But from the three you've mentioned LinkedIn is the most obnoxious: Facebook only bugs me about "people that I know" when I log on it, in a small notification icon so discreet I don't even remember how it looks.

        LinkedIn, on the other hand, sends several e-mails, each week, to more than one account, about "Roger Neverheardabouthim wants to add you to his network".

        Sometimes I am tempted to play "six degrees of LinkedIn", and see if I can figure out how am I related to that twerp. A neighbor of the wife of a former student? Someone who is tempting to brag about having more contacts than the other idiots on his PR company? An Amway representative? Unfortunately I'd have to log in to discover, so I just delete the e-mails.

        1. Pen-y-gors

          Re: And move to what?

          There is a lot of LinkedIn spam/scams - I get the odd email (but interestingly NOT to my LinkedIn e-mail address) asking me to connect to someone - the strange thing is the email only offers one button "confirm you know this person" - there's no option to click on "never heard of the little sod", so the only option is to delete the email and ignore, until another arrives next week telling me I haven't responded yet. Who designed this shit?

          1. heyrick Silver badge

            Who designed this shit?

            A few years back I had quite a bit of spam from LinkedIn. Given the mail did come from them, I contacted them to ask if they could stop sending this junk.

            I was told I'd need to create a profile to manage my mailing preferences.

            So I decided the easier way is to create a filter. Anything from LinkedIn gets automatically binned.

        2. Anonymous Coward

          Re: And move to what?

          LinkedIn, on the other hand, send several e-mails, each week, to more than one account, about "Roger Neverheardabouthim wants to add you to his network".

          The thing that earned LinkedIn a permanent spot in my spamassassin.cf was emails wanting to add mips@gentoo.org to peoples' networks.

          mips@gentoo.org is just an alias for those of us who maintain Gentoo Linux on MIPS processors (SGI, Cobalt, Lemote). mozilla@gentoo.org copped a few too, and years ago, I was on both aliases.

          When you consider those sorts of capers, it is clear LinkedIn don't give a damn about peoples' abuse of their network and that the "links" developed there are pretty much worthless from an employment point of view.

          Want a job in IT? Start doing some meaningful work in the open-source world. Your name will then start to appear in search engines and your work will clearly stand on its own to any employer worth working for.

      3. macjules
        Pint

        Re: Time to...

        I can still somewhat wistfully recall when 'not available' simply meant taking the phone off the hook.

      4. DrXym

        Re: Time to...

        "I have never had a facebook or twitter account but I do use linkedin. "

        I use LinkedIn but most of the time I feel more like it's using me. During a contract phase I accepted links from some agents. Big mistake. These agents get a job spec in that says "java" in it and spam everyone who comes up in a search result. Multiply that by every agent who has the spec and it's a lot of spam. It's become a cattle market and people on the system have become the cattle to be monetized for the benefit of people like agents.

        I've disconnected from the lot of them. If they want to talk with me they can spend one of their precious InMails. Chances are I'll ignore that too but at least it shows some kind of deliberate attempt to interact rather than spamming dozens of people at once.

  2. Valeyard

    it's linkedin though...

    It's so rubbish it's one of the least secure passwords in my KeePass because I really don't care that much about it..

  3. Bod

    Genuine accounts?

    How many of 117 million accounts are genuine or serious accounts?

    I mean, a lot of people just knock up an account on sites to get access to view something they can't without an account. Then there are developers and testers who create many random test accounts to test an app using their API and such, and most likely use 123456 as a password.

    A lot of people also probably just sign up out of interest, put in no details and never really use it. Half my address book comes up showing people with LinkedIn accounts but half of those have empty profiles and are unused.

    I wouldn't be surprised if accounts created by recruiters and businesses that basically aren't personal accounts, also have weak passwords.

    1. Doctor_Wibble
      Devil

      Re: Genuine accounts?

      > How many of 117 million accounts are genuine or serious accounts?

      I don't think that should be an either-or question, e.g. mine is genuine but I wouldn't call it 'serious' because I barely touch it. On the other hand it's several years overdue for a revenge attack on everyone for all those 'blahblah added yoghurt knitting as a new skill' and 'blahblah moved desks again' updates that it keeps forgetting I repeatedly tried opting out of.

      I will pick the least interesting job and add as many excruciatingly irrelevant yet update-worthy details as I can think of.

    2. John Brown (no body) Silver badge

      Re: Genuine accounts?

      "I mean, a lot of people just knock up an account on sites to get access to view something they can't without an account."

      I must have done that at least a dozen times on LinkedIn over the years. I have no idea what names or passwords I used because I never have any intention of ever accessing those accounts ever again. The question is, does LinkedIn or similar sites ever do housecleaning? Or are they, like many "social networking" users, all doing the same thing and using numbers of "friends" for bragging rights?

      Anyone who creates a social media account then either never uses it or doesn't even log in for more than 3 months really ought to be marked dormant then deleted after 6 months. (The account, not the user!)

      1. allthecoolshortnamesweretaken

        Re: Genuine accounts?

        Thanks for the clarification as to what is to be deleted!

        But they won't do that - their selling point is "Look at our huge user base! And it keeps growing!"

        1. Anonymous Coward

          Re: Genuine accounts?

          A better approach would be to publish "active" accounts only in user base statistics (those accessed in the last three months for example). People paying for linkedin accounts should get a pass. They deserve to use their accounts as much or as little as they like.

          On the other hand, the duff and dead free accounts should not be counted as active, for truth in advertising, if nothing else. Web hit counters that should report unique or new visits only face a similar dilemma when they don't discard crawlers and other bots from their stats.

          Anyway this latest news may cause a few of those 117 (164 or 167) million pwned LI users to visit their accounts again to change their passwords. I certainly did and I am a Premium user.

          For more fun and games check Troy Hunt's https://www.troyhunt.com/ to see where your email has shown up in data-breach land. Quite eye-opening, some decent blogs as well.

      2. Anonymous Coward

        Re: Genuine accounts?

        They might do some housecleaning. I occasionally browse through the "people you may know" list. At least two of the accounts I used to see on the list were deceased. I haven't seen them on the list in the last couple of months, so they may have had their accounts deactivated. One of the contacts was pretty high profile (retired Congressman) so he'd be a candidate for manually dealing with the account (or, more likely, having a staffer remove/lock/etc. the account). The other person was much more low profile.

  4. Dave W

    Tosh

    There's also the argument that as LinkedIn is such a steaming pile of tosh, many people (myself included) use crap (weak) disposable passwords.

    There's absolutely nothing of value in my LinkedIn account - just lots of people trying to connect with me so that they can try to sell me stuff, and the credentials I used are so weak that I wouldn't dare use them anywhere else.

    1. Anonymous Coward

      @Dave

      "just lots of people trying to connect with me so that they can try to sell me stuff"

      Which could just as easily originate from a bunch of spam drones. In other words: compromised accounts from people who thought just like you and also didn't see the need to apply better security.

      1. Valeyard

        Re: @Dave

        compromised accounts from people who thought just like you and also didn't see the need to apply better security.

        nah, contracting agency drones, even more soul-less

  5. Tom Wood

    Attitudes to risk

    I really don't want someone to get access to my bank account, or my email account, or root access to my servers, so I use secure passwords for them.

    But LinkedIn, or for that matter some random forum such as this one, what's the worst that can happen if someone logs in as me?

    The main risk if someone steals my login details from the likes of LinkedIn (or indeed this forum, which doesn't even use a HTTPS connection...) is if I use the same email and password combo for either this site and others, or for my email account, in which case they can get access to all the "forgotten password" emails and the like.

    But if I don't, then what's the problem?

    I have a better lock on the front door of my house than I do on my garden shed, for much the same reason. Get into the shed and at most you can steal some plant pots, potting compost, barbecue charcoal and a bit of garden furniture maybe.

    1. Banksy

      Re: Attitudes to risk

      "But LinkedIn, or for that matter some random forum such as this one, what's the worst that can happen if someone logs in as me?"

      In the case of LinkedIn they could get in touch with your contacts and tell them they're a c**k, that you shagged their mum, that you worked somewhere disreputable, that sort of thing. That's what I'd do anyway.

      1. Anonymous Coward
        Pint

        Re: Attitudes to risk

        but by me using a crap password, I could tell everyone that I endure they are complete utter cocks, then blame it on the hack.

        Win all round

      2. Vic
        Joke

        Re: Attitudes to risk

        In the case of LinkedIn they could get in touch with your contacts and tell them they're a c**k, that you shagged their mum, that you worked somewhere disreputable, that sort of thing.

        ...Or they could say something that's untrue...

        Vic.

    2. Charles 9
      Devil

      Re: Attitudes to risk

      But the problem is, what if you ALSO accidentally dropped a bit of a bill or something else that can identify you more completely. Then that shoddy shed lock just became an inroad to social engineering or even identity theft. That's why ANY site with a bad password can be risky. ANY information they can glean from it can be used to reconstruct your identity, at least to the point they can employ social engineering to get more information and then eventually they have enough to compromise or steal your identity.

      1. Tom Wood

        Re: Attitudes to risk

        "ANY information they can glean from it can be used to reconstruct your identity, at least to the point they can employ social engineering to get more information and then eventually they have enough to compromise or steal your identity."

        They *could*. But *would* they?

        Your common-or-garden cybercriminal, much like your common-or-garden house burglar, will go for the easiest targets. They're after quick money not some convoluted identity theft.

        In practice, my LinkedIn password is better than "password" or "12345678", but not as good as 12 truly random characters or whatever. Which is fine, as long as there are lots of people who have passwords worse than mine; just as my house isn't likely to get burgled as long as I have pretty good locks on the doors, and the guy down the street has crap ones.

        1. Charles 9

          Re: Attitudes to risk

          "Your common-or-garden cybercriminal, much like your common-or-garden house burglar, will go for the easiest targets. They're after quick money not some convoluted identity theft."

          But you could always have motivated enemies out to target you specifically or one who just feels like putting forth extra effort, like you say, so as to steal an identity and milk it for all its worth (one big haul versus many little ones) much like sociopathic stalkers who groom their victims over time.

  6. m0rt

    I was informed by haveibeenpwned? this morning. The email address was one that has been defunct (I still have the domain, though) since late 2008. I 'killed' my LinkedIn account when they, by default, started allowing the profiles to be indexed by Google without an opt-in for this.

    So the account was three years defunct by the time the data was leaked. This is also looking like one of the biggest datadumps of users to date.

    I am not arsed about my old LI account. But it hits home that if, say, Amazon ever had a rogue employee, or were hacked, (though I imagine Jeff has some seriously dodgy internal police force that use 'justifiable' force), then I would be worried. I realised, recently, that my amazon account, with all the purchases visible since 2000, and a lot of addresses I have used over that time, has more info about me than probably any other online resource. Including gov sites. (Exception of GCHQ probably - Hi guys).

    1. Seajay#

      2FA on amazon

      Did you know you can trick Amazon UK into enabling 2FA even though (for no obvious reason) it isn't available here yet?

      http://www.techworld.com/security/how-brits-can-enable-amazon-two-factor-authentication-security-now-3631955/

      Worth doing.

  7. JimmyPage Silver badge
    Thumb Up

    Not about linked in, but a plug for "haveibeenpwned.com" (and Lastpass)

    Been signed up with them for a few years now, and this is the first alert they have had to send me ...

    You're one of 164,611,595 people pwned in the LinkedIn data breach

    Like others here, my LinkedIn password is probably the lowest level, since it's not really used much. Still I note (with interest) that it was last changed in 2014 (LastPass notes such things).

    Oh, and a big-up for LastPass here. I just tried their "autochange password" function (on LinkedIn) and it worked a charm. So weighing cloudy encrypted vault against top-notch per-site password protection, I'll risk LastPass any day.

  8. 0laf
    FAIL

    Maybe not now

    This was 4yr ago.

    Maybe we're all great at passwords now...maybe.

    I got the domain list this morning and I think out of 300 accounts about 20 of them were still valid. Most of the remaining users could barely remember using LinkedIn if at all.

  9. smartypants

    Stop being surprised at shit passwords

    Passwords are a broken way to enforce security. How much more proof do we need that significant numbers of people find passwords a bother and always will?

    When are we going to start building a replacement for this broken idiom which humans have no problems with?

    1. Pascal Monett Silver badge

      Probably as soon as you explain what better method we could use.

      And if you answer biometrics, you've lost.

      1. smartypants

        I didn't expect this.

        In years to come, the proof that passwords are a good way to enforce security will be that some bloke pointed out how shit they were and didn't provide an alternative.

        Seriously

        Lol.

        1. Charles 9

          Re: I didn't expect this.

          "In years to come, the proof that passwords are a good way to enforce security will be that some bloke pointed out how shit they were and didn't provide an alternative."

          What if someone produced a true reductio ad absurdum that showed that anything other than passwords is provably worse than passwords, which we know to be unacceptable because people can have bad memories? Then I have to wonder where we go from there...

          1. Pascal Monett Silver badge

            Passwords are not a good way to enforce security. Like democracy, they are the least bad way we have now.

            Because if your eyeball gets compromised, what do you do then ?

            1. Charles 9

              "Passwords are not a good way to enforce security. Like democracy, they are the least bad way we have now."

              Only thing is, we're realizing all these "least bad" solutions are not acceptable. So we need an alternative that is better than the least bad solution out there, and we need it soon before the whole house of cards collapses in on itself.

              1. cbars Bronze badge

                "So we need an alternative that is better than the least bad solution out there"

                Half a password?

      2. Charles 9
        FAIL

        "And if you answer biometrics, you've lost."

        And if you answer anything OTHER than biometrics (because for many people biometrics is all they have, literally. No phones and terrible memories for anything else), you've lost, too.

        Meaning we're lost either way. Meaning it's a lost cause...

  10. wolfetone Silver badge
    Coat

    Glad to see my 987654321 password isn't in the Top 6.

    I'm doing security correctly.

    1. Anonymous Coward

      987654321

      Sort-of-related story: a colleague used to play a version of Lotto/Powerball with the numbers 1-2-3-4-5-10. His theory was that if ever 1-2-3-4-5-6 was drawn, lots of clueless yokels would have to share the prize, but with 1-2-3-4-5-10 the top prize would be all his.

      Changing my password to 1-2-3-4-5-10 in 9, 8, 7, 6...

      1. 0laf
        Boffin

        Re: 987654321

        He's right.

        Loads of people have 1-2-3-4-5-6, it's just as likely to come up as any other combination but as he said if it does come up it'll be shared between thousands.

        If he wants to keep it all for himself he should pick a range of numbers above 31. Many people use dates of birth for picking numbers and you cut them out of the share above that. And you're just as likely to win. Which is not very these days.

        1. Charles 9

          Re: 987654321

          No, because people know there are numbers above 31 and start looking for other sources of numbers. Clocks and times provide up to 60 in this case, and years can cover any lottery spread there is right now.

      2. JimmyPage Silver badge
        Happy

        Re: lottery wins

        I recall a story that the NY lottery was once won by hundreds of people.

        The reason ? The winning numbers made an "X" in the playslip .......

      3. Steve Graham

        Re: 987654321

        I analyzed the winning stats and got a set of numbers which only or mainly occurred in single-ticket jackpots.

        It didn't help. They kept taking my money and never awarded me a prize.

  11. Lucasjkr

    How come nearly the first thing that was ever told to me was that each password gets its own unique salt, yet so many developers who are paid multiple times what I earn thanks to lucrative stock options at places like LinkedIn, never think about this?
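As an added illustration of the per-password salt point above (example code written here, not code from the original thread or from LinkedIn): a constructed three-user credential table is stored once with a fast unsalted hash and once with a random 16-byte per-user salt plus PBKDF2. In the unsalted table two users who share a password have identical digests, so a leaked copy reveals the duplicate and a single precomputed lookup breaks both; in the salted table every record differs and each one has to be attacked separately.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed sample accounts: alice and bob happen to share a password.
USERS = {
    "alice": "123456",
    "bob": "123456",
    "carol": "correct horse battery staple",
}

# Iteration count is kept modest so the demo runs quickly; production
# deployments should use a tuned, higher value.
ITERATIONS = 100_000


def unsalted_sha1(password: str) -> str:
    """Fast, unsalted hash: identical passwords yield identical digests."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Per-user random salt + PBKDF2-HMAC-SHA256, stored as one record.

    Record layout (this example's own convention): algo$iters$salt_hex$digest_hex
    """
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def duplicate_groups(table: Dict[str, str]) -> List[List[str]]:
    """Users whose stored values are identical: what a leaked table gives away."""
    by_value: Dict[str, List[str]] = {}
    for user, stored in table.items():
        by_value.setdefault(stored, []).append(user)
    return [users for users in by_value.values() if len(users) > 1]


def build_tables():
    """Return (unsalted_table, salted_table) for the sample users."""
    unsalted = {u: unsalted_sha1(p) for u, p in USERS.items()}
    salted = {u: hash_password(p) for u, p in USERS.items()}
    return unsalted, salted


if __name__ == "__main__":
    unsalted, salted = build_tables()
    print("shared digests, unsalted:", duplicate_groups(unsalted))  # [['alice', 'bob']]
    print("shared digests, salted:  ", duplicate_groups(salted))    # []
    print("verify bob:", verify_password("123456", salted["bob"]))   # True
```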

    1. John Brown (no body) Silver badge
      Joke

      I think the first thing I was ever told was "Aaaaaawwwwww, don't you look cute!". It was a number of years later before I was told anything about passwords. Probably some while after I learned to speak.
