Bob

Quite a lot of you folks use LinkedIn here, so thought you might be interested if you haven't already heard:

6.5M passwords leaked in a hack - http://www.telegraph.co.uk/technolog...passwords.html

Though don't know how much of a threat it really is as I think they only stole the hash keys, so alone not that much use.

Either way, probably still worth changing your password.

cindyabs

I end up doing that fairly regularly anyway, since my own memory vault for those is full and I never can remember ones for less visited sites.

rpjs

More to the point, if you've used the same password on other sites, change it there too, using a different password for every site.

I seen some suggestions that LinkedIn weren't salting their password hashes, which makes the leaked hashes vulnerable to brute force attacks, which are getting easier and easier with modern GPUs. For those of a technical bent, this article is interesting reading - for non-techies, the bottom line from it is that your passwords need to be at least 12 characters long to be reasonably secure these days.

Nutek

Seems there might be another issue with LinkedIn to be aware of if you use the iPhone app.
http://arstechnica.com/apple/2012/06...-linkedin-app/

Bob

http://7habitsofhighlyeffectivehacke...-password.html

Basically if the hash tables haven't been salted, you're boned.

I'm guessing it's time to use KeePass to auto generate passwords, for individual sites now being a must....or use weird, long pass phrases.

http://keepass.info/

Bink

Done. Thanks for the heads up. I hadn't gotten around to checking the beeb yet today.

Nutek

Looks like eHarmony got hit too.

Bob

So you're saying to everyone on BE who we've told to go get married, might be in trouble too?

Nutek

Nutek

Heads up... Todays winner is... Last.FM

Hacked... Check those passwords.

http://arstechnica.com/security/2012...eir-passwords/

Might be easier to list the places that havent been hacked recently.

markwm

Have used hash/salt for quite some time for password protected applications and came across this a while back which looks interesting: http://bcrypt.codeplex.com/. Will be evaluating this and, if secure enough, reversing into the current application.

I simply do not understand why businesses like LinkedIn aren't choosing to use the securest possible methods to protect their clients - it's not like it would really cost them serious money to do it.

Nutek

You would think everyone would have learned their lesson from Sony. It's certainly been long enough.

markwm

Indeed though I suspect it';s becuase a lot of social networking companies are not created by professionals and only hire fresh out of college (cheap) and inexperienced developers who neither recall such incidents nor fully understand the ramifications of a poor security model.

Bob

Probably a simple cost analysis at the beginning, once the site starts to take off and they figure it isn't worth it and then suddenly they get big and it becomes expensive to change things around and then becomes bad for investors to find out they're not very secure so try to hide it.

Apparently linked in is saying the emails haven't been hacked, they think, possibly. If that's the case, passwords alone aren't to much use. Bit late to be salting the passwords now though, but better late than never...

Nutek

Right now, these hackers can

1) Find you a job
2) Get you a date
3) Play you some romantic music

They should start a Social site or something.