Has your password been cracked?

Thread starter: Guns Guns Guns (Guest)

Earlier this week a file containing what looked like 6.5 million passwords and another with 1.5 million passwords were discovered on a hacker forum, which offers password-cracking tools.

Someone using the handle "dwdm" had posted the original list and asked others to help crack the passwords, according to a screenshot of the forum thread, which has since been taken offline.

The passwords were not in plain text, but were obscured with a technique called "hashing."

Strings in the passwords included references to LinkedIn and eHarmony, so security experts suspected that they were from those sites even before the companies confirmed that their users' passwords had been leaked.

Hashed passwords that aren't salted can still be cracked using automated brute force tools that convert plain-text passwords into hashes and then check if the hash appears anywhere in the password file.

So, for common passwords, such as "12345" or "password," the hacker needs only to crack the code once to unlock the password for all of the accounts that use that same password.

Salting adds another layer of protection by including a string of random characters to the passwords before they are hashed, so that each one has a unique hash.

This means that a hacker will have to try to crack every user's password individually instead, even if there are a lot of duplicate passwords.

This increases the amount of time and effort to crack the passwords.

The LinkedIn passwords had been hashed, but not salted, the company says. Because of the password leak, the company is now salting all the information that is in the database that stores passwords.

In addition to inadequate cryptography, security experts say the companies should have fortified their networks better so hackers couldn't get in.

The companies haven't disclosed how the passwords were compromised, but given the large number of accounts involved, it's likely someone broke into their servers, maybe by exploiting a vulnerability, and snatched the data.

LinkedIn won't say whether user names were exposed, but says that e-mail addresses and passwords are used to log into accounts and that no e-mail log-ins associated with the passwords have been published, that they know of.

I would recommend changing your password if you use any of the sites that have issued warnings just in case.

Just because your password isn't on the leaked lists doesn't mean it wasn't stolen, and security experts suspect that the lists aren't complete.

So, you've changed your password on the sites, don't relax just yet.

If you recycled that password and used it on other accounts, you need to change it there too.

Hackers know that people re-use passwords on multiple sites out of convenience.

So when they know one password, they can easily check to see if you used it on another more critical site, such as a bank Web site.






http://news.cnet.com/8301-1009_3-57449325-83/what-the-password-leaks-mean-to-you-faq/
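
The difference between unsalted and salted storage described in the post above, as an added example that is not part of the original thread. The account names and passwords are constructed, and the choice of SHA-1 for the unsalted table and PBKDF2-HMAC-SHA256 with 100,000 rounds for the salted one is an assumption, not something the thread states.

```python
import hashlib
import hmac
import os

# Constructed sample accounts: three of the four users share one password.
USERS = {"alice": "password", "bob": "password", "carol": "12345", "dave": "password"}


def unsalted(password: str) -> str:
    """Plain SHA-1, no salt: equal passwords always give equal hashes."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted(password: str, salt: bytes, rounds: int = 100_000) -> bytes:
    """PBKDF2-HMAC-SHA256 with a per-user salt and a work factor (assumed values)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


def store_unsalted(users: dict) -> dict:
    """The weak layout: one hash column, nothing unique per user."""
    return {name: unsalted(pw) for name, pw in users.items()}


def store_salted(users: dict) -> dict:
    """The corrected layout: a fresh random salt is stored next to each digest."""
    table = {}
    for name, pw in users.items():
        salt = os.urandom(16)
        table[name] = (salt, salted(pw, salt))
    return table


def verify(table: dict, name: str, candidate: str) -> bool:
    """Login check against the salted table, using a constant-time comparison."""
    salt, digest = table[name]
    return hmac.compare_digest(digest, salted(candidate, salt))


def distinct_hashes(values) -> int:
    """Number of different stored hashes; fewer than users means shared hashes."""
    return len(set(values))


def accounts_sharing_hash(unsalted_table: dict, password: str) -> list:
    """Accounts matched by a single hash computation in the unsalted table."""
    target = unsalted(password)
    return sorted(n for n, h in unsalted_table.items() if h == target)


if __name__ == "__main__":
    print(distinct_hashes(store_unsalted(USERS).values()), "distinct unsalted hashes")
    print(distinct_hashes(d for _, d in store_salted(USERS).values()), "distinct salted hashes")
```

In the unsalted table one computed hash matches every account that uses that password; in the salted table every account has its own digest, so each one has to be checked separately.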
 
You know this really is a pain. I did change my LinkedIn password, but unfortunately it is a pw I use for a few other things. Now I have to go change those too. I hadn't thought of that.
 
Geese. I work online, but nothing else. I have a FB account, but mostly to leave messages (can't figure out how to work the darn thing, and prefer a messageboard).
The rest of my banking, etc., I just go to the bank, though I DO have direct deposit... I'm older, and just stuck in my ways.
Don't think I'll be using any of this stuff, I'm "secure" going to the darn bank - not that difficult, but with ATMs and debit cards etc., there is a lot to lose.
 
Mine does. Which is why my accounts with money (well, more than just spending money) aren't linked online. I specifically requested it.

My sharing dealing account, bank account and savings account require at least 3 different pieces of info. It is a pain setting them up but they are very secure.
 
Mine does. Which is why my accounts with money (well, more than just spending money) aren't linked online. I specifically requested it.

I requested the same thing regarding concern over my savings account and the lady on the phone just snickered. :(
 