June 2016 – Passwords – Don’t be the Weak Link

The 2012 LinkedIn hack has been back in the news again recently after it was identified that the number of leaked credentials had increased from the previously reported 6.5 million records to a substantial 117 million records. With a network of 433 million accounts, this equates to 27% having been compromised. Needless to say, if you haven’t yet changed your details it’s important to do so. A report in The Register which analysed the LinkedIn hack recently revealed:

“Login credentials – especially to social media sites – are a valuable commodity for black hat hackers. A new password hash dump analysis on the LinkedIn breach from password recovery Kore Logic has revealed that many use easily cracked login IDs.

  1. 123456
  2. linkedin
  3. password
  4. 123456789
  5. 12345678

‘123456’ appears more than a million times (1,135,936 to be precise) in the dump, a long way clear of second-placed LinkedIn (207k). The most common ‘base word’ used in the passwords is, unsurprisingly ‘LinkedIn’.”

So what does this mean to us? Well, in an age where technical controls to prevent security breaches are becoming more sophisticated, we are still being let down by human factors and complacency around security measures. Passwords are still being shared across multiple accounts, which means that a compromise in one area hands the attacker credentials that can be tried against another.


It’s worth remembering that for the majority of us using LinkedIn, our account contains information about where we work and the role we perform. This gives attackers a ready-made picture of a potential target to try an attack against.

What can we do about this? There are a few things. Firstly, configuring secure password criteria on systems will ensure that the users of those systems are required to use a secure password and that it is changed regularly.
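One way to enforce such criteria at the point where a password is set, as an added example that is not the author’s code: the check below rejects passwords that appear in a known-common list, passwords whose “base word” (after stripping bolted-on digits and symbols and undoing common substitutions) is in that list, and passwords built around the site name. The five-entry denylist and the substitution map are constructed for illustration; a real deployment would load a full breach-derived list.

```python
import re

# Constructed denylist: the five most common passwords quoted from the
# LinkedIn dump analysis. A real deployment would load a full breach-derived
# list; these five are illustrative only.
COMMON_PASSWORDS = {"123456", "linkedin", "password", "123456789", "12345678"}

# Common character substitutions users apply to a dictionary word.
# Assumption: this mapping is a small illustrative subset.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})


def base_word(password: str) -> str:
    """Recover the dictionary 'base word' behind a password.

    Lower-cases, drops digits/symbols bolted on at either end (e.g. the
    '2016' in 'LinkedIn2016'), then undoes leet-style substitutions so
    'L1nk3d!n' and 'linkedin' normalise to the same word.
    """
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())
    return re.sub(r"[^a-z]", "", core.translate(_LEET))


def check_password(password: str, site_name: str, min_length: int = 12) -> list:
    """Return the list of policy failures for a proposed password (empty = OK)."""
    failures = []
    if len(password) < min_length:
        failures.append("too short")
    if password.lower() in COMMON_PASSWORDS:
        failures.append("in common-password list")
    word = base_word(password)
    if word and word in COMMON_PASSWORDS:
        failures.append("base word is a common password")
    if word and site_name.lower() in word:
        failures.append("base word contains the site name")
    return failures
```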

Secondly, training and awareness are key; creating a culture of security, embedding it into operations and communicating why security is so important will help ensure that passwords are taken seriously. The training and awareness should also stress the importance of not using the same password across multiple accounts.

Whilst the LinkedIn hack does not reveal any new areas of concern, it does act as a reminder of why we should stay diligent in reinforcing the security message within our organisations.