Bank Vault Door - Protect Your Passwords

Questions & Answers: The LinkedIn Security Debacle and You

What’s all this about a LinkedIn hack? Wasn’t that years ago?

For LinkedIn members, an old hack is coming back to bite us in the you-know-what. Back in 2012, hackers stole a list of passwords from LinkedIn. The passwords weren’t stored in plain text, but they were only hashed with unsalted SHA-1, a fast hash that is cheap to crack, so “encrypted” is generous. LinkedIn thought 6.5 million passwords had been stolen. We know now that it wasn’t 6.5 million; it was 117 million LinkedIn passwords plus their matching email addresses. (Everything you need to take over an account.) And, according to media reports, they’re now for sale by a hacker (with the ironic alias of “Peace”) on the dark web to any buyer for about $2,200 in Bitcoin.
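To show why an unsalted, fast hash is the weak spot here, the following is an added example (not LinkedIn’s code and not from the original post). It builds a constructed four-account “dump” from passwords named on this page, cracks it two ways with a tiny wordlist, and counts the work: with plain SHA-1 the attacker hashes each guess once and looks up every account, so the cost barely depends on how many accounts leaked; with a random per-user salt and a slow key-derivation function (PBKDF2 here) every account-and-guess pair costs a full KDF run. The email addresses and the wordlist are made up.

```python
import hashlib
import hmac
import os

# Constructed sample "dump": four made-up accounts, not real LinkedIn records.
# The passwords are the three worst ones named on this page plus the long random one.
SAMPLE_USERS = {
    "alice@example.com": "123456",
    "bob@example.com": "linkedin",
    "carol@example.com": "password",
    "dave@example.com": "d8e5c7*60$75b20a2e3@c3f53dfcf27e771f1c1fbbe",
}

# A tiny cracking wordlist; real ones hold hundreds of millions of entries.
WORDLIST = ["qwerty", "123456", "111111", "linkedin", "password"]


def unsalted_sha1_dump(users):
    """What LinkedIn stored in 2012: one plain SHA-1 digest per account, no salt."""
    return {email: hashlib.sha1(pw.encode()).hexdigest() for email, pw in users.items()}


def crack_unsalted(dump, wordlist):
    """Hash each candidate ONCE, then look every account up in the table.
    Work is len(wordlist) hashes no matter how many accounts leaked, and
    everyone who chose the same password shows up under one identical digest.
    Returns (recovered passwords by email, number of hash calls)."""
    table = {hashlib.sha1(w.encode()).hexdigest(): w for w in wordlist}
    found = {email: table[h] for email, h in dump.items() if h in table}
    return found, len(wordlist)


def kdf(password, salt, iterations):
    """Deliberately slow, salted password hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def salted_dump(users, iterations):
    """The better design: a random 16-byte salt per user plus a slow KDF."""
    out = {}
    for email, pw in users.items():
        salt = os.urandom(16)
        out[email] = (salt, kdf(pw, salt, iterations))
    return out


def crack_salted(dump, wordlist, iterations):
    """No shared table is possible: each (account, candidate) pair costs a full
    KDF run, so cost scales with accounts x wordlist x iterations.
    Returns (recovered passwords by email, number of KDF calls)."""
    found, calls = {}, 0
    for email, (salt, digest) in dump.items():
        for w in wordlist:
            calls += 1
            if hmac.compare_digest(kdf(w, salt, iterations), digest):
                found[email] = w
                break
    return found, calls


if __name__ == "__main__":
    weak, n = crack_unsalted(unsalted_sha1_dump(SAMPLE_USERS), WORDLIST)
    print(f"unsalted SHA-1: recovered {weak} with {n} hash calls")
    strong, n = crack_salted(salted_dump(SAMPLE_USERS, 100_000), WORDLIST, 100_000)
    print(f"salted PBKDF2:  recovered {strong} with {n} slow KDF calls")
```

Note what the salted run does not fix: the three weak passwords are still recovered, just at a cost that grows with every account and every guess instead of being paid once. Salting and a slow hash are the site’s job; a password that is not in anyone’s wordlist is yours.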

Either LinkedIn’s security analysts woefully underestimated the extent of the hack back in 2012, or they’ve not been forthcoming about how many accounts were potentially compromised. Neither is good for LinkedIn’s users.

After the break-in, LinkedIn forced many of its users to create new passwords. Today would be a good time for every LinkedIn member to do the same, and to change that password anywhere else you reused it, because leaked email and password pairs get tried against other sites as a matter of routine. Adding two-step verification via your cell phone is a good idea, too.


But People Use Good Passwords, Don’t They?

Analyzing a large segment of LinkedIn passwords, ZDNet recently published the top 20 passwords used on LinkedIn, and the list is quite depressing. The top password? 123456 – used by 753,305 LinkedIn users! The second most popular password to LinkedIn was linkedin. The third most popular was (drumroll please)… password. (Really? Why even bother with passwords if this is the best people can come up with!)

And shame on LinkedIn (and almost every other social media service) for letting users get away with such lame passwords, too! Rejecting a new password that appears on a list of the most common ones takes almost no effort on the site’s part.

Why Do Passwords Matter to Me?

1. LinkedIn Info Has Value

LinkedIn passwords are valuable to hackers. Not only can they access your account info, your email address and phone number, but they can download your entire list of connections, including their email addresses and where they work. They can then go after your colleagues with targeted phishing (messages that appear to come from you) or password-guessing attacks on their email accounts. So, even if you don’t have much info on your LinkedIn account, have some respect for your LinkedIn colleagues and protect them by protecting yourself.

2. Today, It’s All Interconnected

Unlike just a few years ago, there is all kinds of software to make it easier to share info between social media and other online accounts (like email). If a hacker gets into your LinkedIn or Facebook or other online account, they may have enough info to get into your email account. Once they control your email, they can get into many of your other accounts through those sites’ password-reset functions, which send the reset link to that same email address.

3. The Threat is Bigger

The web is bigger today, much bigger than a few years ago. This means there are also more bad people on the web trying to steal stuff. And the bad people share info.

The bad people also have better hardware and software for cracking password hashes and guessing passwords than before, too! Hacking is big business these days.

Even if you could squeak by with “Jane’sPassword” a few years ago, you cannot today.

Even Blogs are Targets

Even a small blog like Frugal Guidance 2 is a target for hackers. My security software sends me regular updates of how many times people (or software bots) try to guess the password to my website’s admin page. (The worst repeat offenders currently seem to be coming from Turkey and France.) I also have to update software weekly for security updates. Nobody has gotten in yet, but my blog is only as well protected as the least-well-protected site on my host. We’re all interconnected these days.

US Army Armored Car - World War I

You don’t need an armored military vehicle to protect your passwords.

You’re Scaring Me!

Good! Now, will this inspire you to do something?

OK, How Do I Change My LinkedIn Password?

Fortunately, this is easy.

Go on LinkedIn. Find the tiny menu icon with your photo on the upper right of your LinkedIn page.

Select Privacy and Settings.

This area was recently changed. The Account tab should automatically be selected in the upper row, and Basics in the left column.

From there, select Change password.

Then:

  1. Type in your current password. (You can copy and paste your password from a private file or a password manager, too.)
  2. Enter your new password.
  3. Retype (or paste) your password again.
  4. Click the box to Sign Out of all Sessions (in case you logged in from another computer or device and forgot to log out).
  5. Click on Save

Should I Sign Up for Two-Step Verification?

If you have a LinkedIn account and a cell phone, signing up for two-step verification increases your protection and it’s easy.

When you sign up, LinkedIn sends a text message to your cell / smart phone. You read the message and enter the 6-digit code into the requesting box on LinkedIn. That’s it.

In the future, whenever you log in to LinkedIn from a new device, you get a text message and enter the code on the LinkedIn page. Once per device.

Yes, frequent viewers of TV crime and espionage shows will note that the weakness here is that if a laptop owner kidnaps you and your cell phone, they can force you to let them into your LinkedIn account. If this happens to you on a regular basis, you might not be a good candidate for two-step verification. A more realistic weakness is that a text-message code can be phished (a fake login page simply asks you for the code too) or intercepted by someone who talks your carrier into moving your number to their SIM. Even so, it stops anyone who has only your leaked password, which is exactly the threat here.

How do I Sign up for Two-Step Verification?

Again, it’s easy-peasy. Go back to your Privacy and Settings page. Select Security on the left, then Two-step verification. Follow the instructions. You need to have previously given LinkedIn your cell phone number and you need to have the phone handy.

See their own Q&A about Two-step verification on LinkedIn’s Help pages.


What’s a Good Password?

Don’t be obvious and don’t be easy.

At minimum, make it long: combine two or three unrelated words with a number, some capitals and some of those figures on top of your number keys ($#@!&*, etc.). Don’t count on substituting signs for letters (p@ssw0rd) to save a weak word; cracking tools try those substitutions automatically, so length and unpredictability matter far more than clever spelling.

Better, use a program to create random passwords without words. (More, below.)

Use a different password for each site you visit. This is important!
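To make the “don’t be obvious” advice concrete, here is an added example (not from the original post) in Python. It normalizes a candidate password the way a cracking rule set would (strip trailing digits and punctuation, lowercase, undo common letter-for-symbol substitutions) and checks the result against a blocklist, so that “P@ssw0rd1234” and “Jane’sPassword” are caught even though they look decorated. It then generates passwords the right way, with the `secrets` module rather than `random`, and estimates their entropy. The blocklist is a constructed five-entry stand-in for a real breach corpus; the word list passed to the passphrase generator is assumed to be large and free of duplicates.

```python
import math
import secrets
import string

# Constructed blocklist: the top LinkedIn passwords named on this page plus the
# page's "Jane'sPassword" example. A real one holds millions of leaked entries.
BLOCKLIST = {"123456", "linkedin", "password", "janespassword", "qwerty"}

# Common letter-for-symbol substitutions; cracking rule sets undo these in one step.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t", "+": "t"})


def normalize(password):
    """Reduce a password to the dictionary word a cracker would try first."""
    p = password.rstrip(string.digits + string.punctuation).lower()
    p = p.translate(LEET)
    return "".join(ch for ch in p if ch.isalnum())


def is_weak(password, blocklist=BLOCKLIST, min_len=12):
    """True if the password is too short, or if it (or its normalized form)
    is a blocklisted word. Length is checked first: short is always weak."""
    if len(password) < min_len:
        return True
    return password.lower() in blocklist or normalize(password) in blocklist


def random_password(length=20,
                    alphabet=string.ascii_letters + string.digits + string.punctuation):
    """Uniformly random characters. secrets, not random: random.choice is a
    non-cryptographic PRNG whose output can be reconstructed."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words, count=5, sep="-"):
    """Diceware-style passphrase: `count` words drawn uniformly from `words`.
    Easier to type than random_password() at similar strength if the list is large."""
    return sep.join(secrets.choice(words) for _ in range(count))


def entropy_bits(choices, length):
    """Entropy of `length` independent uniform picks from `choices` symbols."""
    return length * math.log2(choices)


if __name__ == "__main__":
    for candidate in ["P@ssw0rd1234", "Jane'sPassword", "L1nked1n!!!!",
                      "d8e5c7*60$75b20a2e3@c3f53dfcf27e771f1c1fbbe"]:
        print(f"{candidate!r:50} weak={is_weak(candidate)} normalized={normalize(candidate)!r}")
    print("random 20-char:", random_password(20), f"(~{entropy_bits(94, 20):.0f} bits)")
    print("passphrase:", random_passphrase(["alpha", "bravo", "charlie", "delta", "echo"]))
    print(f"5 words from a 7776-word list: ~{entropy_bits(7776, 5):.0f} bits")
```

The entropy figures assume the generator is the only source of randomness; a password a person picks by hand has far less than the character count suggests, which is the whole argument for letting software choose it.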

How do I Keep Track of Lots of Passwords?

You can’t remember your own phone number, let alone a password list? At the very least, have a spreadsheet or text file with a list of your online accounts and a different password for each. That file needs a password of its own and it needs to be encrypted in case anybody else sits down with your device and copies it.

An Even Better Solution

Here’s a better idea. Get a Password Vault – better known as a password manager. Once it’s set up, you only need to remember one password to open the program. Then, with a few keystrokes, clicks or taps, you can log on to your favorite online sites easily without typing out the password. That means instead of using your dog’s birthday as a password, you can use a crazy-hard-to-crack password like d8e5c7*60$75b20a2e3@c3f53dfcf27e771f1c1fbbe.

If you stay awake at night worrying about hackers getting into your social media or your bank account, this is the way to go.

There are a number of good password managers out there, with names like LastPass, KeePass, Dashlane, RoboForm, 1Password, and many, many more. I’ve got links to reviews of the most popular ones below.

The main differences between the different password managers are:

  • Some save passwords online, some on your own computer. Both use encryption to protect the file.
  • Some use browser integration, some work independently of your browser.
  • Some can install the program and your password vault on a USB Drive, handy if you use public computers (say on a campus or in a library).
  • Some are easier to use than others.
  • Many good ones are free, others require some sort of fee.
  • Many have auxiliary programs so you can access the same password vault on Windows, on Macs, on iOS, Android, Windows Phone, and other devices.
  • Some of the commercial programs have easier-to-use interfaces and extra features, including automatic changing of passwords.

If you’re married (or sharing accounts with a significant other), it’s a little more complicated. If you share a single password for a banking or other joint accounts, use a single program with folders to organize your passwords into: His Passwords, Her Passwords, and Our Passwords. (Or something similar.)

But Setting Up Takes Time, Doesn’t It?

Yes, you have to learn a new program, set up new passwords, and learn how to use them on all your devices. Best to budget a couple of hours to get started.

But how much would you lose if your bank account was hacked? Time and Money? How much time would your friends and colleagues lose if their accounts were hacked because somebody sent them malware from your email account? Investing the time is worth it.

Do it! You know you should. Start Today. We have links to lots of info on password managers below.

Protect your passwords aggressively


Reviews and Comparisons of Password Managers

From PC Magazine, The Best Free Password Managers for 2016 and, if you prefer a commercial (paid) program, The Best Password Managers for 2016.

From Lifehacker, Five Best Password Managers by Alan Henry, Jan. 11, 2015.

From Wired Magazine, You Need a Password Manager. Here Are Some Good Free Ones by April Glaser, Jan. 24, 2016.

ConsumerAffairs.com, Compare Password Manager Reviews includes managers for both personal and corporate use, with links to reviews and lots of other info, including explanations of features for newbies.

References

From the International Business Times website, Has your LinkedIn been hacked? The 10 worst passwords used by members revealed by Jason Murdock, May 20, 2016.

These are the worst passwords from the LinkedIn hack by Zack Whittaker for Zero Day on May 19, 2016, on ZDNet.

2012 report on CNN Money, More than 6 million LinkedIn passwords stolen by David Goldman, CNNMoney Tech, June 7, 2012.

CNN Money report, Hackers selling 117 million LinkedIn passwords by Jose Pagliery, May 19, 2016.

TechCrunch report, 117 million LinkedIn emails and passwords from a 2012 hack just got posted online by Sarah Perez, May 18, 2016.

Motherboard article, Another Day, Another Hack: 117 Million LinkedIn Emails And Passwords by Lorenzo Franceschi-Bicchierai, May 18, 2016.

The Motley Fool article, Instant Analysis: 117 Million LinkedIn Passwords Up For Sale, by Leo Sun, May 23, 2016.

Photo Credits

The 12-ton door and safe deposit vault is of the Old Colony Trust Company of Boston, from the collection of the Detroit Publishing Co., created about 1913. Courtesy of the online catalog of the Library of Congress Prints and Photographs Division, Washington, DC.

The World War I era armored car was from the photographers, Harris & Ewing, taken 1916. Courtesy of the online catalog of the Library of Congress Prints and Photographs Division, Washington, DC.

The image of two Fort Benning machine gunners in a halftrack scout car is by Alfred T. Palmer in 1942 for the Farm Security Administration / Office of War Information. Courtesy of the online catalog of the Library of Congress Prints and Photographs Division, Washington, DC.

All three images were adjusted, cropped and toned in Photoshop and/or Topaz Labs image software.

Frugal Guidance 2 - http://andybrandt531.com