Macworld Forums
LinkedIn hack FAQ: What you need to know

#1 Macworld

  • Story Poster
  • Group: MW Bot
  • Posts: 31,655
  • Joined: 30-November 07

Posted 07 June 2012 - 04:31 AM

Post your comments for LinkedIn hack FAQ: What you need to know here

#2 d00d

  • Advanced Member
  • Group: Macworld Insiders
  • Posts: 12,593
  • Joined: 24-April 01

Posted 07 June 2012 - 04:58 AM

And by "Yes and no. The passwords were all hashed using SHA-1 and so they won’t be readable without the right software." you mean they won't be readable at all and that at best they'll find some collisions which aren't actually your password? It's improbable that they'll be able to turn that hash into your actual password (unless you used a dictionary word and they brute force it), but due to certain weaknesses in SHA-1 they might come up with another password that would work as your password anywhere else they store your password as a SHA-1 hash.

#3 aestival

  • Member
  • Group: Macworld Insiders
  • Posts: 548
  • Joined: 04-October 04

Posted 07 June 2012 - 05:27 AM

d00d, on 07 June 2012 - 04:58 AM, said:

And by "Yes and no. The passwords were all hashed using SHA-1 and so they won’t be readable without the right software." you mean they won't be readable at all and that at best they'll find some collisions which aren't actually your password? It's improbable that they'll be able to turn that hash into your actual password (unless you used a dictionary word and they brute force it), but due to certain weaknesses in SHA-1 they might come up with another password that would work as your password anywhere else they store your password as a SHA-1 hash.

I don't think I'm atypical: I used a routine alphanumeric 8-character password for LinkedIn (since changed to something more involved, of course), because I just have basic membership and frankly I don't really care that much whether someone hacks my account.

Since LinkedIn brilliantly failed to salt the hashed passwords, it would take even a hapless programmer like me at most a few days to crack all possible 8-character alphanumerics -- you're grossly overstating the difficulty that the hackers face. SHA-1 can be very secure, but not when it's used the way LinkedIn used it.

#4 Dotkhan

  • Member
  • Group: Members
  • Posts: 84
  • Joined: 13-May 10

Posted 07 June 2012 - 06:00 AM

"it's best to assume the worst"

In most situations worst-first thinking is usually wrong and only fuels paranoia.
Security expert Bruce Schneier made some interesting observations in his TED talk on The security mirage. It ties together a wide range of topics and I recommend hearing the whole video.
If it's in the news, don't worry about it. Because by definition, news is something that almost never happens.

#5 joepublic

  • Member
  • Group: Members
  • Posts: 52
  • Joined: 15-December 04

Posted 07 June 2012 - 06:25 AM

If you can, you should be using 1Password for everything - you can generate a very secure unique password for every service you use, so no risk of one leak on one service resulting in another being potentially compromised.

#6 Dotkhan

  • Member
  • Group: Members
  • Posts: 84
  • Joined: 13-May 10

Posted 07 June 2012 - 06:32 AM

"We don’t know" often is said just before we hear of some speculation. At least the author included the possibility that those behind this may only have the passwords and not the user names or access to credit cards.

The TED talk about putting various security risks in perspective is at:
http://www.ted.com/t...e_schneier.html

#7 d00d

  • Advanced Member
  • Group: Macworld Insiders
  • Posts: 12,593
  • Joined: 24-April 01

Posted 07 June 2012 - 07:37 AM

aestival, on 07 June 2012 - 05:27 AM, said:

I don't think I'm atypical: I used a routine alphanumeric 8-character password for LinkedIn (since changed to something more involved, of course), because I just have basic membership and frankly I don't really care that much whether someone hacks my account.

Since LinkedIn brilliantly failed to salt the hashed passwords, it would take even a hapless programmer like me at most a few days to crack all possible 8-character alphanumerics -- you're grossly overstating the difficulty that the hackers face. SHA-1 can be very secure, but not when it's used the way LinkedIn used it.

Fair enough. I'll admit I only read this article which failed to mention the lack of salt.

Given that, hackers could use a rainbow table to figure out your password for sufficiently short passwords.

I still contend the article is misleading, causing users to believe that hashed passwords are normally reversible using some software. It requires prerequisites not discussed. The fact of the matter is people should change their passwords because they often satisfy the conditions.

And it should be noted that due to mistakes in both implementation and losing the hashed passwords, one shouldn't trust LinkedIn anymore, opting for a complex (or at least long) password that you only use on their site.
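As an added example (not code from this thread, from LinkedIn, or from the article), the unsalted SHA-1 scheme that aestival and d00d criticise is placed beside a salted, iterated scheme, to show the property both posts turn on: with a random per-user salt, two accounts sharing one password no longer share a stored value, so a single precomputed table cannot be reused across the user base. Function names and the sample passwords are my own.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple


def unsalted_sha1(password: str) -> str:
    """The scheme under discussion: one deterministic SHA-1 digest per password.
    Every user with the same password gets the same hash, so one precomputed
    lookup table (or one cracked hash) covers all of them at once."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 200_000) -> str:
    """Hardened form: a random 16-byte per-user salt plus an iterated KDF
    (PBKDF2-HMAC-SHA256). The record is self-describing so the iteration
    count can be raised later without breaking existing records."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the KDF with the stored salt and iteration count, then
    compare in constant time. Malformed records verify as False."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    except ValueError:
        return False
    return hmac.compare_digest(dk.hex(), dk_hex)


def same_password_shares_hash(password: str, user_count: int = 2) -> Tuple[bool, bool]:
    """Constructed check: do `user_count` accounts that share one password end
    up with identical stored values? Returns (unsalted_identical, salted_identical)."""
    unsalted = {unsalted_sha1(password) for _ in range(user_count)}
    salted = {hash_password(password, iterations=1_000) for _ in range(user_count)}
    return len(unsalted) == 1, len(salted) == 1


if __name__ == "__main__":
    # "password" is a constructed sample value, not taken from any dump.
    print(unsalted_sha1("password"))            # identical for every such user
    print(same_password_shares_hash("password"))  # (True, False)
```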
