Some time ago, a very popular social network (whose name rhymes with PinkedIn) revealed that 6.5 million hashed user passwords were liberated and published to hacker sites on the internet.
The alarming part of that news was that those passwords were also revealed to be “unsalted”, which in layman’s terms means that even though they were stored as hashes (instead of ‘password123’ they were stored as something like ‘ad8gd23n5tn50053n29df90s124vad8yasgyaen3tn’), it won’t be hard to recover the originals.
This also means that if those same hackers already have account information from other sites (for, say…Macebook?), they can now easily check whether your password there is the same as on PinkedIn.
This gave me pause.
Granted, LinkedIn’s storing passwords unsalted is just…negligent. However, it made me realize how wide open the internet is when users don’t want to make the smallest effort to create and manage decent and unique passwords for each web service they use.
Since this hack, many more sites have been breached, and dictionary attacks on exfiltrated password data, run on cloud-based tools, make cracking passwords child’s play.
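To make the “unsalted” point above concrete, here is an added example (my own illustration, not code from the post or from any site mentioned): the weak storage scheme beside a salted one, showing why a dictionary hashed once can be looked up against every unsalted value in a dump and why identical passwords become visible. It assumes the weak scheme was a single fast hash (SHA-1 is used as a stand-in) and uses a small constructed wordlist.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed wordlist standing in for a cracking dictionary (not real breach data).
WORDLIST = ["password123", "letmein", "qwerty", "correcthorse"]

def hash_unsalted(password: str) -> str:
    """Weak scheme: a single fast hash with no salt. Same password -> same digest, everywhere."""
    return hashlib.sha1(password.encode()).hexdigest()

def hash_salted(password: str, salt: Optional[bytes] = None, rounds: int = 100_000) -> str:
    """Corrected scheme: per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256).
    Stored as 'rounds$salt$digest' so the verifier can recompute it later."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"{rounds}${salt.hex()}${digest.hex()}"

def verify_salted(password: str, stored: str) -> bool:
    """Recompute the KDF with the stored salt and compare in constant time."""
    rounds, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)

def recover_with_table(leaked: list[str], words=WORDLIST) -> dict[str, str]:
    """Why unsalted is 'not hard' to reverse: hash the wordlist once and look every
    leaked value up. The same table serves any unsalted dump from any site; it never
    matches a salted record, whose digest depends on a salt the table did not use."""
    table = {hash_unsalted(w): w for w in words}
    return {h: table[h] for h in leaked if h in table}

def reuse_visible(stored_values: list[str]) -> bool:
    """Can a reader of the dump tell that two accounts share a password? True when any
    two stored values are identical, which unsalted hashing guarantees for equal inputs."""
    return len(set(stored_values)) < len(stored_values)

if __name__ == "__main__":
    dump_unsalted = [hash_unsalted("password123"), hash_unsalted("password123")]
    dump_salted = [hash_salted("password123"), hash_salted("password123")]
    print("unsalted reuse visible:", reuse_visible(dump_unsalted))   # True
    print("salted reuse visible:  ", reuse_visible(dump_salted))     # False
    print("table hits, unsalted:", recover_with_table(dump_unsalted))  # one hit per record
    print("table hits, salted:  ", recover_with_table(dump_salted))    # {}
```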
For the record, I am no expert. However, there are 5 simple things you can do to prevent your passwords from being snarfed.
- Use two-factor authentication.
- Use the longest password your web site can accept.
- Use a password manager to store, and even generate, difficult-to-crack passwords.
- Use a unique password for every web site you use.
- Use this guide!