Please change your LinkedIn password now. I mean right now. If you are someone who uses the same password across multiple sites, review your passwords immediately. If the LinkedIn password was shared across sites, those passwords should be changed right now. If your LinkedIn password resembles your work credentials, change them. Change them all. Right now.
Unfortunately, users rarely take password security seriously. It has been shown that most users use one password for all their accounts. That is a problem when a breach like this LinkedIn loss of 6.5 million passwords occurs. The attacker is a worthy opponent. They know what to do. The hacker who stole this information has already gotten into some bank accounts and stolen hard-earned cash.
Don’t be a victim. Change any password you instinctively know is just too simple. Use a minimum of 9 characters with caps, numbers and special characters. Use LastPass.com to remember them all. It’s an excellent tool and it works. Add a YubiKey for two-factor authentication. Google Authenticator is great also and uses your cell phone as a second factor. Most email services can use SMS verification so that accessing your email always requires the password and a code delivered to your cell phone. See this article at Coding Horror for a good tutorial on that.
If you think your password is strong, run an MD5 and a SHA1 hash of your passwords and search Google for those hashes. If any hits come back, change your password(s). NOW! If you’re not sure what I’m talking about, here’s a tool on my website to help you: http://emsy.us/hash
Yampolskiy created a tool that checks your password against the list of known cracked passwords (about 160k of the 6.5 million). You can check whether your password has been affected here. Check out his blog post on the topic.
LastPass has also offered a tool to check whether your LinkedIn password was compromised.
Should you use any of these tools to check whether your password has been hacked? If you don’t, you may never know. Why not change the LinkedIn password first, and then check it? You should be changing passwords regularly anyway, right?
The days of being secure with a password alone are long gone. Today, at the very least, you should be using complex passwords of at least 9 characters (edit: as of 10/2013 I recommend 12 characters), preferably randomly generated, with second-factor authentication.
Please comment, call or email anytime if you have questions about all this.
Update Sept 4, 2013:
When the LinkedIn news broke, I thought about what a crutch the MD5 hash is. It is a great way to store a complex password, but what if the MD5 belongs to a password whose hash has been published on the internet? Are we all completely certain that the hashes of our passwords aren’t out there waiting for a Google search to match a criminal with our password?
The answer to the OP is yes, it is possible to reverse a user’s MD5 if their password was simple, unimaginative, or not completely random and complex. Try this. Hash any password you may have used in the past but have discarded for a more complex one. Google the hash. If you get any results, you were using an insufficient password.
As we progress along this curve of complexity into the future, more and more complex, random combinations of words, letters, special characters, numbers, etc. will be hashed and set out there in the googleverse for all to match. If your hash isn’t out there yet, it will be at some point, unless we use ridiculously complex, unique passwords.
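The hash-and-look-up check described above (compute the MD5 or SHA1 of a password and see whether that digest already appears in a published list, which is also what the Yampolskiy and LastPass checkers do against their lists) as an added Python example. This is not the post's hash tool or either of those checkers, and the function names are mine. It keeps the comparison local: the password is hashed on the machine and only its digests are compared against a list of known cracked digests, so the password itself is never typed into a search box or sent to a web page. The "known cracked" list here is constructed for the example from a few weak passwords; real lists run to millions of entries (the LinkedIn dump circulated as unsalted SHA1 digests).

```python
import hashlib


def digests(password: str) -> dict:
    """Unsalted MD5 and SHA-1 hex digests of a password: the values the post
    suggests searching for instead of the password itself."""
    data = password.encode("utf-8")
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest()}


def load_known_hashes(text: str) -> set:
    """Parse a cracked-hash list: one hex digest per line, '#' comments and
    blank lines ignored. Accepts 32-char (MD5) and 40-char (SHA-1) digests."""
    known = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower()
        if line and len(line) in (32, 40) and all(c in "0123456789abcdef" for c in line):
            known.add(line)
    return known


# Constructed sample list (NOT a real dump): SHA-1 digests of a few weak
# passwords, in the form the LinkedIn hashes circulated. A real list is huge.
_WEAK_EXAMPLES = ("password", "linkedin", "123456", "qwerty", "letmein")
SAMPLE_LIST = "# constructed sample list\n" + "\n".join(
    hashlib.sha1(p.encode("utf-8")).hexdigest() for p in _WEAK_EXAMPLES)
KNOWN = load_known_hashes(SAMPLE_LIST)


def is_known_cracked(password: str, known: set = KNOWN) -> bool:
    """True if either digest of the password appears in the known list.
    The comparison happens locally; the password never leaves this process."""
    return any(d in known for d in digests(password).values())


if __name__ == "__main__":
    for pw in ("password", "linkedin", "Vf8#qLm2!xZp"):
        verdict = "CRACKED" if is_known_cracked(pw) else "not in list"
        print("%-14s md5=%s  %s" % (pw, digests(pw)["md5"], verdict))
```

To use it against a real list, read the downloaded hash file into a string and pass it to `load_known_hashes`; a password that matches should be treated exactly as the post says, changed everywhere it was used, and a miss only means it is not on that particular list.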
http://md5.gromweb.com has 88,684,099 known MD5 sums. I will check back in a month to see the growth rate. I’m sure it will be alarming…
89,335,404 known MD5 sums (10/09/2013), a 0.734% increase.
I got curious and did some Googling on hashes (see http://emsy.us/hash) of randomly generated passwords including a maximum of one digit, caps, lowercase, numbers and special characters. Passwords with a length of 8 returned hits 0 of 10 times. Passwords with a length of 4 returned hits 5 of 5 times. Passwords with a length of 5 returned hits 1 of 1 time. Passwords with a length of 6 returned hits 0 of 1 time.
I lost steam after this. Has anyone seen any real research on this? To me, these very cursory results clearly dictate that your random password should be no less than 8 characters, all types included, to maximize complexity. But since we have tools to generate and securely store much longer passwords, why not do it?
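The recommendation above (random passwords of at least 12 characters, as of the 10/2013 edit, drawn from caps, lowercase, digits and special characters) and the length experiment, as an added Python example that is not the author's code; the function names are mine. It generates passwords of that shape with the OS random source, checks a password against the policy, and carries through the arithmetic that explains the experiment: 94 printable symbols give about 6.55 bits per random character, so a 4-character password lives in a space of roughly 26 bits (about 78 million strings, small enough to hash and index completely, which is why all five were found), an 8-character one in about 52 bits, and a 12-character one in about 79 bits.

```python
import math
import secrets
import string

# The four classes the post asks for; together 26 + 26 + 10 + 32 = 94 symbols.
CLASSES = (string.ascii_uppercase, string.ascii_lowercase,
           string.digits, string.punctuation)
ALPHABET = "".join(CLASSES)


def meets_policy(password: str, min_length: int = 12) -> bool:
    """At least min_length characters and at least one from each class."""
    return (len(password) >= min_length
            and all(any(c in cls for c in password) for cls in CLASSES))


def generate_password(length: int = 12) -> str:
    """Uniformly random characters from the 94-symbol alphabet via the OS CSPRNG
    (secrets, never random), redrawn until every class is present. That
    constraint discards only a small fraction of draws at these lengths, so it
    costs well under a bit of entropy."""
    if length < len(CLASSES):
        raise ValueError("length must be at least %d" % len(CLASSES))
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate, min_length=length):
            return candidate


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Size of the guessing space of a uniformly random string, in bits:
    length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def lengths_table(lengths=(4, 5, 6, 8, 9, 12)) -> list:
    """(length, bits) pairs for the lengths discussed in the post."""
    return [(n, round(entropy_bits(n), 1)) for n in lengths]


if __name__ == "__main__":
    for n, bits in lengths_table():
        print("%2d random chars from 94 symbols: %5.1f bits (%.1e possible strings)"
              % (n, bits, 94 ** n))
    print("example 12-character password:", generate_password(12))
```

The entropy figures assume every character is chosen uniformly at random; a human-chosen password of the same length and character mix has far less, which is the gap the post's "Google the hash" test exposes.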