Reports emerged yesterday that over six million passwords had been hacked and posted on a Russian web forum.
LinkedIn later confirmed that the passwords spilled were genuine ones, although they were encrypted, as you would expect.
Sophos, the security experts, reckon that after duplicates have been removed, there are some 5.8 million passwords which have been compromised.
Despite the encryption, however, hackers can “brute force” and crack passwords, particularly the more obvious and simple kind. Sophos claims that 60 per cent of the stolen passwords have already been brute forced, in other words, are out in public – and possibly being used by the hackers.
LinkedIn, however, has moved quickly to disable those passwords, and affected users will receive an email from the social network, detailing how to perform the necessary password reset.
As ever, if you’ve used the same password elsewhere, aside from your LinkedIn account, it’s a very good idea to change those passwords, as well.
LinkedIn has also clarified that the passwords it has reset will be stored in salted, hashed format. This means that a random string (the salt) will be added to each password before it is cryptographically hashed, which in turn makes the stored hashes much more difficult to brute force.
That’ll buy extra time in the event of another password breach, and will hopefully mean that LinkedIn can switch any passwords and run damage control before a single account is compromised.
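As an added illustration that is not part of the article, the Python below contrasts bare hashing with salted, iterated hashing: two users who share a password produce identical bare digests (so one cracked hash unlocks both, and duplicates are visible in a dump), whereas per-user salts make every stored digest unique. SHA-256 and PBKDF2 are assumed stand-ins; the article does not say which algorithms LinkedIn used.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample accounts; two of them happen to share a password.
USERS = {"alice": "linkedin2012", "bob": "linkedin2012", "carol": "correct horse"}


def unsalted_hash(password: str) -> str:
    """Hash the bare password (assumed SHA-256 as a stand-in).
    Identical passwords yield identical digests, so a precomputed table
    or one cracked value covers every account sharing that password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = 200_000) -> Tuple[bytes, str]:
    """Prepend a random per-user salt and run a slow, iterated hash
    (PBKDF2-HMAC-SHA256). The salt is stored next to the digest; it is not
    secret, it just makes each digest unique and forces an attacker to
    work on one account at a time."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return salt, digest.hex()


def verify(password: str, salt: bytes, stored: str,
           iterations: int = 200_000) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = salted_hash(password, salt, iterations)
    return hmac.compare_digest(candidate, stored)


def visible_duplicates(digests) -> int:
    """Number of entries in a dump that repeat an earlier digest."""
    return len(digests) - len(set(digests))


def compare_storage_schemes() -> Tuple[int, int]:
    """Duplicates visible under bare hashing vs. salted hashing."""
    bare = [unsalted_hash(p) for p in USERS.values()]
    salted = [salted_hash(p)[1] for p in USERS.values()]
    return visible_duplicates(bare), visible_duplicates(salted)


if __name__ == "__main__":
    print(compare_storage_schemes())  # (1, 0)
```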
Of course, ideally, there won’t be another password spillage… but it’s always better to be safe than sorry.