Earlier this week, amidst reports that more than 6.5 million passwords may have been compromised in a hack of a LinkedIn database, I received several calls and emails from friends and family who feared the worst for their LinkedIn accounts, especially after LinkedIn’s Vicente Silveira took to the company’s blog to confirm the reports. Silveira didn’t mention numbers, but by all accounts, the breach is significant.
What struck me was how violated these people felt about their personal information being exposed. Because LinkedIn is career-oriented, it is especially scary that those personal details – your livelihood, essentially – are at risk. Being part of a digital security company, I knew all the right things to say to provide some comfort:
- Change your password immediately to something very strong
- If you use the compromised LinkedIn password for any other sites, change those too, and again – make it something strong
- Change your password frequently
- Never use the same password for multiple sites again
Despite knowing that this is the best advice, I can’t help but feel that it really isn’t enough. This LinkedIn hack has shown us that even strong passwords can be compromised, and rather easily, too. All the cybercriminals had to do was turn to the larger hacker community and say “help.”
Silveira said in the LinkedIn blog post yesterday, “It is worth noting that the affected members who update their passwords and members whose passwords have not been compromised benefit from the enhanced security we just recently put in place, which includes hashing and salting of our current password databases.”
It’s good that LinkedIn is trying to up its security measures, but what this breach really brings to light for me is that anytime we are dealing with personal information on the Internet, passwords are just too weak.
What our entire Internet community, including those on LinkedIn, really needs is to go beyond simple passwords to strong, two-factor authentication – something you know (your username and password) and something you have (a security device). With this method, you need both a password and a physical token, such as a smart card or encrypted USB token, before you can log in. I’d also like to see a future where a third factor, “something you are” (a biometric, for example), is added as well. The more “factors,” the better our information is secured.
As we move into an increasingly digital era where more and more of our personal information is online, we need to take control over our own digital security. Ask the sites that house our personal information to take stronger security measures and move to strong authentication, and when it is offered, be sure to take advantage.
What did you think about the LinkedIn security breach? How did you feel knowing that your personal details may have been compromised? Was your account hacked? Let us know by using the comments section below.