Neil Turner's Blog

Blogging about technology and randomness since 2002

Change your LinkedIn password

You may have already heard that around 6.5 million passwords have been leaked from LinkedIn. The cause is not yet confirmed, and although the passwords were hashed using SHA-1 it’s only a matter of time before a dictionary attack against the password list deduces most of the passwords.

LinkedIn has said that anyone whose account had a compromised password will be forced to reset their password, although I’ve seen at least one tweet from someone who claims their password was leaked and a reset was not forced.

Either way, here are the steps everyone should follow:

1. Check to see if your password was compromised

Two sites have spawned in the past 24 hours which let you check to see whether your password was one of those leaked – the snappily titled LeakedIn and the LinkedIn Password Checker from LastPass. If your password was leaked, read on. If it wasn’t, breathe a sigh of relief but read on anyway.

Related: a blog post from the guy who created LeakedIn.
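The checker sites above work on the same principle as the leak itself: the list contains plain SHA-1 hashes, so a candidate password can be hashed locally and compared. The following is an added example, not code from this post or from LeakedIn or LastPass; the leaked list and word list are constructed sample data, and the function names are my own. It shows the local membership check, why a single precomputed table covers every user of an unsalted hash, and the salted, iterated scheme (PBKDF2) that defeats that table.

```python
import hashlib
import hmac
import os

# Constructed sample data: a tiny "leaked" list of unsalted SHA-1 hashes,
# the storage scheme the post describes. A real leak file has millions of rows.
LEAKED_HASHES = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("password1", "linkedin", "letmein")  # constructed sample passwords
}


def password_was_leaked(password, leaked_hashes):
    """Local equivalent of the checker sites: hash the candidate with unsalted
    SHA-1 and test membership. Only the hash is ever compared."""
    return hashlib.sha1(password.encode()).hexdigest() in leaked_hashes


def precomputed_table_hits(leaked_hashes, wordlist):
    """Why unsalted SHA-1 is weak: one hash per dictionary word matches every
    user who chose that word, and the table can be built before any leak."""
    table = {hashlib.sha1(w.encode()).hexdigest(): w for w in wordlist}
    return {h: table[h] for h in leaked_hashes if h in table}


# Hardened storage: per-user random salt plus a deliberately slow iterated hash.
ITERATIONS = 200_000


def store_password(password, salt=None):
    """Return (salt, digest). A fresh 16-byte salt means two users with the same
    password get different digests, so no shared precomputed table applies."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    print("leaked?", password_was_leaked("linkedin", LEAKED_HASHES))
    salt, digest = store_password("linkedin")
    print("same password, second salt differs:",
          store_password("linkedin")[1] != digest)
    print("verify:", verify_password("linkedin", salt, digest))
```

The two halves are the point of the example: `precomputed_table_hits` needs no per-user work at all, whereas with `store_password` an attacker would have to repeat 200,000 PBKDF2 iterations per guess per user.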

2. Change your LinkedIn password

LinkedIn has over 100 million users, so statistically you’re unlikely to be in the 6.5 million affected. However, I would still change your password regardless – I, for example, have been on LinkedIn for 3 years, and when I joined I wasn’t using passwords as strong as the ones I use now. And if your password is weak, your account can still be compromised even if it hasn’t been leaked.

Microsoft has some tips for creating a strong password, and thankfully LinkedIn does allow for long passwords – my new one is 16 characters. You could also use a password generator such as SafePasswd. Remember to check its strength using a site like Password Strength Checker, and take note of any suggestions it makes.

3. Change any other passwords that were the same as your LinkedIn password

Something many of us are guilty of (including, ahem, me) is re-using the same password for multiple sites. This is bad – if someone manages to get your password for one site (such as LinkedIn), and you use the same password for your Gmail account, then you’ll probably find that your Gmail account is compromised very quickly too. Even worse if you used the same password for online banking, or PayPal.

So, if your old LinkedIn password was used anywhere else, change your password on any other site where it was used. If you saved your passwords in Firefox, you can sort all of your passwords so that you can easily see where else you have used them – click on the Firefox menu and choose Options (or Preferences on a Mac), select the Security tab, and then click Saved Passwords. Click the Show Passwords button, click Yes, and then click the Password column to sort by password. Make a note of each site where you used that password, log in, and change the password.

4. Consider using a password manager

Although I’ve mentioned Firefox’s built-in password manager, I would strongly recommend using a third-party password manager. There are several available:

  • 1Password – this is the one I use, and it runs on Windows, Mac, iOS and Android (and Richy runs it on Linux using Wine), can be synced using Dropbox, but costs money to buy.
  • KeePass – a free and open source client, which is Windows only (but with unofficial clients for various other platforms).
  • LastPass – free, cross-platform and also has built-in sync.
  • RoboForm – historically very popular but I’m not sure how many people use it nowadays.

With these programs, you protect all of your passwords using one strong but easy-to-remember master password. For each site, you can then generate a unique and very difficult to crack password using symbols, numbers and non-sequential letters.
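Steps 3 and 4 describe two things a password manager does for you: spotting where one password has been reused, and generating an independent random password per site. The following is an added example, not code from this post or from any of the managers listed; the saved-password vault is constructed sample data and the function names are my own. It mirrors the Firefox "sort by password" check as a reuse report, and shows generation with the operating system's CSPRNG together with the entropy figure that the strength-checker sites estimate.

```python
import math
import secrets
import string

# Character classes a manager-style generator draws from: letters, digits, symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def reuse_found(vault):
    """Step 3 check: given {site: password}, report every password that is saved
    for more than one site, with the list of sites that share it."""
    by_password = {}
    for site, password in vault.items():
        by_password.setdefault(password, []).append(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


def generate_password(length=16, alphabet=ALPHABET):
    """Step 4: each character chosen independently and uniformly with `secrets`
    (CSPRNG), never the `random` module, which is predictable."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Strength of a uniformly random password: log2(alphabet_size ** length).
    16 characters from 94 symbols is about 105 bits."""
    return length * math.log2(alphabet_size)


def unique_per_site(sites, length=16):
    """One independent password per site, so a leak at one site cannot be
    replayed at another; the result is what the manager's vault would hold."""
    return {site: generate_password(length) for site in sites}


if __name__ == "__main__":
    # Constructed sample vault, the kind of thing the Firefox sorted list reveals.
    saved = {"linkedin": "Summer2012!", "gmail": "Summer2012!", "bank": "x9$Qm2"}
    print("reused:", reuse_found(saved))
    print("replacement vault:", unique_per_site(saved))
    print("bits for 16 chars:", round(entropy_bits(16, len(ALPHABET)), 1))
```

`reuse_found` is the programmatic version of the manual procedure in step 3; running it over an exported vault tells you exactly which sites need a new password after a leak.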

5. Do you really need a LinkedIn account?

If you no longer use a web site, then you may as well delete your account. I’m keeping my LinkedIn account for now but if you have dormant accounts on sites you no longer use, ask for your account to be deleted. There’s usually an option somewhere in your account settings, and, as far as I am aware, by law all UK (and probably EU) web sites must delete all of your data if you ask them to. That way, if that site is compromised in future and all of its passwords are leaked, yours won’t be one of them.

Have a look at all of the places you’ve saved a password for and think whether you really need an account there. If not, delete the account.

One Comment

  1. From what I was reading from @mikko, the “public list” of the hashed passwords did not have any duplicates and some expected common passwords were not listed – leading him to think that this was a list of passwords they couldn’t crack themselves and that the whole password list could have been leaked.