eHarmony and Last.fm Passwords Stolen

Some customers of CBS Corp.’s Last.fm music site and eHarmony Inc.’s dating site have had their passwords stolen.

eHarmony, the “No. 1 Most Trusted Dating Site,” stores the personal details of millions of people in the USA, UK, Australia, Canada and Brazil. The dating website was founded in 2000 and is based in Santa Monica, California. Over 500 people in the U.S. get married because of the site every day. 1.5 million of eHarmony’s 20 million-plus users have had their passwords hacked.

“After investigating reports of compromised passwords, we have found that a small fraction of our user base has been affected,” wrote eHarmony’s Becky Teroka. eHarmony has reset the passwords for those with compromised accounts. At least 420 of the passwords in the list contained the strings “harmony” or “eharmony.” The hashes on the list were posted without the corresponding login names, so they cannot be used to gain access to a particular user’s account.

Here is eHarmony’s response on their blog:

“The security of our customers’ information is extremely important to us, and we do not take this situation lightly. After investigating reports of compromised passwords, we have found that a small fraction of our user base has been affected. We are continuing to investigate but would like to provide the following actions we are taking to protect our members. We have reset affected members’ passwords. Those members will receive an email with instructions on how to reset their passwords.

[They then list the usual password advice most companies try to provide to customers]

Please be assured that eHarmony uses robust security measures, including password hashing and data encryption, to protect our members’ personal information. We protect our networks with state-of-the-art firewalls, load balancers, SSL and other sophisticated security approaches. We deeply regret any inconvenience this causes any of our users.”

Last.fm is a British-based social music website that launched in London before being purchased by US media giant CBS in 2007. On Thursday, Last.fm, which recommends music to users based on the songs they already listen to, warned its website visitors to change their passwords after a leak which may have resulted from a hacking attack. Last.fm, with almost 40 million users, will update customers on the status of the breach through its Twitter account, said Luke Fredberg, director of international corporate communications for owner CBS in London.

###

PortalGuard is a context based authentication platform focused on enhancing usability, while maintaining a balance between security, auditing and compliance.

http://www.PortalGuard.com

LinkedIn Password Breach Outcomes

Following the attack on LinkedIn’s passwords, the company has adopted higher security standards, including “hashing and salting of our current password databases,” wrote Vicente Silveira, a LinkedIn director, on LinkedIn’s blog. The company locked down and protected the accounts associated with the decoded passwords, which were at the greatest risk, and invalidated those passwords. LinkedIn is contacting affected members with instructions on how to reset their passwords.

Affected members will receive an email with instructions on how to reset their passwords; current passwords will not work. They will also receive an email with more information on what happened. The company did not confirm how many passwords were involved; it reportedly affected about 6 million of LinkedIn’s 161 million users. LinkedIn has “a broad cross-functional team” working on resolving the password-breach problem and associated security concerns. The company is also in contact with the FBI.

###

Advice from LinkedIn

Here is a list directly from LinkedIn’s blog about how to best protect yourselves:

1. “Make sure you update your password on LinkedIn (and any site that you visit on the Web) at least once every few months.

2. Do not use the same password for multiple sites or accounts.

3. Create a strong password for your account, one that includes letters, numbers, and other characters.

4. Watch out for phishing emails and spam emails requesting personal or sensitive information.

5. Our efforts to protect LinkedIn members impacted by this incident are ongoing and we will continue to keep you posted here.”

###

LinkedIn Passwords Potentially Leaked

Many sources are reporting today that LinkedIn passwords potentially leaked online for about 5% of users (6.5 million out of 150 million LinkedIn users worldwide). A hacker leaked a 118 Mb file of the hashed passwords to a Russian forum, and fellow hackers have begun cracking the hashes. The forum is currently offline. It looks as though some 300,000 of the weaker passwords may have been cracked already. LinkedIn says it has so far found no evidence of a password leak. The passwords are hashed with the SHA-1 cryptographic hash function, which is also used in SSL and TLS. Here are LinkedIn’s responses:

To be safe, change your LinkedIn password ASAP. As always, it’s better to be safe about these things. It’s also unclear whether the hackers got hold of LinkedIn usernames.

1. To change your LinkedIn password, log onto your account.

2. Click on your name in the upper right corner and then click on the link for Settings.

3. In the Settings section, click on the Change link next to Password.
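The two storage schemes mentioned in these posts, the unsalted SHA-1 the leaked file reportedly used and the “hashing and salting” LinkedIn says it has since adopted, as an added Python example that is not code from LinkedIn or from the original posts. `unsalted_sha1` reproduces the weak scheme and `shared_hashes` shows why it is weak: users who chose the same password get the same hash, so one cracked hash exposes every one of them. `store_password`/`verify_password` show the salted alternative with a per-user random salt and an iterated hash (PBKDF2-HMAC-SHA256 is a choice made here for illustration, not LinkedIn’s stated algorithm). The sample accounts and passwords are constructed.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed sample accounts for the demonstration (not real data).
SAMPLE_USERS = {
    "alice": "linkedin2012",
    "bob": "linkedin2012",           # same password as alice
    "carol": "correct horse battery",
}


def unsalted_sha1(password: str) -> str:
    """Plain SHA-1 of the password with no salt: the scheme the leaked file reportedly used."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def shared_hashes(users: Dict[str, str]) -> Dict[str, List[str]]:
    """Group users by their unsalted hash. Identical passwords give identical hashes,
    so every group with more than one member falls to a single cracked hash."""
    groups: Dict[str, List[str]] = {}
    for name, pw in users.items():
        groups.setdefault(unsalted_sha1(pw), []).append(name)
    return {h: names for h, names in groups.items() if len(names) > 1}


ITERATIONS = 100_000  # assumed work factor; raise it as hardware gets faster


def store_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash. A fresh 16-byte random salt per user means two users with
    the same password get different records, and the iteration count makes each guess
    expensive. Record format (our own): pbkdf2_sha256$iterations$salt_hex$hash_hex."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and iteration count and compare in
    constant time, so timing does not leak how many leading bytes matched."""
    algo, iters, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk.hex(), hash_hex)


if __name__ == "__main__":
    print("users sharing an unsalted hash:", shared_hashes(SAMPLE_USERS))
    records = {name: store_password(pw) for name, pw in SAMPLE_USERS.items()}
    print("alice and bob records differ:", records["alice"] != records["bob"])
    print("alice verifies:", verify_password("linkedin2012", records["alice"]))
    print("wrong password rejected:", verify_password("wrong", records["alice"]))
```

With salting in place, a leaked record for one user says nothing about any other user, and the iteration count multiplies the cost of every guess an attacker makes against it.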

In other news, LinkedIn’s iOS app potentially violates user privacy by sending detailed calendar entries to its servers. According to LinkedIn’s mobile app head Joff Redfern:

In order to provide our calendar service to those who choose to use it, we need to send information about your calendar events to our servers so we can match people with LinkedIn profiles. That information is sent securely over SSL and we never share or store your calendar information.

In an effort to make that algorithm for matching people with profiles increasingly smarter we pull the complete calendar event, including email addresses of people you are meeting with, meeting subject, location and meeting notes.

The company has already promised that it will no longer pick up meeting notes from your calendar and add a “learn more” link to explain how your calendar data is being used.

###

Password Study across Various Demographics

Joseph Bonneau, PhD, University of Cambridge, analyzed the password strength of 70 million Yahoo users. The data was protected using hashing (a security technique), which ensured that he did not have access to the individuals’ accounts. He was then able to measure and calculate relative strength of passwords across various demographics. Password strength is measured in bits, where cracking one bit is equivalent to the chance of correctly calling a fair coin toss and each additional bit doubles the password’s strength. These are interesting (if not unexpected) results.

* People over the age of 55 pick passwords double the strength of those chosen by people under 25 years old. German and Korean speakers choose the strongest passwords. Indonesians pick the weakest.

* People who change their password from time to time tend to select the strongest ones.

* People with a credit card stored on their account do little to increase their security other than avoiding weak passwords such as 123456. This had no effect on whether the password associated with the card would be stronger.

* The average password would take only 1,000 random attempts before it was guessed. A randomly chosen six-character password composed of digits and upper and lower case letters should offer 32 bits of security. People often pick much easier passwords than those theoretically allowed.

* People who have the strongest passwords are also in the same category as people who change their passwords occasionally.

How can businesses use this information?

One pointer from Bonneau’s research was that businesses should make users pick tougher passcodes, for instance by assigning people randomly chosen nine-digit numbers (the length of a phone number). Each character of that nine-digit “telephone” password has 10 possible values, so there are only 10^9 = 1,000,000,000 (0.001 trillion) possible passwords. This would also create WAY too many forgotten passwords, which cause Help Desk calls and productivity losses.

We, here at PortalGuard, had a thought that a much better approach is to encourage “pass phrases.” Using “my dog has fleas” is MUCH easier to remember and constraining the example to only allow spaces and lower case ASCII characters results in a purely random* password “space” of:

27^16 = 79,766,443,076,872,509,863,361 ~= 79,000,000,000 trillion ~= 79 billion trillion

for a 16 character phrase (note: 26 letters + space = 27). Obviously, this pass phrase is also MUCH more difficult to crack.

* – We used “purely random” to simplify the math since some letters occur more frequently than others. The “actual” password space would be lower than that number, but still multiple orders of magnitude greater than the phone number example.
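The arithmetic above, written out as a small Python calculator (an added example, not part of the original post) that turns alphabet size and length into a search space and into strength in bits using the post’s own definition, where each extra bit doubles the work. It also converts Bonneau’s ~1,000-guess average into bits for comparison. The guess rate used for the time estimate is an assumed figure, not one from the post.

```python
import math

# Alphabet sizes discussed in the post.
DIGITS = 10             # the nine-digit "telephone" password
LOWER_AND_SPACE = 27    # 26 lowercase letters + space, for the pass phrase


def search_space(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of `length` symbols drawn from the alphabet."""
    return alphabet_size ** length


def strength_bits(alphabet_size: int, length: int) -> float:
    """Strength in bits (log2 of the search space): each extra bit doubles the work."""
    return length * math.log2(alphabet_size)


def bits_from_guesses(guesses: float) -> float:
    """Turn an observed guess count (e.g. Bonneau's ~1,000 guesses for the average
    password) into the equivalent number of bits."""
    return math.log2(guesses)


def years_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given guess rate.
    The rate is an assumption supplied by the caller, not a figure from the post."""
    seconds = search_space(alphabet_size, length) / guesses_per_second
    return seconds / (365 * 24 * 3600)


def compare_schemes(guesses_per_second: float = 1e9) -> dict:
    """Side-by-side figures for the two schemes in the post plus Bonneau's
    1,000-guess average, at an assumed guess rate (default 10^9 guesses/second)."""
    return {
        "phone_9_digits": {
            "space": search_space(DIGITS, 9),
            "bits": strength_bits(DIGITS, 9),
            "years_to_exhaust": years_to_exhaust(DIGITS, 9, guesses_per_second),
        },
        "phrase_16_lower_space": {
            "space": search_space(LOWER_AND_SPACE, 16),
            "bits": strength_bits(LOWER_AND_SPACE, 16),
            "years_to_exhaust": years_to_exhaust(LOWER_AND_SPACE, 16, guesses_per_second),
        },
        "average_user_1000_guesses": {"bits": bits_from_guesses(1000)},
    }


if __name__ == "__main__":
    for name, figures in compare_schemes().items():
        shown = {k: (f"{v:.2f}" if isinstance(v, float) else v) for k, v in figures.items()}
        print(name, shown)
```

Running it shows the nine-digit number at just under 30 bits, the 16-character lowercase-plus-space phrase at about 76 bits, and the average real-world password (1,000 guesses) at roughly 10 bits; the phrase’s search space is more than ten trillion times larger than the phone number’s, which is the “multiple orders of magnitude” the footnote refers to.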

Bonneau presented the findings at the Symposium on Security and Privacy in San Francisco, California, on 23 May (http://www.ieee-security.org/TC/SP2012/). For more on Joseph Bonneau and his work, please see here (http://www.cl.cam.ac.uk/~jcb82/).

The image was taken from http://xkcd.com/936/

###

Top 8 Tips for Password Management

Here are 8 great tips from the PortalGuard team on a Monday morning:

1. Never share an account

2. Never use the same password for multiple systems

3. Never tell a password to anyone, including those claiming to be from security or customer service within the organization

4. Never write down a password

5. Never provide a password over the phone, e-mail or instant messaging

6. Make sure to log off or lock your workstation before leaving a computer unattended

7. Change your password whenever you suspect it may have been compromised

8. Passwords should be alpha-numeric at a minimum

###
