Friday, June 08, 2012

Chicken Little and LinkedIn

Unless you live under a rock (and I think even those people heard about it) you know that LinkedIn and eHarmony both reported the leak of millions of hashed passwords this week. Millions of your friends urged you to change those passwords. People you've never heard of offered to check to see if your password was one that was "stolen."

How gullible are you?

You were being urged to go to some website you didn't know and enter your LinkedIn and/or eHarmony password. The screen would shift and you'd be told whether or not your password was one of those taken. In the meantime, of course, you've handed your unencrypted password to someone you don't even know. But, you say, they don't know your username, do they?

Well, the people who stole the passwords from LinkedIn and eHarmony don't know your username either - all they got were hashed passwords. As such, it's akin to stealing a specialized dictionary. Yes, if they discover (or guess) a valid username then they can test each and every one of the passwords against that account. But they don't need to steal passwords to do that - any half-baked dictionary attack would do as well.

The events at LinkedIn and eHarmony were data leaks - but they weren't information leaks. Data is simply binary bits which have little meaning in and of themselves. Had the hackers gotten usernames with the passwords, well, then they'd have information - usable data. But they didn't, so they don't.

Should you change your password? Probably, but not to another that was in the stolen data - that would leave you no better off. Maybe you should just run around and yell "the sky is falling, the sky is falling!" like the technically illiterate media.
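As an added illustration (not the post's own code), here is the local form of the check those unknown websites were offering: hash the password yourself and look it up in the leaked hash list, so the plaintext is never handed to anyone, and apply the same lookup to a proposed replacement. It assumes the dump is unsalted SHA-1 hex digests, one per line (the form the LinkedIn dump was reported to take); the sample dump below is constructed, not data from any real leak.

```python
import hashlib
import re

HEX_SHA1 = re.compile(r"^[0-9a-fA-F]{40}$")


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 hex digest of a password (assumed dump format)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def load_hash_dump(text: str) -> set:
    """Parse a dump of one hex digest per line into a set, ignoring blank
    lines and rejecting anything that is not a 40-hex-digit SHA-1."""
    hashes = set()
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        if not HEX_SHA1.match(line):
            raise ValueError(f"line {lineno}: not a SHA-1 hex digest: {line!r}")
        hashes.add(line.lower())
    return hashes


def password_in_leak(password: str, leaked: set) -> bool:
    """Local check: hash the password and look the digest up. The plaintext
    never leaves this process, unlike a web form that asks you to type it."""
    return sha1_hex(password) in leaked


def replacement_is_safe(new_password: str, leaked: set) -> bool:
    """The post's advice: a replacement that is itself in the dump leaves
    you no better off."""
    return not password_in_leak(new_password, leaked)


# Constructed sample dump: digests of three made-up passwords, one of them
# upper-cased and one blank line thrown in, standing in for the real file.
SAMPLE_DUMP = "\n".join([
    sha1_hex("password1"),
    "",
    sha1_hex("linkedin2012").upper(),
    sha1_hex("letmein"),
])
SAMPLE_LEAKED = load_hash_dump(SAMPLE_DUMP)

if __name__ == "__main__":
    for candidate in ("password1", "correct horse battery staple"):
        status = "in dump" if password_in_leak(candidate, SAMPLE_LEAKED) else "not in dump"
        print(f"{candidate!r}: {status}")
```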


© 2003-2006 The Virtual Quill, All Rights Reserved

