Dear Linkedin,

Ted Cooper ml-nanog090304q at elcsplace.com
Sat Jun 9 00:59:46 UTC 2012


On 09/06/12 05:48, Michael Thomas wrote:
> Linkedin has a blog post that ends with this sage advice:
> 
>  * Make sure you update your password on LinkedIn (and any site that you
> visit on the Web) at least once every few months.
> 
> I have accounts at probably 100's of sites. Am I to understand that I am
> supposed to remember each one of them and dutifully update them every
> month or two?
> 
>  * Do not use the same password for multiple sites or accounts.
> 
> So the implication is that I have 100's of passwords all unique and that
> I must change every one of them to be something new and unique every few
> months. And remember each of them. And not write them down.
> 
>  * Create a strong password for your account, one that includes letters,
> numbers, and other characters.
> 
> And that each of those passwords needs to be really hard to guess that I
> change to every few months on 100's of web sites.
> 
> I'm sorry, my brain doesn't hold that many passwords. Unless you're a
> savant, neither does yours. So what you're telling me and the rest of the
> world is impossible.
> 
> What's most pathetic about this is that somebody actually believes that
> we all really deserve this finger wagging.

They have some things correct in this and some are complete hogwash.

Changing your password does not provide any additional security. It is
meant to give protection against your credentials having been
discovered, but if they have been compromised in that way, they'll have
the one you change it to in next to no time too. If the hashes have been
compromised, then yes, it's time to change the password.

Having a different password for every website is very important though,
as demonstrated many times when these lists of passwords and associated
usernames turn up. Anyone who uses the same password on multiple sites
will find that they have their accounts on multiple services accessed
instead of just the original.

What is needed are unique, highly difficult to guess passwords for each
of them and that's where something like a password safe comes in.
KeePassX is cross platform and can be configured so that it needs a
key file and password. I keep several of them with varying levels of
importance. My banking details safe is only opened on a very secure
computer.

What LinkedIn need to do is improve their security so that they don't
leak hashed passwords. Giving mostly correct advice like this shouldn't
need to be prompted by a large security event.
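An added sketch (not KeePassX's code or file format, and not part of the original thread) of the two ideas in the reply above: a safe that opens only with both a master password and a key file, and a scan that flags the per-site reuse the post warns about. The vault layout, the PBKDF2 work factor and the sample entries are all constructed for the illustration.

```python
"""Composite-key password safe sketch (added illustration, not KeePassX code)."""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 200_000  # assumption: a work factor chosen for this sketch


def composite_key(password: str, key_file: bytes, salt: bytes) -> bytes:
    """Combine a master password and a key file, then stretch with PBKDF2.

    Each factor is hashed first so neither is recoverable from the composite,
    and both must be present to reproduce the same 32-byte key.
    """
    composite = (hashlib.sha256(password.encode("utf-8")).digest()
                 + hashlib.sha256(key_file).digest())
    return hashlib.pbkdf2_hmac("sha256", composite, salt, PBKDF2_ROUNDS, dklen=32)


def create_vault(password: str, key_file: bytes, entries: dict) -> dict:
    """Constructed vault layout: a random salt plus a key verifier tag.

    Encrypting the entries themselves is left out to stay dependency-free;
    the point shown is that the verifier only matches with both factors.
    """
    salt = os.urandom(16)
    key = composite_key(password, key_file, salt)
    verifier = hmac.new(key, b"vault-verifier", "sha256").digest()
    return {"salt": salt, "verifier": verifier, "entries": entries}


def unlock(vault: dict, password: str, key_file: bytes) -> bool:
    """True only when password AND key file reproduce the sealing key."""
    key = composite_key(password, key_file, vault["salt"])
    tag = hmac.new(key, b"vault-verifier", "sha256").digest()
    return hmac.compare_digest(tag, vault["verifier"])


def reused_passwords(entries: dict) -> dict:
    """Map each password used on more than one site to those sites."""
    by_pw = {}
    for site, pw in entries.items():
        by_pw.setdefault(pw, []).append(site)
    return {pw: sorted(sites) for pw, sites in by_pw.items() if len(sites) > 1}


if __name__ == "__main__":
    # Constructed sample data, not real credentials.
    KEY_FILE = os.urandom(64)
    SAMPLE = {"linkedin": "correct-horse", "mail": "correct-horse", "bank": "x9!Qm#2p"}
    vault = create_vault("master pass", KEY_FILE, SAMPLE)
    print("both factors:", unlock(vault, "master pass", KEY_FILE))  # True
    print("password only:", unlock(vault, "master pass", b""))      # False
    print("reused:", reused_passwords(SAMPLE))  # {'correct-horse': ['linkedin', 'mail']}
```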

More information about the NANOG mailing list