SOUTHFIELD — Earlier this summer, nearly 6.5 million LinkedIn password hashes were posted on an online forum by a hacker asking for help reversing the hashes into valid passwords.
Shortly after, another hacker publicized passwords from the online dating site eHarmony. In July, Formspring and Yahoo confirmed their sites’ passwords were also compromised.
Incidents such as these are a wake-up call for businesses and individuals to get serious about password security, say technology experts at Plante Moran, the Southfield-based certified public accounting and business advisory firm.
“It took hours for some sites to acknowledge and respond to compromised accounts and some companies have yet to confirm how hackers accessed sites or determined what the vulnerabilities are and how they will be fixed,” said Raj Patel, an expert in information security and a partner specializing in technology.
While most companies immediately sent customers emails asking them to reset their passwords, they missed the real intent of the hack, says Tom Ervin, an information security consultant at Plante Moran. Hackers don’t actually want LinkedIn passwords. What hackers want is the email addresses and account passwords that people use to log in to sites like LinkedIn.
“Hackers hope that users have the same password across many or all of the sites they visit,” Ervin said. “After gaining access to an individual’s email, the hacker has the ability to view other sites that were activated using that email address. The danger comes from their ability to locate accounts such as online banking, shopping and payment sites like Google Checkout or PayPal. In the case of LinkedIn, a hacker could purchase goods and sell them for cash using the information originally gained from accessing the site.”
What can the public do to protect from password vulnerabilities? Patel offers the following simple steps:
* Use tiered passwords. Don’t use the same password for all sites. Just like you have different keys for different doors, you need to use different passwords for different sites.
* Change your passwords frequently. When was the last time you changed your password for your online banking account or Facebook? It is recommended that users change passwords to sensitive accounts at least every 30 days.
* Set strong passwords. Setting long passwords that contain letters, numbers and special characters for numerous websites can be difficult to memorize. Use passphrases like “MyBirthDate?June15,90.” It’s long, has letters, numbers and special characters, and it’s easy to remember.
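The three steps above can be turned into a small audit that a user or help desk could run against a password-manager export. The script below is an added example, not code from the article or from Plante Moran: it flags passwords reused across sites (step 1), passwords older than the 30-day interval the article recommends (step 2), and passwords that fail a length and character-class check (step 3). The sample records, the audit date, the 12-character minimum and the three-class rule are constructed assumptions; only the 30-day interval and the passphrase example come from the text.

```python
"""Credential-hygiene audit for the three steps in the article.

Added example, not from the article or Plante Moran. It assumes the records
come from a local password-manager export (constructed sample data below).
The 30-day rotation interval and the passphrase example follow the article;
the minimum length and character-class threshold are assumptions.
"""
from datetime import date
from typing import Dict, List, Tuple

ROTATION_DAYS = 30   # "at least every 30 days", per the article
MIN_LENGTH = 12      # assumption: what counts as a "long" passphrase
MIN_CLASSES = 3      # assumption: of lower, upper, digit, special

# Constructed sample vault: two sites sharing one weak password, one site
# using the article's example passphrase.
SAMPLE_RECORDS = [
    {"site": "linkedin", "password": "summer2012",
     "last_changed": date(2012, 3, 1)},
    {"site": "bank", "password": "summer2012",
     "last_changed": date(2012, 7, 20)},
    {"site": "email", "password": "MyBirthDate?June15,90.",
     "last_changed": date(2012, 7, 20)},
]
AUDIT_DATE = date(2012, 8, 1)  # constructed "today" for the sample


def character_classes(password: str) -> int:
    """Count how many of the four classes (lower, upper, digit, special)
    appear in the password."""
    checks = (
        str.islower,
        str.isupper,
        str.isdigit,
        lambda c: not c.isalnum() and not c.isspace(),  # special character
    )
    return sum(any(check(c) for c in password) for check in checks)


def is_strong(password: str) -> bool:
    """Step 3: long enough and drawn from enough character classes."""
    return (len(password) >= MIN_LENGTH
            and character_classes(password) >= MIN_CLASSES)


def audit(records: List[dict], today: date) -> List[Tuple[str, str]]:
    """Return sorted (site, finding) pairs for every violated step."""
    findings: List[Tuple[str, str]] = []

    # Step 1 (tiered passwords): group sites by password, flag any group
    # with more than one site. The vault is plaintext here because a
    # password manager must hold the secrets to fill them in anyway.
    by_password: Dict[str, List[str]] = {}
    for rec in records:
        by_password.setdefault(rec["password"], []).append(rec["site"])
    for sites in by_password.values():
        if len(sites) > 1:
            for site in sites:
                others = ", ".join(s for s in sites if s != site)
                findings.append((site, "reused on: " + others))

    # Step 2 (change frequently): age against the rotation interval.
    for rec in records:
        age = (today - rec["last_changed"]).days
        if age > ROTATION_DAYS:
            findings.append((rec["site"], f"not changed for {age} days"))

    # Step 3 (strong passwords).
    for rec in records:
        if not is_strong(rec["password"]):
            findings.append((rec["site"], "weak password"))

    return sorted(findings)


if __name__ == "__main__":
    for site, finding in audit(SAMPLE_RECORDS, AUDIT_DATE):
        print(f"{site:10} {finding}")
```

Run stand-alone, the script lists the LinkedIn and bank entries as reused and weak, and the LinkedIn entry as 153 days old; the email entry, protected by the article's passphrase and changed 12 days earlier, produces no finding. The reuse check deliberately compares passwords rather than hashes: the point of step 1 is that two sites must not share a secret, and only a vault that holds the secrets can tell.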
“Breaches will continue to occur, so getting into the habit of changing things regularly can mean the difference between security and vulnerability,” Patel said.