Back in 2012 LinkedIn suffered a breach in which 6.5 million passwords were exposed. LinkedIn responded by forcing a password reset on all 6.5 million impacted accounts. This week reports have surfaced of an additional dataset of email addresses and hashed passwords for more than 100 million LinkedIn members (see https://blog.linkedin.com/2016/05/18/protecting-our-members). This additional dataset is believed to come from that same 2012 breach. As a result, LinkedIn will most likely respond by again forcing a password reset for a subset of its member base.

The top 20 passwords from this dataset (now publicly available) are listed below:

Rank | Password  | Frequency
-----|-----------|----------
1    | 123456    | 753,305
2    | linkedin  | 172,523
3    | password  | 144,458
4    | 123456789 | 94,314
5    | 12345678  | 63,769
6    | 111111    | 57,210
7    | 1234567   | 49,652
8    | sunshine  | 39,118
9    | qwerty    | 37,538
10   | 654321    | 33,854
11   | 000000    | 32,490
12   | password1 | 30,981
13   | abc123    | 30,398
14   | charlie   | 28,049
15   | linked    | 25,334
16   | maggie    | 23,892
17   | michael   | 23,075
18   | 666666    | 22,888
19   | princess  | 22,122
20   | 123123    | 21,826

These passwords were stored in hashed form (run through a one-way mathematical function that produces a completely different value), but the bad guys were still able to recover the original passwords because so many of them were commonly used words and number sequences.

Malicious hackers use easily available tools that recover real passwords by comparing the leaked hashes against precomputed databases of hashes of known words; this is called a dictionary attack.

This is a good reminder not to use simple, easy-to-guess passwords. The top 20 list from the LinkedIn breach above contains simple words that were easily cracked.

Use a unique password instead of a commonly used word or set of numbers. The more characters a password has, and the more irregular the combination of those characters, the harder it is to crack.

So how do you make your password longer without running the risk of forgetting it?

Information Security recommends the use of pass-phrases: sentences that are complex and much more difficult to break. A pass-phrase such as “I have a 2012 mustang!” is difficult to break because it contains characters such as a space and an exclamation mark and is longer than a regular 8-character password. Remember that not all online sites support pass-phrases, so use them wherever they are supported.
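To make the two points above concrete (why a dictionary attack recovers hashes of common words instantly, and why a long pass-phrase does not show up in such a dictionary), here is an added Python example that is not part of the original post. It treats the top-20 list quoted above as a "known weak password" dictionary, the way a sign-up form might check new passwords against breached lists, and adds a crude length-times-character-set strength estimate. The unsalted SHA-1 hash, the `estimated_bits` formula and the function names are assumptions of this example, not a description of how LinkedIn stored passwords.

```python
import hashlib
import math
import string

# Constructed sample: the top-20 list quoted in the post, used here as a
# dictionary of known weak passwords (the kind of list a sign-up check rejects).
LEAKED_TOP20 = [
    "123456", "linkedin", "password", "123456789", "12345678", "111111",
    "1234567", "sunshine", "qwerty", "654321", "000000", "password1",
    "abc123", "charlie", "linked", "maggie", "michael", "666666",
    "princess", "123123",
]


def unsalted_sha1(password: str) -> str:
    """Plain, unsalted SHA-1 of a password (assumed here; any unsalted fast
    hash is equally vulnerable to a precomputed dictionary)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def build_hash_dictionary(words):
    """Precompute hash -> word for a wordlist. This is the 'database of hashes
    of known words' the post describes: one lookup per leaked hash."""
    return {unsalted_sha1(w): w for w in words}


HASH_DICTIONARY = build_hash_dictionary(LEAKED_TOP20)


def lookup_leaked_hash(hash_hex: str):
    """Return the dictionary word whose hash matches, or None if the hash is
    not in the precomputed table (no guessing beyond the wordlist happens)."""
    return HASH_DICTIONARY.get(hash_hex)


def is_known_weak(password: str) -> bool:
    """Defender-side check: reject a password that appears in the breached list."""
    return unsalted_sha1(password) in HASH_DICTIONARY


def estimated_bits(password: str) -> float:
    """Crude strength estimate: length * log2(size of the character pool),
    where the pool is the union of the character classes actually used."""
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation + " ", 33),  # includes the space a pass-phrase uses
    ]
    pool = sum(size for chars, size in classes if any(c in chars for c in password))
    if pool == 0:
        return 0.0
    return len(password) * math.log2(pool)


def evaluate(password: str) -> dict:
    """Summary a sign-up form could act on: blocked if known weak, else scored."""
    return {
        "known_weak": is_known_weak(password),
        "length": len(password),
        "estimated_bits": round(estimated_bits(password), 1),
    }


if __name__ == "__main__":
    for candidate in ("123456", "password1", "I have a 2012 mustang!"):
        print(candidate, evaluate(candidate))
```

Note that the strength estimate is only a rough guide: a pass-phrase made of a famous quotation is still a single dictionary entry for an attacker who uses phrase lists, so the membership check against known-breached lists is the part a site should always enforce.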

If you haven’t changed your LinkedIn password since 2012, it is a good idea to change it now. We hope the list of easily guessed LinkedIn passwords is an eye opener and a good reason to move from a simpler password to a longer, unique, safer and easier to remember pass-phrase!