nanog mailing list archives

Re: Dear Linkedin,

From: Ted Cooper <ml-nanog090304q () elcsplace com>
Date: Sat, 09 Jun 2012 10:59:46 +1000

On 09/06/12 05:48, Michael Thomas wrote:

Linkedin has a blog post that ends with this sage advice:

 * Make sure you update your password on LinkedIn (and any site that you
visit on the Web) at least once every few months.

I have accounts at probably 100's of sites. Am I to understand that I am
supposed to remember
each one of them and dutifully update them every month or two?

 * Do not use the same password for multiple sites or accounts.

So the implication is that I have 100's of passwords all unique and that
I must
change every one of them to be something new and unique every few months.
And remember each of them. And not write them down.

 * Create a strong password for your account, one that includes letters,
numbers, and other characters.

And that each of those passwords needs to be really hard to guess that I
change to every
few months on 100's of web sites.

I'm sorry, my brain doesn't hold that many passwords. Unless you're a
savant, neither does
yours. So what you're telling me and the rest of the world is impossible.

What's most pathetic about this is that somebody actually believes that
we all really
deserve this finger wagging.


They have some things correct in this and some are complete hogwash.

Changing your password does not provide any additional security. It is
meant to give protection against your credentials having being
discovered, but if they have been compromised in that way, they'll have
the one you change it to in next to no time too. If the hashes have been
compromised, then yes, it's time to change the password.

Having a different password for every website is very important though,
as demonstrated many times when these lists of passwords and associated
usernames turn up. Anyone who uses the same password on multiple sites
will find that they have their accounts on multiple services accessed
instead of just the original.

What is needed are unique, highly difficult to guess passwords for each
of them and that's where something like a password safe comes in.
KeePassX is a cross platform and can be configured so that it needs a
key file and password. I keep several of them with varying levels of
importance. My banking details safe is only opened on a very secure
computer.

What LinkedIn need to do is improve their security so that they don't
leak hashed passwords. Giving mostly correct advice like this shouldn't
need to be prompted by a large security event.

Current thread:

Re: Password Safes, (continued)
- - - Re: Password Safes JC Dill (Jun 10)
- Re: Dear Linkedin, Alec Muffett (Jun 08)
  - Re: Dear Linkedin, John Levine (Jun 08)
    - Re: Dear Linkedin, Alec Muffett (Jun 08)
- Re: Dear Linkedin, Joe Maimon (Jun 08)
- Re: Dear Linkedin, John Adams (Jun 08)
- Re: Dear Linkedin, Simon Perreault (Jun 08)
  - Re: Dear Linkedin, valdis . kletnieks (Jun 08)
- Re: Dear Linkedin, Jay Ashworth (Jun 08)
- Re: Dear Linkedin, [and proposed mitigation approach] Rich Kulawiec (Jun 08)
- Re: Dear Linkedin, Ted Cooper (Jun 08)
  - Re: Dear Linkedin, Michael Thomas (Jun 08)
- Re: Dear Linkedin, Terje Bless (Jun 09)
- Re: Dear Linkedin, Scott Weeks (Jun 08)
  - Re: Dear Linkedin, John Adams (Jun 08)
  - Re: Dear Linkedin, Lyndon Nerenberg (Jun 08)
  - Re: Dear Linkedin, Paul Graydon (Jun 08)
  - Re: Dear Linkedin, elijah wright (Jun 09)
    - Re: Dear Linkedin, joseph . snyder (Jun 09)
    - Re: Dear Linkedin, Scott Howard (Jun 09)
    - Re: Dear Linkedin, Jimmy Hess (Jun 09)

(Thread continues...)