(MoneyWatch) COMMENTARY Last week, LinkedIn (LNKD) (along with unrelated sites like eHarmony and Last.fm) suffered a massive data breach when millions of user accounts and passwords were leaked and posted to hacker sites. Is there a way to know if you were affected? And what should you do about it?
First, the good news: The odds are in your favor. Even though a staggering 6.5 million passwords were stolen from LinkedIn, that represents only about 4 percent of the site's 150 million users. And if you were one of the unlucky few whose information was lifted, you should have been informed by now. LinkedIn sent messages to affected members last week indicating that their passwords had already been invalidated, with instructions on how to set up new passwords.
If you're still worried, password manager company LastPass has set up a Web page where you can enter your LinkedIn password to find out immediately whether it was one of those compromised. (Worried about the security of entering a password into LastPass's website? There are copious details on the page about the technical considerations, but it does indeed appear to be safe.)
Now the bad news. This is the latest in a string of hacks that illustrate the dangers of using the Web in 2012. LinkedIn bears a significant amount of responsibility in this case, since the site didn't properly encrypt its password database. (Read the LinkedIn blog for its response to the issue.) But security problems are pervasive, and any site that requires a password is susceptible to this sort of thing -- or worse -- from cloud storage to social media to job sites.
That's why it's time to review the essential requirements for keeping your passwords safe and secure:
Make your password strong. The first passwords to be cracked from the LinkedIn theft were simple, single-word passwords that could be found in a dictionary, or basic word-and-number combinations.
Make your password unrelated to you personally. Don't use names of spouses, pets, or old high schools. Also, no birthdays or social security numbers.
Mix upper and lower case. And if possible, throw in at least one non-alphanumeric symbol, like !, @, or ?. That's what we mean by a strong password.
It's a good idea to base your password on an extended phrase rather than a single word. You can then abbreviate the phrase and mix up the case, such as: 2bon2b*Titq. Discerning Shakespeare lovers will recognize that mouthful of gibberish as coming from Hamlet's memorable line, "To be or not to be; that is the question."
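The rules in the last four paragraphs can be checked mechanically, and the phrase-abbreviation trick can be automated. The code below is an added example written for this commentary, not something LinkedIn, LastPass or RoboForm ships. The word list and the personal details are constructed stand-ins; the substitutions (to becomes 2, and so on) and the use of * between clauses are assumptions that reproduce the Hamlet example on the page.

```python
import re
import string

# Constructed stand-in for a cracking dictionary: real lists run to millions
# of entries, and the first LinkedIn passwords recovered were words like these.
COMMON_WORDS = {"password", "linkedin", "welcome", "hamlet", "monkey",
                "letmein", "dragon", "summer", "football"}

# Constructed personal details for one hypothetical user (pet, hometown, birth year).
PERSONAL_TERMS = {"fido", "springfield", "1984"}

# Substitutions assumed for the abbreviation rule; "to" -> "2" is what turns
# "To be or not to be" into "2bon2b".
SUBSTITUTIONS = {"to": "2", "too": "2", "for": "4", "and": "&", "you": "u", "are": "r"}


def is_word_plus_suffix(password: str) -> bool:
    """True for a listed word on its own or with a short tail of digits or
    symbols tacked on ("summer2012", "password!"), the pattern cracked first."""
    m = re.fullmatch(r"([a-z]+)[0-9!@#$%^&*?]{0,6}", password.lower())
    return bool(m) and m.group(1) in COMMON_WORDS


def check_password(password: str, personal_terms=PERSONAL_TERMS) -> list:
    """Return the list of rules the password breaks; empty means it passes."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if is_word_plus_suffix(password):
        problems.append("dictionary word, possibly with a number or symbol added")
    lowered = password.lower()
    if any(term in lowered for term in personal_terms):
        problems.append("contains a personal detail")
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    if not (has_lower and has_upper):
        problems.append("does not mix upper and lower case")
    if not any(c in string.punctuation for c in password):
        problems.append("no non-alphanumeric symbol")
    return problems


def abbreviate_phrase(phrase: str, separator: str = "*") -> str:
    """Turn an extended phrase into a password: initials of each word, with
    the substitutions above, clauses split on ';' and joined by the separator,
    and each clause after the first capitalised."""
    clauses = [c.strip() for c in phrase.split(";") if c.strip()]
    parts = []
    for i, clause in enumerate(clauses):
        words = re.findall(r"[A-Za-z']+", clause)
        abbr = "".join(SUBSTITUTIONS.get(w.lower(), w[0].lower()) for w in words)
        if i > 0:
            abbr = abbr[0].upper() + abbr[1:]
        parts.append(abbr)
    return separator.join(parts)


if __name__ == "__main__":
    generated = abbreviate_phrase("To be or not to be; that is the question")
    for candidate in ["password123", "Fido2012!", generated]:
        print(f"{candidate!r}: {check_password(candidate) or 'passes all rules'}")
```

Running the script shows "password123" failing three rules, "Fido2012!" failing only the personal-detail rule, and the generated "2bon2b*Titq" passing every check.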
Make all of your passwords different. I can't emphasize this enough -- even if you have a great password, don't use it in more than one place. Every password you generate should be unique, so if someone hacks your LinkedIn account, they don't also get your bank account login at the same time.
Use a password manager like RoboForm or LastPass. Neither you nor I can track and manage dozens of unique passwords. Rather than taking shortcuts in password quality or using the same one over and over, use a manager to store them all for you.