I Have Been Pwned; You Probably Have, Too (Alt Title: “God Fucking Dammit, LinkedIn!!!”)

THE SHORT VERSION

If you use LinkedIn, then your email and LinkedIn password have probably been compromised.  If you reuse the same password across several sites, then you are likely a total sitting duck waiting to get exploited.  Go change passwords NOW!

THE LONG VERSION

This breach seems to have gotten less press than usual, even though it’s liable to have a broader impact on folks, so I want to make sure it’s on everyone’s radar:  

An enormous hack of LinkedIn accounts has surfaced (details).  Crackers snagged ~164mil login credentials; since the passwords were stored as unsalted hashes (i.e. “not securely”), the vast majority of these passwords were cracked.
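Why “unsalted” amounts to “not securely,” as an added illustration that is not part of the original post: one precomputed table of common passwords matches every unsalted hash in a dump at once, while a random per-user salt (plus a deliberately slow hash) turns each account into a separate job. The users, passwords and wordlist below are constructed; SHA-1 for the unsalted case is an assumption, since the post only says “unsalted.”

```python
import hashlib
import hmac
import os

# Constructed sample "user table"; two users picked the same weak password.
USERS = {
    "alice@example.com": "password123",
    "bob@example.com": "letmein",
    "carol@example.com": "password123",
    "dave@example.com": "correct-horse-battery-staple-2016",
}

# Constructed stand-in for the multi-million-entry wordlists used on leaked dumps.
COMMON_PASSWORDS = ["123456", "password", "password123", "letmein", "qwerty"]

def hash_unsalted(password: str) -> str:
    """Plain SHA-1 with no salt (assumption: the post only says 'unsalted')."""
    return hashlib.sha1(password.encode()).hexdigest()

def hash_salted(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Per-user random salt plus a deliberately slow hash (PBKDF2-HMAC-SHA256)."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt.hex() + "$" + dk.hex()

def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the salt stored alongside the hash; constant-time compare."""
    salt_hex, _ = stored.split("$", 1)
    return hmac.compare_digest(hash_salted(password, bytes.fromhex(salt_hex)), stored)

def unsalted_store(users: dict) -> dict:
    return {u: hash_unsalted(p) for u, p in users.items()}

def salted_store(users: dict) -> dict:
    return {u: hash_salted(p, os.urandom(16)) for u, p in users.items()}

def precomputed_table(wordlist) -> dict:
    """Hash the wordlist once. Against unsalted storage this one table matches
    every user in the dump; salts force a fresh recomputation per user."""
    return {hash_unsalted(w): w for w in wordlist}

def recoverable_by_table(store: dict, table: dict) -> dict:
    """Accounts whose stored hash appears in the precomputed table."""
    return {user: table[h] for user, h in store.items() if h in table}

def duplicate_hashes(store: dict) -> int:
    """Identical hashes reveal shared passwords; unique salts remove that signal."""
    return len(store) - len(set(store.values()))
```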

I took the liberty of checking a couple friend/client email addresses while I checked mine (using this tool), and found that most of the emails I checked were included in the hack (as was I).  LinkedIn hasn’t proactively informed anyone I’ve contacted about this. So, I’m spreading the word.

The immediate problem is losing control of your LinkedIn account (which, let’s be real, doesn’t necessarily mean much for most people).  The bigger problem is that many folks reuse the same password on many sites.  If the email:password you used on LinkedIn is the same as the one you used on Twitter or Facebook or Gmail, then those accounts are now also up for grabs.  While a LinkedIn account may be of limited value to criminals, a Twitter or Gmail account can be much more useful, and a bank or credit card account—let’s not dwell on it.  Did you start changing passwords yet?  Go change passwords NOW.

THINGS TO DO RIGHT NOW

  1. Go here (Yeah, it looks sketchy; it’s legit) https://haveibeenpwned.com/
  2. Plug in the email address you use to log into LinkedIn (or any email you use to log in to any site; this service tracks many data breaches)
  3. If you get a green bar, you lucked out.  If you get a red bar with “oh no!” in it, continue to step #4
  4. Read whatever details the site offers about the breach(es) you’ve been included in, and change your password(s) immediately.
  5. Also set a new password anywhere else that you used that same password 

EXTRA CREDIT

Passwords are inherently crappy.  It’s just a fact of life.  Consider upping your security in two ways:

  1. Set up “two-factor authentication” (also called “2FA”) on any account that lets you do so.  Different sites have different systems (and, alas, call them different things), but they all boil down to the same thing: Once 2FA is set up, logging into your email account (or whatever) will have an extra step.  First you enter your username and password and hit submit (like normal).  Then they ding your phone (either with a txt or via app) and wait for you to respond (either by clicking “accept” on the app or entering the six digit code they’ve texted you). If you don’t respond, you can’t get in.  This makes it impossible for someone to log into your account unless they have your username, password, and your phone.  Much more secure.  (I’ve added 2FA to several personal web tools I depend on, as I was getting hammered with a brute force attack a couple weeks back.)
  2. Please seriously consider using a “password manager” or “password locker.”  This is a piece of software (or service) that securely stores your usernames and passwords for all of your accounts.  That way, you don’t have to choose easily remembered passwords for all of your accounts.  Instead, you choose one very good password for your locker, and then let the locker generate insanely hard passwords for your individual accounts (all of my passwords are now 20+ characters long and randomly generated).  Lots of folks like LastPass and 1Password.  I prefer KeePassX and use MiniKeePass on my phone (I have lots of nit-picky reasons, but the tl;dr: The software implements good encryption algorithms in a secure way; it’s open source and well vetted; it’s not “cloud based”—“the cloud” is just “some other dude’s computer” [with all that implies, viz. security risks], and a cloud computer full of the master keys to folks’ online lives strikes me as an attractive nuisance, at best).

Sorry to be your bad news bear today; I hope you all get green bars and nonetheless CHANGE YOUR PASSWORDS, GET A PASSWORD MANAGER, AND START USING 2FA WHENEVER YOU CAN!!!