If you have an account at linkedin.com, your password is probably on sale to criminals. Might you have used the same password anywhere else? Then you will want to change your password wherever you have used it. In August 2016 there was a pattern of GreenNet email accounts being compromised and used to send spam. It turned out people had reused their familiar GreenNet mail account passwords when setting up accounts on LinkedIn. In 2012, 117 million LinkedIn passwords were leaked, and now, four years later, the price of this data is within the reach of small groups of fraudsters. If you have ever had the same password for GreenNet as for LinkedIn, please change your GreenNet password as soon as possible. You may also want to check your email address (or that of friends and colleagues) on the site Have I Been Pwned? to see if your data has been leaked in one of the well-known website security breaches, including LinkedIn, MySpace, Adobe or MoneyBookers.
The rest of this article explains why changing the compromised password is important and gives some ideas about how to manage passwords. There are four main ways an email password can be obtained for malicious or abusive purposes:
- There may be malware or a keylogger on a computer you have used to check email. This grabs passwords and other sensitive information and sends them to unauthorised people to be exploited later. Particularly if you use a Windows computer, you should be running an up-to-date antivirus like AVG or Avast, but no anti-virus detects all new malware, so you still have to be careful of unexpected links or attachments. Some cases of email password compromise have been associated with bank details also being taken, or ransomware, which encrypts all your files and demands payment to restore access.
- You may have inadvertently typed your password into a phishing page that has been designed to look like GreenNet (yes, we've had several of those) or some generic webmail login. A phishing link typically arrives in an email telling you that you need to upgrade or restore access to your account. People can fall for this when they are hurried or panicked.
- Your password may have been copied off the network if you aren't using encryption, particularly if you use an open wi-fi network. This is one reason we strongly recommend using 'TLS' encryption for checking or sending your GreenNet email. See other support pages and your email software settings to ensure you have encryption turned on.
- You've typed the password - or something very like it - into a genuine website that is insecure or later becomes insecure. Occasionally this could be when you type the password for a more secure service (such as your email) by accident, but more often it's because the site stores a 'hashed' version of your password, and that data has then been accessed illicitly. This is what we're dealing with here. The 'hash' is a one-way mathematical transformation from which it is supposedly much harder to recover the password: this means that the site can recognise you by comparing the hash of the password you are typing to log in against the hash of the password on record, without having to store an unprotected 'plain text' password. So hashing can provide some protection against use of compromised data, depending on exactly how it is done, but as explained further below, a strong password is not nearly so strong once its hash is known.
Passwords aren't recyclable!
Nowadays, there are obviously a huge number of websites – and a small number of huge ones – trying to gather your comments and 'user-generated content' and personal data for advertising or other purposes. If every website requires a password, the temptation to use the same one for each site may be hard to resist. How can you remember a different one for each site? This is an important point, because sharing passwords between sites means that if one site is compromised, someone you don't know may have access to a whole range of facilities and data in your name, and may use your details for further identity fraud. So at least all your higher-security passwords should be unique for each site, even if you have one base password that you use for lower-security things like posting comments to forums. Not only does 'higher-security' mean things like online banking - and advanced users know it also means things like decryption or keyring phrases – but it should include your email accounts. Your email credentials may give access to personal information and are also the key by which many other passwords can be retrieved or reset, maybe allowing intruders to disrupt any website or domain name you have. In some cases, personal LinkedIn passwords have been used to take remote control of an organisation's computers. So your passwords should be:
- memorable - of course, as a misremembered password is useless, isn't it? But you can use tricks or technology to remember it.
- unique to the service - as mentioned above, your GreenNet password by default is reasonably strong. Please don't weaken it by allowing a secondary breach.
- long - for reasons explained below involving the hash
Out of memory
The human brain can store a lot of information, but it does so in a fluid way that depends a lot on repetition and meaning. So can't you just get a computer to store the trivial stuff like passwords? You may have noticed that a web browser asks you if you want to save the username and password you just used or created. Now that is helpful for creating unique passwords for the many low-security sites you might use, and you might trust it with medium-security sites as well, but what if someone steals the device you were using? Therefore if you do use this feature, you will want to add a 'Master Password' (Mistress Password if you prefer) to your web browser. In Firefox, you can do this by going to your preferences or options, selecting Security and ticking 'Use a master password'. If you use a browser without this feature or have reason to believe someone is after your data in particular, APC suggests software that is entirely separate from the browser, KeePassX. There are also online password managers, but KeePassX is entirely under your control, and has handy features such as generating a long pronounceable (and therefore more memorable) password.
Some sites allow you to log in using an OpenID that can be provided from a single source, or link your account to a WordPress or Google login. This option saves having to remember too many passwords, but of course if your central ID is compromised, then so are the other accounts linked to it. For some services there is two-factor authentication (2FA) which requires not just memorising a PIN or something, but also having access to a physical card or device: this can be more secure but less convenient if you're not carrying the device with you.
Creating a long, memorable, unique passphrase
So perhaps you have a password that you do share among services that don't seem that critical to you. You're aware it should not be something like 'password123' or '123456', or even based on something like your house name or car registration that might be known publicly or to people who've done a little research. It shouldn't be a dictionary word, because there are only so many words in a given language to try. Perhaps you have chosen as your ordinary, low-security password:
Drag0nfly
It at least meets a common requirement for upper and lower-case letters and a digit - the digit's also not at the end, which helps slightly. So you used this back in 2010 for, say, Facebook and LinkedIn accounts. Now we know that LinkedIn back then didn't store the password itself, but a hash of the password, using a specific algorithm: an unsalted SHA1 hash. When you logged in it took 'Drag0nfly' and used a one-way mathematical transformation to convert it to the hash, which looks like this:
0f920c12ee2408680d5d720d8a7a4b9a2279bd95
And each time you log in, it uses the same procedure to take your password, convert it to a hash and compare it to what is stored to see you are who you claim to be. Not only is the hash incomprehensible to humans, it's not possible for a machine to reverse a given hash in a realistic time. So even if someone did manage to copy the entire LinkedIn user database, it wouldn't in theory allow access even to the LinkedIn account.
You may already see the flaw in this. If the password produces the same hash every time, regardless of any other context, then you could calculate the hashes of all common dictionary words. You don't need to try to log into the website account thousands of times; you just compare the hashes that have been leaked to things like the hash of 'password123'. This is what is called a 'rainbow attack'. There are recommended ways to minimise the risk of a rainbow attack, by including things like the username and other 'salt' in the information to be hashed, but that wasn't used by LinkedIn. So if your password were 'Drag0nfly', would your accounts be safe? Well, there are thousands of millions of unsalted SHA1 hashes known, and in fact there is an underground (but not intrinsically illegal) trade in access to this type of data. Maybe a website like 'Hashkiller.co.uk' has a public password that hashes to 0f920c12ee2408680d5d720d8a7a4b9a2279bd95? And indeed it has. Replacing letters with digits that look similar is a trick that doesn't add much randomness (which techies also call password entropy), and so what should be a one-way hash function can reveal the original password 'Drag0nfly'. Facebook may use a more secure method of hashing, but that doesn't matter if you've used the same password, since the plaintext password is known. So in this example, where you'd used that password on LinkedIn, the criminals also probably have access to your Facebook account, for what it's worth.
So the answer to the question 'is "Drag0nfly" a strong enough password to be safe against a criminal website breach' appears to be 'no'. But actually, only just. More than 10 letters of 'entropy' or 'randomness' and you need over 100 million million hashes to get a match, which is beyond most people's resources. It turns out that about 86% of LinkedIn accounts have a hash that has been cracked. Probably that includes anyone who set a password of eight alphanumeric characters or less.
So one suggestion is just to make your website passwords longer by adding other, unrelated elements, preferably ones that vary between sites. Say the Facebook logo reminds you of an acacia against a blue sky: you might make your Facebook password "Drag0nflyacaciaagainstblue" or "Drag0nflyaaabs". Taking initials or some other combination of letters from a phrase does seem to work, and the latter hashes to 'c8ce865f85ec105feb460b195b383a7fcb0b1d48', which is much less likely to be found in hash databases. Develop your own scheme. After a few uses, the password should stick in your memory, and a breach of one account should not affect the other. Similarly your LinkedIn password might become "Drag0nflyHaveYouGotAnythingWithoutSpam?". The important thing is that the password is long enough and the elements aren't obviously linked. Indeed a surreal phrase like 'camel1tractor2invariate3opossum' is going to be both more memorable and more secure than something like 'h@t1941Be3' (as pointed out in this XKCD cartoon).
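The two points made above - that an unsalted hash of a common password is found by a simple table lookup, while a longer, site-specific password is not, and that a site can protect against this by salting - are demonstrated in the following Python. This is an added example written for this article, not code from GreenNet, LinkedIn or any of the sites mentioned; the 'hash database' is a constructed list of a handful of passwords, and PBKDF2-HMAC-SHA256 with a random per-user salt is used purely as an illustration of salted storage (the article does not say what any particular site actually uses).

```python
import hashlib
import hmac
import os
from typing import Dict, Optional


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 hex digest, the scheme the article says LinkedIn used.
    Compare sha1_hex('Drag0nfly') with the hash quoted in the article."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Constructed stand-in for a public hash database: a few common passwords
# and leet-speak variants, hashed once in advance. Real tables hold
# thousands of millions of entries; this one holds six.
COMMON_PASSWORDS = ["password123", "123456", "dragonfly", "Dragonfly", "Drag0nfly", "letmein"]
PRECOMPUTED: Dict[str, str] = {sha1_hex(p): p for p in COMMON_PASSWORDS}


def lookup_unsalted(leaked_hash: str, table: Dict[str, str] = PRECOMPUTED) -> Optional[str]:
    """What a leaked unsalted hash gives away: the plaintext, if that password
    was ever hashed into the table, otherwise None. No login attempts needed."""
    return table.get(leaked_hash.lower())


# How a site should store a password instead: random salt per user plus a
# deliberately slow key-derivation function, so a precomputed table is useless
# and each guess costs real work. Iteration count is an illustrative choice.
ITERATIONS = 200_000


def store_salted(password: str, salt: Optional[bytes] = None) -> Dict[str, object]:
    """Return the record a site would keep: salt, derived hash, iteration count."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify_salted(password: str, record: Dict[str, object]) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(str(record["salt"])),
        int(record["iterations"]),
    )
    return hmac.compare_digest(digest.hex(), str(record["hash"]))


if __name__ == "__main__":
    for pw in ["Drag0nfly", "Drag0nflyaaabs"]:
        h = sha1_hex(pw)
        print(f"{pw!r:20} sha1={h} -> table lookup: {lookup_unsalted(h)!r}")
    # The same password stored salted twice gives two different records,
    # so one precomputed table cannot serve both sites (or both users).
    a, b = store_salted("Drag0nfly"), store_salted("Drag0nfly")
    print("salted records differ:", a["hash"] != b["hash"])
    print("verify correct password:", verify_salted("Drag0nfly", a))
    print("verify wrong password:  ", verify_salted("Dragonfly", a))
```

Run it and the short password comes straight back out of the table while the lengthened one does not, which is the whole point of the article's advice; the salted records show why a site that hashes properly leaks far less even if its database is copied.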
The Have I Been Pwned website (HIBP) is the most well-known way to check if your data has been compromised: not just passwords, but anything like postal addresses or credit card numbers you may have stored on a website. To explain, 'pwned' means someone's 'owned' you and got unauthorised control of your account; it is usually pronounced 'owned' or 'poned'. HIBP responsibly doesn't show the actual stored data, but does allow lookups by associated email address. You can also subscribe so that if your email address is found in a dump of cloned details, you receive a warning by email. If you are an organisation with your own domain name, you can also check all addresses at the domain.
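HIBP also lets you check a password itself against its corpus of leaked hashes without sending the password, or even its full hash, to the service: the client sends only the first five hex characters of the SHA-1, receives every known hash suffix with that prefix, and does the final match locally. The following Python, added here as an illustration and not code from HIBP or GreenNet, plays both sides of that exchange offline against a constructed four-entry breach corpus; the real service answers the same shaped query at https://api.pwnedpasswords.com/range/<prefix>, which this example deliberately does not call.

```python
import hashlib
from collections import defaultdict
from typing import Dict, List, Tuple


def sha1_upper(password: str) -> str:
    """Upper-case hex SHA-1, the form the range protocol works with."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a breach corpus: password -> times seen in dumps.
# Counts are invented; the real corpus holds hundreds of millions of hashes.
BREACH_CORPUS: Dict[str, int] = {
    "password123": 1_234_567,
    "123456": 9_876_543,
    "Drag0nfly": 12,
    "letmein": 456_789,
}


def build_ranges(corpus: Dict[str, int]) -> Dict[str, List[str]]:
    """Server side: index the corpus by 5-char hash prefix. Each bucket holds
    'SUFFIX:COUNT' lines; the server never stores or returns plaintext."""
    ranges: Dict[str, List[str]] = defaultdict(list)
    for password, count in corpus.items():
        digest = sha1_upper(password)
        ranges[digest[:5]].append(f"{digest[5:]}:{count}")
    return dict(ranges)


def range_query(ranges: Dict[str, List[str]], prefix: str) -> List[str]:
    """Server side response to GET /range/<prefix>: all suffixes in that
    bucket (possibly none). The server learns only the 5-char prefix."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return ranges.get(prefix.upper(), [])


def split_hash(password: str) -> Tuple[str, str]:
    """Client side: the part that leaves the machine and the part that stays."""
    digest = sha1_upper(password)
    return digest[:5], digest[5:]


def check_password(password: str, ranges: Dict[str, List[str]]) -> int:
    """Client side: query by prefix, match the suffix locally.
    Returns how many times the password appeared in the corpus (0 = not found)."""
    prefix, suffix = split_hash(password)
    for line in range_query(ranges, prefix):
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    server = build_ranges(BREACH_CORPUS)
    for pw in ["Drag0nfly", "Drag0nflyHaveYouGotAnythingWithoutSpam?"]:
        prefix, _ = split_hash(pw)
        seen = check_password(pw, server)
        verdict = f"seen {seen} times, change it" if seen else "not in corpus"
        print(f"sent prefix {prefix} for {pw!r}: {verdict}")
```

The design point is the k-anonymity trade: a five-character prefix covers a large share of all possible hashes, so the server cannot tell which one you hold, yet the client still gets an exact answer. A password that comes back with a non-zero count is one to retire everywhere it was used, which is exactly the advice at the top of this article.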
Update, October 2018
In October 2018 we started getting complaints about a more direct 'attack' – spam that quotes a password in the Subject line to get the potential victim's attention, implying that they know you have some embarrassing secret, and asking for payment to one of many bitcoin addresses. Another threatening spam that may be an attempted follow-up typically just has the Subject 'i saw what u did' and very little content.
By checking the recipients' addresses against HIBP, it looks like the passwords were again obtained from the LinkedIn data breach (some may have come from MySpace via an aggregated '"Anti Public" Combo List' from late 2016, but the only data breach all the addresses were involved in was LinkedIn). As of writing, we're about to block this spam, although it could be suggested that it's a good reminder of the password you need to change; subscribing to HIBP might be a less confusing way of getting this information.
If you have ever had the same password for GreenNet as for LinkedIn, please change your GreenNet password as soon as possible.