Last.fm have had a security breach and advised all their users (such as me) to change their passwords. As with LinkedIn, storing passwords only as hashes may not be enough to keep them secure: a fast, unsalted hash of a weak password can be recovered with a dictionary attack or a precomputed lookup table once the hash list leaks.
I don’t know what has happened here and will refrain from commenting on Last.fm in particular, but one does begin to feel that these companies need some form of forceful reminder of their duty to hold these things as securely as possible. People should just not be able to filch masses of passwords. Not even the chief executive (again, for the avoidance of doubt, I am certainly not accusing any chief executive of having done so; the point is a general one).
What can be done? Two-factor authentication, as practised by GitHub, would be one form: the machines I use GitHub on have to have access to a public key I have registered with them as well as a per-session password. But can you see users of mass social network sites generating public keys and registering them? Neither can I, and more importantly I don’t think the companies can either. But if they are not going to implement that, then they need to tighten things up considerably on the server side: salt every password, hash it with a deliberately slow function rather than a plain SHA-1 or MD5, and restrict who and what can read the credential store in the first place.
One response to “And now it’s last.fm”
LinkedIn apparently didn’t even salt their hashes!
I don’t know about the others.