And now it’s last.fm


Last.fm have had a security breach and advised all their users (such as me) to change their passwords. As with LinkedIn, having passwords hashed may not be enough to keep them secure.

I don’t know what has happened here and will refrain from commenting on Last.fm in particular, but one does begin to feel that these companies need some form of forceful reminder of their duty to hold these things as securely as possible. People should just not be able to filch masses of passwords. Not even the chief executive (again, for the avoidance of doubt, I am certainly not accusing any chief executive of having done so – the point is a general one).

What can be done? Two-piece authentication, as practised by GitHub – the machines I use GitHub on have to have access to a public key I have registered with them as well as a per-session password – would be one form. But can you see users of mass social network sites generating public keys and registering them? Neither can I, and more importantly I don’t think the companies can either: but if they are not going to implement that then they need to tighten things up considerably at the server side.

Why you should change your LinkedIn password


Several million LinkedIn passwords have been stolen and posted online. The fact that they are “encrypted” does not mean they are safe.


The “encryption” – in fact hashing – means that a lone password cracker trying to “brute force” the passwords would probably take a very long time to get through any significant number.

But the point is that they don’t have to do that. Instead they can look each hashed password up in a “rainbow table” of pre-cracked passwords and recover it that way.

Not everybody’s password will be one that has been “pre-cracked” and stuck in a rainbow table, but how confident are you that yours isn’t?

So, you have to change the password for LinkedIn and change that password anywhere else you use it – because the password will be associated with your email address, and crackers are not likely to stop just because LinkedIn has locked them out.

It’s a pain but surely not as big a pain as having your identity stolen.