Wednesday 6 June 2012

The sense or nonsense of changing your password

By now everybody has caught on to the (presumed) LinkedIn breach, except the people at LinkedIn themselves, but they're probably digging through their treasure trove of social big data in the cloud. However, the most common comment today must have been from people saying that it doesn't make sense to change your password because the attackers could just get it again. While not an invalid point, I believe it's the worst advice to give.

There are three main components to this attack:
1. Finding the vulnerability that enables the attacker to extract the data.
2. Extracting the data.
3. Cracking the password.

Assuming your password was cracked, the attacker has successfully performed all three steps. If you change your password now, the attacker will have to perform step 2 and step 3 again. Given that this was a wake-up call for you, you probably chose a much more complex password, which makes step 3 much, much harder for the attacker. Even though the vulnerability was not fixed (yet), changing your password does make you safer.
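To make the "step 3 gets much harder" argument concrete, here is an added estimator that is not part of the original post: it computes the search space and entropy of a password from the character classes it uses, converts that to an expected cracking time at an assumed guess rate, and compares an old password against its replacement. The guess rate, the small list of common passwords and the sample passwords are constructed for the illustration; the common-password list exists because an exhaustive-space estimate overstates the strength of anything an attacker would simply look up in a word list.

```python
import math
import string

# Assumed offline guess rate for a fast, unsalted hash (constructed figure).
GUESSES_PER_SECOND = 1_000_000_000

# Constructed sample of a "common passwords" list; a real list has millions of entries.
COMMON_PASSWORDS = ["password", "123456", "linkedin", "qwerty"]

CHARSETS = [
    ("lower", frozenset(string.ascii_lowercase)),   # 26
    ("upper", frozenset(string.ascii_uppercase)),   # 26
    ("digit", frozenset(string.digits)),            # 10
    ("symbol", frozenset(string.punctuation)),      # 32
]


def alphabet_size(password: str) -> int:
    """Size of the union of character classes an attacker must cover to
    brute-force this password; characters outside the known classes
    (space, non-ASCII) each add one to the alphabet."""
    chars = set(password)
    size = sum(len(cls) for _, cls in CHARSETS if chars & cls)
    known = frozenset().union(*(cls for _, cls in CHARSETS))
    return size + len(chars - known)


def search_space(password: str) -> int:
    """Number of candidates in an exhaustive search over the alphabet."""
    return alphabet_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """Brute-force entropy: length * log2(alphabet size)."""
    return len(password) * math.log2(alphabet_size(password))


def guesses_to_crack(password: str) -> int:
    """Expected number of guesses. A password on the common list falls to a
    dictionary pass at its list position; otherwise assume the attacker finds
    it halfway through the exhaustive search space."""
    if password in COMMON_PASSWORDS:
        return COMMON_PASSWORDS.index(password) + 1
    return search_space(password) // 2


def expected_crack_seconds(password: str,
                           guesses_per_second: int = GUESSES_PER_SECOND) -> float:
    return guesses_to_crack(password) / guesses_per_second


def hardening_factor(old: str, new: str) -> float:
    """How many times more work step 3 costs after the password change."""
    return guesses_to_crack(new) / guesses_to_crack(old)


def describe(password: str) -> str:
    return (f"{password!r}: alphabet={alphabet_size(password)}, "
            f"entropy={entropy_bits(password):.1f} bits, "
            f"expected crack time={expected_crack_seconds(password):.3g} s")


if __name__ == "__main__":
    old, new = "linkedin", "Wake-up c4ll 2012!"   # constructed sample passwords
    print(describe(old))
    print(describe(new))
    print(f"step 3 becomes {hardening_factor(old, new):.3g}x more expensive")
```

Note that the estimate is deliberately simple: it models one attacker who brute-forces or runs a word list, and a real cracker adds rules and patterns that sit between those two extremes. It is enough to show the point in the post: reusing the leaked password costs the attacker nothing, while a longer password over more character classes raises the cost of step 3 by many orders of magnitude even though steps 1 and 2 are unchanged.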

A good analogy would be your seatbelt (I know it's old but it works ...). After a minor crash, you may finally make a habit of wearing your seatbelt. There is obviously still a (big) chance that you'd die in a major crash but it will be much less likely.

Update:
Someone remarked that, if the attacker still has access to LinkedIn, steps 1 and 2 become unnecessary, especially if the attacker has access to the plaintext stage of the password-change (chpass) flow. Obviously, we don't know how they got owned, so any theory goes. I'm placing my bet on SQLi, but in case it is worse than that, I might go back to my rolodex :-)

Rock on,
