If a non-tech user changes their password after reading http://thenextweb.com/socialmedia/2012/06/06/bad-day-for-linkedin-6-5-million-hashed-passwords-reportedly-leaked-change-yours-now ("What should you do? For starters, change your password."), have they improved their situation? I think there's a good chance they have not, unless their new password is significantly longer -- which is unlikely. Their situation might even be worse, if the old password wasn't on the list but the new password happens to be. Or just because they're now more complacent and assume everything is ok.
I think people should wait to change their passwords until LinkedIn acknowledges the leak and starts salting passwords. Or change to a really long (12-16 character) password. Can experts weigh in on this analysis?
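The salting point raised in the post above, as an added example that is not part of the original comment: it stores the same constructed accounts once with a fast unsalted hash and once with a per-account salt, then reports which accounts end up with identical stored values. SHA-1 as the unsalted hash, the PBKDF2 parameters, the account names and the passwords are all assumptions made for the illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

ITERATIONS = 100_000  # illustrative work factor, chosen for this example


def unsalted_record(password):
    # Assumption: SHA-1 stands in for the site's fast, unsalted hash.
    return hashlib.sha1(password.encode()).hexdigest()


def salted_record(password):
    # A fresh random salt per account is stored beside the derived key.
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, key


def verify_salted(password, record):
    # Recompute with the stored salt and compare in constant time.
    salt, expected = record
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(key, expected)


def users_sharing_a_record(store):
    # Accounts whose stored value is identical: a single precomputed
    # digest for that password matches all of them at once.
    groups = defaultdict(list)
    for user, record in store.items():
        groups[record].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


# Constructed sample: alice has just "changed" to a password bob already uses.
PASSWORDS = {"alice": "sunshine1", "bob": "sunshine1",
             "carol": "x7#Long-and-Unusual-Phrase"}


def build_stores():
    unsalted = {u: unsalted_record(p) for u, p in PASSWORDS.items()}
    salted = {u: salted_record(p) for u, p in PASSWORDS.items()}
    return unsalted, salted


if __name__ == "__main__":
    unsalted, salted = build_stores()
    print("unsalted, shared records:", users_sharing_a_record(unsalted))
    print("salted, shared records:  ", users_sharing_a_record(salted))
    print("alice verifies:", verify_salted("sunshine1", salted["alice"]))
```

Without a salt, alice's new password produces the same stored value as bob's, so moving from one common password to another leaves her exactly as exposed; with a per-account salt no two records match and each must be attacked separately.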