eHarmony and LinkedIn User Passwords Stolen

June 7, 2012 - eHarmony and LinkedIn announced today that millions of user passwords were stolen and then leaked online on a Russian hacking site. Because only passwords were stolen and not the usernames, there does not appear to have been a serious threat to any of the users. However, both sites are encouraging people to change their passwords immediately. eHarmony, in fact, has reset the passwords of affected users and sent out emails instructing them on how to create new passwords. LinkedIn took similar action as well. Of the two sites, it appears that eHarmony had fewer passwords stolen. It is estimated 1.5 million eHarmony passwords were stolen, while LinkedIn appeared to have around 4.5 - 5 million passwords stolen.

With the passwords leaked, we now have some insight into what kinds of passwords people were using. What is most surprising is how many users continue to use extremely weak passwords to this day. Many people had passwords such as "linkedin" for their LinkedIn account. Sequential, numeric passwords such as "12345" were also surprisingly common. The greatest danger is that many people use the same password across multiple sites, making it easier for an information thief to compromise more serious accounts such as banking accounts once they get their hands on a certain user's information.

While this incident does not appear to have negatively affected users other than inconveniencing them with the need to set up new passwords, it does highlight the fact that many people need to set up stronger passwords, even for seemingly benign accounts such as the ones used for online dating. Here are some guidelines for creating a strong password:

  1. Use variety:
    Don't use only numbers or only letters. Instead, try to mix things up and use numbers, upper and lower case letters, and symbols as well.

  2. Make it long:
    4- or 6-character passwords won't cut it anymore. Aim for a minimum of 7 or 8 characters. In general, the longer the password, the better.

  3. Don't use words or sequential numbers:
    Your password should appear completely random. Avoid using phrases, words, or repeating numbers as well as sequential numbers.

Once you have selected a password, you may want to test its strength using sites such as Password Meter. Try to shoot for a password complexity of "strong" or better.
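The three guidelines above can also be checked locally without sending the password to a website. The following is an added example, not part of the original article: the word list is a small constructed sample, and the thresholds (8 characters, 3 character classes, runs of 3) are assumptions chosen to match the guidelines.

```python
import string

# Constructed sample word list (assumption); a real check would use a large
# dictionary plus the name of the site the password is for.
COMMON_WORDS = {"linkedin", "eharmony", "password", "love", "welcome"}
MIN_LENGTH = 8   # upper end of the article's "7 or 8 characters"
MIN_CLASSES = 3  # assumption: at least 3 of lower/upper/digit/symbol


def char_classes(pw):
    """Count how many of the four character classes appear (guideline 1)."""
    tests = (str.islower, str.isupper, str.isdigit,
             lambda c: c in string.punctuation)
    return sum(any(t(c) for c in pw) for t in tests)


def has_run(pw, length=3):
    """True if pw contains `length` sequential or repeated characters,
    e.g. "123", "cba" or "aaa" (guideline 3)."""
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - length + 1):
        steps = {codes[j + 1] - codes[j] for j in range(i, i + length - 1)}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def contains_word(pw, words=COMMON_WORDS):
    """True if any listed word appears in pw, ignoring case (guideline 3)."""
    lowered = pw.lower()
    return any(w in lowered for w in words)


def check_password(pw):
    """Return the list of guidelines the password fails (empty = passes)."""
    problems = []
    if char_classes(pw) < MIN_CLASSES:
        problems.append("variety")
    if len(pw) < MIN_LENGTH:
        problems.append("length")
    if contains_word(pw) or has_run(pw):
        problems.append("word-or-sequence")
    return problems


if __name__ == "__main__":
    for candidate in ("linkedin", "12345", "Linkedin2012!", "q7#Vm2!xLp"):
        print(candidate, check_password(candidate) or "ok")
```

Note that "Linkedin2012!" satisfies the variety and length guidelines but is still flagged, because it is built on a word and a sequential run.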

Although it's unfortunate that so many people continue to use weak passwords in an age that is replete with information and identity theft, the silver lining of this story is that no harm was done, and perhaps after this incident, some people will learn to start using more robust passwords in the future.