Retelling a Password Nightmare in the Wake of the LinkedIn Password Leak

Don't be a victim, use a password manager.

Today's news of over 6 million passwords to LinkedIn being potentially compromised has caused ripples through the security community. Beyond access to innocent bystanders' LinkedIn accounts, the bigger danger is the fact that many people use the same passwords over and over again. So any site that uses email as a username (as LinkedIn does) with the same password you have used for LinkedIn is also at risk of being hacked into.

This is exactly why I have been advocating and speaking out for the use of password managers for years, ever since I myself was a victim of password hacking.

My password nightmare happened about 6 or 7 years ago. I had just returned home from a trip to the Black Hat conference in Las Vegas. I received a call early in the morning from one of the parents on my son's Little League team that I coached. They said that they had just received an "interesting" email from my email account that had some Yiddish/Hebrew words in the subject line and contained some really vile, disgusting pornographic images. They didn't think the email was in character for me (thank goodness for that) and wanted to let me know. I said thank you and set out to look into it.


The first thing I did was try to log into my Yahoo mail account. Funny thing, my password wouldn't get me into my system. I was sure I was using the right password; after all, I used the same password for almost all of my online accounts. In the meantime, I pulled up my personal ashimmy.com blog and was horrified at what I saw. There were more disgusting porno pictures all over my blog and a bunch of anti-Semitic posts all over the place. I went to log into my blog provider account and, you guessed it, couldn't log in there either. Funny, same password I used everywhere else too.

I couldn't leave that web site up, so I went to my GoDaddy domain account and figured I would point the DNS to a parking page. You know the answer. I could not get in there either. Same thing for my Google account, Skype, Hotmail, etc. This was very serious indeed. Then I was made aware that the hack of my accounts was part of a series of hacks against known security folks as a "statement" by some hackers. They made their announcement on one of the popular security mailing lists, along with some personal information they had pilfered from my mail account.

So this was turning into a nightmare and quickly. I had to do some damage control and get this situation right. First thing was to regain control of my accounts. I followed the normal channels and quickly realized that this was a form of torture. You couldn't get anyone from these large web properties on a phone to discuss this. You could write an email to some anonymous email address and wait for them to respond. With my reputation being killed second by second, that wasn't going to work.

Luckily, as a result of being in the security community, I reached out to some friends for help. It pays to have friends. At almost all of the companies whose accounts I was locked out of, I knew or was introduced to someone higher up whom I was able to go to for some help. Without that help I am not sure how or what I would have done. But I will tell you that within a day or two, I had regained control of every one of my accounts with the exception of Skype, which to this day I never was able to unlock. I wound up just making a new account.

Another good thing about having friends in security is that they were able to backtrack and find out who the culprits were. Unfortunately, because I couldn't prove the requisite dollar sum in damages, I could not get the authorities to prosecute. I also found out that filing cybercrime reports with local authorities was largely a waste as well. Suffice it to say we had to take some matters into our own hands in the security industry to deal with these folks. I don't know if this situation has gotten any better since then.

Anyway, I learned my lesson. After this I installed a password manager. Since then I have tried several and use them religiously. I not only store all of my passwords, but have them generate a unique, strong password every time I need one (I probably have over 100 passwords, all told). I have no idea what my passwords are. I only remember my master password which gets me into my password manager. If someone did get my LinkedIn password, my damage is limited to LinkedIn only. That password won't work at any other site. I sleep easy.

The lesson is clear. Don't wait until after you are a victim. Go install and use a password manager today. Many are free and do the job. Weak, repetitive passwords are one of the biggest weak spots in our security profile. Learn from my mistakes.
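To make the two points of the post concrete, here is an added example (not from the original article or from any particular password manager) that does what a manager does for you: it generates unique passwords from the OS random source, and it audits a vault for credentials shared across sites so you can see the "blast radius" of a single site's leak. The vault contents, site names and character-class policy are constructed for illustration.

```python
from __future__ import annotations

import math
import secrets
import string
from collections import defaultdict

# Character classes a generated password must draw from. Assumption: this
# policy is the example's own, not any real password manager's default.
LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = "!#$%&*+-=?@^_~"
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS

# Constructed sample vault: site -> (username, password). The first three
# entries reuse one credential, which is exactly the situation in the post.
SAMPLE_VAULT: dict[str, tuple[str, str]] = {
    "linkedin.com": ("alice@example.com", "Summer2012"),
    "yahoo.com": ("alice@example.com", "Summer2012"),
    "blog-host.example": ("alice@example.com", "Summer2012"),
    "bank.example": ("alice@example.com", "x9#Lq2!vRt8$wPm3Zk"),
}


def generate_password(length: int = 20) -> str:
    """Return a random password using the OS CSPRNG (secrets), never random.random.

    Picks one char from each class first so the policy is always met, fills the
    rest from the whole alphabet, then shuffles so class positions are not fixed.
    """
    if length < 4:
        raise ValueError("length must be at least 4 to cover every class")
    chars = [secrets.choice(cls) for cls in (LOWER, UPPER, DIGITS, SYMBOLS)]
    chars += [secrets.choice(ALPHABET) for _ in range(length - 4)]
    secrets.SystemRandom().shuffle(chars)  # CSPRNG-backed shuffle
    return "".join(chars)


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def find_reused(vault: dict[str, tuple[str, str]]) -> dict[tuple[str, str], list[str]]:
    """Map every (username, password) pair used on more than one site to those sites."""
    by_credential: dict[tuple[str, str], list[str]] = defaultdict(list)
    for site, credential in vault.items():
        by_credential[credential].append(site)
    return {cred: sites for cred, sites in by_credential.items() if len(sites) > 1}


def blast_radius(vault: dict[str, tuple[str, str]], breached_site: str) -> list[str]:
    """Other sites a leak of `breached_site`'s credential would open (same user+password)."""
    leaked = vault[breached_site]
    return [site for site, cred in vault.items() if cred == leaked and site != breached_site]


def rotate_reused(vault: dict[str, tuple[str, str]], length: int = 20) -> dict[str, tuple[str, str]]:
    """Return a copy of the vault where every reused credential gets a fresh unique password.

    The username is kept; only the password is replaced, one new one per site.
    """
    rotated = dict(vault)
    for sites in find_reused(vault).values():
        for site in sites:
            user, _ = vault[site]
            rotated[site] = (user, generate_password(length))
    return rotated


if __name__ == "__main__":
    for cred, sites in find_reused(SAMPLE_VAULT).items():
        print(f"user {cred[0]!r} reuses one password on: {', '.join(sites)}")
    print("a LinkedIn leak would also open:", blast_radius(SAMPLE_VAULT, "linkedin.com"))
    fixed = rotate_reused(SAMPLE_VAULT)
    print("after rotation it would open:", blast_radius(fixed, "linkedin.com"))
    print(f"a {20}-char generated password carries about {entropy_bits(20):.0f} bits")
```

Running the script shows the reused credential spanning three sites, a non-empty blast radius for the LinkedIn entry, and an empty one once each site has its own generated password, which is the "damage limited to LinkedIn only" outcome the post describes.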


Copyright © 2012 IDG Communications, Inc.
