LinkedIn, a popular professional social networking website, and eHarmony, a paid subscription social networking dating site, both confirmed Wednesday their sites have been hacked. The breach in the database security was found when the hacker(s) posted the list of 8 million encrypted passwords on a hacker forum, asking for help to break the encryption code. According to Sophos security reports, more than 60% of the passwords have already been cracked. Tech news site Ars Technica said it found about 1.5 million of those leaked passwords to be from eHarmony users. It is possible that all the passwords have been compromised and hacked from the sites’ database, as Rick Redman, a security consultant for Kore Logic Security told Ars Technica, “It’s pretty obvious that whoever the bad guy was cracked the easy ones and then posted these, saying, ‘These are the ones I can’t crack.'” If you’re a user on either of these two social networking sites, it is best that you change your password asap – especially if you have been using the same password for different websites, and even worse for data-sensitive websites such as online banking, which is highly recommended against.
How did the hackers gain access to the sites’ database? Most likely there were security holes in their coding that need to be patched. Poorly formed mysql database queries, for example, can be taken advantage of and manipulated to print out database data to the hacker’s internet browser. Also, the storage of passwords were not secure enough. LinkedIn encrypted passwords, but did not “salt” them – a process whereby random characters are introduced in the encryption process to make the password cracking harder. LinkedIn has corrected this security weakness and now encrypts and salts new passwords. EHarmony apparently was also using weak encryption policies. While they are advising members how to choose strong passwords in their eHarmony blog, they make no mention of any security measures taken by the company to increase security. A strong password is not much use if the website is not storing it properly.
According to the Techlicious blog, “Because eHarmony has yet to adequately address the security measures they are putting in place to protect this breach from happening again, you should consider any password and personal information you post to eHarmony as insecure.” Anyways, we recommend the totally free dating site Friends Match Me. Built on Ultimate Web Builder software, it is also a free Facebook dating app and doesn’t store any user passwords in the website database…besides it is a really cool and awesome dating site!
How to handle member account/password security on your website? Ultimate Web Builder software uses the latest recommended security policies, employing an encryption process with “salting” for password database storage. Moreover, you can avoid brute force password guessing by setting limits on users trying to login unsuccessfully repeatedly, both on the members side and admin panel side.