Security Breach Alert!

June 07, 2012 Data Platform

$6.5 million.  That's how much richer I would be if I had a dollar for every LinkedIn encrypted password publicly posted on a Russian website.  While we never want our information to be compromised, we LinkedIn users can take some comfort in the fact that the passwords were encrypted.  We now have a small window of time to change our passwords, as LinkedIn has advised us to do.  But let's stop for a minute and ponder the impact of encryption in this scenario.  What if the passwords were not encrypted?

First, that small window of time for damage control would be slammed shut.  Someone would now know one of the passwords that we likely use for more than just our LinkedIn profile.  What can they do with that information?  The list is endless.  And it's exactly that type of vulnerability that is opened by database drivers that do not encrypt credentials.  So let's take a breath and return to reality: the passwords were encrypted, and we are not powerless to prevent any further potential damage.  But what lessons should IT professionals take from this?

I advise that IT folks choose a database with an encryption option, ensure they enable that encryption option on the database, and use a driver that encrypts passwords sent across the network.  Unlike other drivers, Progress DataDirect drivers support both Kerberos authentication and encrypting all user credentials across the network.  Similar to the Global Payments security breach I wrote about last month, we need to be proactive in addressing security concerns.

How do we stop hackers from trying to compromise security?  That question, I cannot answer - tougher jail sentences maybe?  The LinkedIn example appears to be a lesson we didn't have to learn the hard way - thanks to encryption.  Luckily, LinkedIn took appropriate measures to ensure their users' security.  Customers of companies who, unlike LinkedIn, play fast and loose with data might not be so lucky.

Paul Griffin