Updating Your Password on LinkedIn and Other Account Security Best Practices

19 points by bwag, almost 13 years ago

6 comments

sofal, almost 13 years ago
<i>Substitute numbers for letters that look similar (for example, substitute “0” for “o” or “3” for “E”.</i>

Am I correct in thinking that the amount of entropy added with cute tricks like this is essentially nil? Is this advice even remotely valid?

<i>Never give your password to others or write it down.</i>

I don't think the advice to never write your password down is very useful unless coupled with a better way to manage all of your passwords besides memorizing them (like a password manager).
jgrahamc, almost 13 years ago
Seems foolish for them to have posted this. It's not very good advice on choosing a password and feels like the wrong response to the story about passwords apparently having been leaked.
Yoms, almost 13 years ago
This is getting silly now, the hash for my unique strong password was in the list. And there are many others who have stated the same. It should have taken them a whole of 5 minutes to find if these hashes were from their database. It's shameful and shows an utter disrespect for security that they didn't bother salting them (and sha1 really?).

Now it's time for them to own up to the mistake and inform their users, before anyone has anything else compromised.
lawnchair_larry, almost 13 years ago
From the updated blog entry:

<i>"It is worth noting that the affected members who update their passwords and members whose passwords have not been compromised benefit from the enhanced security we just recently put in place, which includes hashing and salting of our current password databases."</i>

Still doing it wrong I see.
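
An added example, not part of the thread and not LinkedIn's code: it contrasts the unsalted SHA-1 storage that Yoms describes with a per-user salt and a deliberately slow key-derivation function. PBKDF2-HMAC-SHA256, the iteration count, the function names and the sample passwords are assumptions of this example.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Assumption: iteration count chosen for this example, not taken from the page.
PBKDF2_ITERATIONS = 600_000


def unsalted_sha1(password: str) -> str:
    """Scheme criticised in the thread: one fast hash, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def found_in_dump(password: str, dump: set[str]) -> bool:
    """Check a user can run on their own password against a published hash list."""
    return unsalted_sha1(password) in dump


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Per-user random salt plus a slow KDF; returns (salt, derived_key)."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, key


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    _, key = hash_password(password, salt)
    return hmac.compare_digest(key, expected)


def demo() -> dict[str, bool]:
    # Constructed sample data: two hypothetical accounts sharing one password.
    shared = "correct horse battery staple"
    dump = {unsalted_sha1(shared)}  # stands in for a leaked hash list
    alice = hash_password(shared)
    bob = hash_password(shared)
    return {
        # Without a salt, one digest identifies every account using the password.
        "lookup_hit": found_in_dump(shared, dump),
        # With per-user salts, the same password yields unrelated stored values.
        "salted_equal": alice[1] == bob[1],
        "verify_ok": verify_password(shared, *alice),
        "verify_wrong": verify_password("Passw0rd", *alice),
    }


if __name__ == "__main__":
    print(demo())
```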
martian, almost 13 years ago
The Dropbox post on passwords (and their password strength estimation tool) is much better at describing what strong passwords actually are.

http://tech.dropbox.com/?p=165

The advice from LinkedIn like "Don't use a word from the dictionary" and "Substitute numbers for letters that look similar (for example, substitute “0” for “o” or “3” for “E”." are security theater.
ajays, almost 13 years ago
"<i>At this time, we’re still unable to confirm that any security breach has occurred</i> ..."

Really? How long does it take to verify that this breach is accurate and sound an alarm?