Eharmony Password Dump
Unless you've been holed up in a bunker, eating MREs and watching Doomsday Preppers marathons, you've likely heard of the recent compromise of over 1.5 million.
[Figure: The analysis shows some of the popular types of passwords used on eHarmony. Credit: SpiderLabs]

An analysis of passwords stolen from eHarmony and leaked to the Web recently reveals several problems with the way the dating site handled password encryption and policies, according to a security expert.

The biggest problem clearly was that the passwords, although encrypted and obscured with a hashing algorithm, were not 'salted,' which would have increased the amount of work password crackers would need to do, writes Mike Kelly, a security analyst at Trustwave SpiderLabs, in a post today. But there were two other less obvious problems.

First, the lowercase characters in passwords were converted to uppercase before hashing, Kelly says, writing: 'This drastically reduces the time it takes to crack, as there are far less possibilities. Using a full 95 character keyboard, brute forcing an 8 character password gives us 6.6342 x 10^15 possibilities. For eHarmony, this is reduced to 5.13798374 x 10^14, due to the loss of the lowercase characters.'

And secondly, during resets the passwords were changed to a five-character password using only letters and digits, he said, adding: 'During our tests, we reset the password for an eHarmony account several times. Each time, we found that the passwords were reset to a five-character password using only letters and digits. While the password appears to be using uppercase and lowercase letters, we know that the hashes use only uppercase. Bruteforcing five characters, under these circumstances, can be done in less than 10 seconds while utilizing at least one GPU.'

EHarmony spokeswoman Becky Teraoka provided this comment on the SpiderLabs post: 'The security of our users is of the utmost importance to us. Due to our ongoing investigation and cooperation with law enforcement authorities, we cannot comment on these specific points.'

The company, along with LinkedIn and Last.fm, found that user passwords were among earlier this month. It appears that while they were hashed, they were not salted, which experts say is a best practice that all e-commerce sites should follow.
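As an added example (not code from the article or from SpiderLabs), the following Python reproduces the keyspace figures Kelly cites and contrasts the two policy defects he describes, case folding before hashing and the absence of a salt, with a per-user salted hash. The hash function is an assumption: the article does not say which algorithm eHarmony used, so SHA-256 stands in purely for illustration, and the alphabet sizes (95 printable characters, 69 after lowercase is folded away, 36 letters and digits for reset passwords) are taken from the figures in the post.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Alphabet sizes implied by the article's own figures.
FULL_KEYBOARD = 95               # printable ASCII: the "full 95 character keyboard"
CASE_FOLDED_KEYBOARD = 95 - 26   # lowercase letters folded into uppercase before hashing
RESET_ALPHABET = 26 + 10         # reset passwords: letters and digits, effectively one case


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters over the alphabet."""
    return alphabet_size ** length


def reduction_factor(full_alphabet: int, reduced_alphabet: int, length: int) -> float:
    """How many times fewer candidates a brute-force search faces once the alphabet shrinks."""
    return keyspace(full_alphabet, length) / keyspace(reduced_alphabet, length)


# Assumed scheme for illustration only: the article does not name eHarmony's hash
# function, so SHA-256 is used here to show the effect of the two policy defects.
def weak_hash(password: str) -> str:
    """Folds case and hashes without a salt: 'love' and 'LOVE' collide, and every user
    who chose the same password gets the same digest, so one crack reveals all of them."""
    return hashlib.sha256(password.upper().encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, str]:
    """Per-user random salt, no case folding. Returns (salt, hex digest); the salt is
    stored next to the digest so the password can be verified later."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return salt, digest


def verify_salted(password: str, salt: bytes, expected_digest: str) -> bool:
    """Recomputes the salted digest and compares it in constant time."""
    return hmac.compare_digest(salted_hash(password, salt)[1], expected_digest)


if __name__ == "__main__":
    print(f"95^8 = {keyspace(FULL_KEYBOARD, 8):.4e}")          # 6.6342e+15, as in the post
    print(f"69^8 = {keyspace(CASE_FOLDED_KEYBOARD, 8):.9e}")   # 5.137983744e+14
    print(f"36^5 = {keyspace(RESET_ALPHABET, 5):,} reset-password candidates")
    print(f"case folding shrinks the 8-character search {reduction_factor(95, 69, 8):.1f}x")
    print("case-folded, unsalted digests collide:", weak_hash("love") == weak_hash("LOVE"))
    s1, d1 = salted_hash("love")
    s2, d2 = salted_hash("love")
    print("salted digests of the same password differ:", d1 != d2)
    print("verification still succeeds with the stored salt:", verify_salted("love", s1, d1))
```

The salted variant fixes the two defects the analysis names; a production system would additionally use a deliberately slow, purpose-built password hash (bcrypt, scrypt or Argon2) rather than a single SHA-256 round, so that each guess costs the attacker far more than a GPU hash computation.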
The companies have notified users, reset passwords and said they are beefing up the security of their password systems.

The SpiderLabs analysis uncovered some interesting facts about the types of passwords used on eHarmony. For instance, 99.5 percent of the passwords on the list do not contain a special character, which would have strengthened their protection, but 57 percent contained letters and numbers.

Also, the word 'love' was the most commonly occurring password of those that were examined, the analysis found. Kelly said he couldn't designate what the most common passwords were because no password was seen more than three times on the list. Meanwhile, most of the passwords on the list were seven characters long, followed by six and eight characters in length, he noted.

'The eHarmony dump is just further proof that organizations need to not only store passwords in stronger, salted formats than was previously acceptable, but also need to enforce stronger case-sensitive password policies,' the post concludes. 'Users, as a whole, still do not understand the need for strong passwords, and will continue to set passwords that meet only the minimum requirements.'
Passwords
The online dating site eHarmony confirmed late Wednesday that passwords for its members were exposed in a breach, a second major compromise following LinkedIn's password exposure. 'After investigating reports of compromised passwords, we have found that a small fraction of our user base has been affected,' said Becky Teraoka of eHarmony's corporate communications. EHarmony didn't say how many of its users may have been affected.

The website said it had reset the passwords. As with LinkedIn, eHarmony's exposed data is cryptographic representations of passwords called hashes, which are generated by an algorithm. But the hashes can be cracked to recover the original passwords using freely available password-cracking software. The shorter the password, the higher the chance it can quickly be cracked.

EHarmony's 1.5 million password hashes were released in a forum of a Russian password-cracking website called InsidePro, Ars Technica reported. Hackers on InsidePro asked for help cracking the password hashes, Ars reported. But by late Wednesday, those threads on the forum appeared to have been deleted and were not available in Google's cache.

LinkedIn confirmed on Wednesday that some of its passwords were compromised. Security researchers put the figure at 6.5 million, although some of the password hashes were duplicates, bringing the number down to around 5.8 million. LinkedIn, which has not said how the breach occurred, is notifying people affected and resetting their passwords.

Send news tips and comments to jeremykirk@idg.com.