Posts Tagged ‘linkedin’

Hashed Passwords

Something making a lot of news in the papers recently is compromised usernames and passwords. This has been seen from companies such as LinkedIn, Yahoo and Dropbox. In some of these cases they are storing passwords unencrypted, so that once someone captures the data, they know your actual password. And since many people share passwords among accounts (using the same password for LinkedIn and Facebook), it opens your account to being compromised on multiple systems. This is made worse when more sensitive logins, such as bank accounts or your work e-mail, use the same password you used on Facebook.

One common technique used by web developers, and programmers in general, is to NOT store your actual password but rather a hashed version of it. Hashing is a form of one-way encryption: once a value has been hashed it cannot be reversed back out (hence the "one-way" part). A hash function is also specifically designed so that two different inputs should not produce the same output. In fact, even a single character difference usually results in a radically different output. So hashing is often used so that nobody, not even the database, needs to know your real password. All the system does is, when you enter your password at login, run it through the same hashing algorithm and then make sure the output matches what is stored in the database for your password.

To make this more secure, many web developers will also add "salt" to the hashing process. That is, they add some extra information to your input before it is hashed. The benefit of this is that, as long as the salt is kept secret, it makes it significantly more difficult for your actual password to be discovered.
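The two paragraphs above describe store-a-hash-not-the-password and salting. The following is an added example (not code from the original post) of how a login system does both; it assumes PBKDF2-HMAC-SHA256 as the hashing algorithm and a "salt_hex$hash_hex" record format, neither of which the post specifies.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Assumed parameters: PBKDF2-HMAC-SHA256 with a per-user random salt.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return the storable record "salt_hex$hash_hex"; the plaintext is never kept."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(attempt: str, record: str) -> bool:
    """Login check: re-run the attempt through the same algorithm with the stored salt."""
    salt_hex, stored_hex = record.split("$", 1)
    digest = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode("utf-8"), bytes.fromhex(salt_hex), ITERATIONS
    )
    # Constant-time comparison so a mismatch leaks no timing information.
    return hmac.compare_digest(digest.hex(), stored_hex)


def register(users: Dict[str, str], username: str, password: str) -> None:
    """Store only the salted hash record; a dump of `users` reveals no passwords."""
    users[username] = hash_password(password)


def login(users: Dict[str, str], username: str, attempt: str) -> bool:
    """Return True only if the attempt hashes to the stored record for that user."""
    record = users.get(username)
    return record is not None and verify_password(attempt, record)


if __name__ == "__main__":
    table: Dict[str, str] = {}  # constructed in-memory stand-in for the user database
    register(table, "alice", "correct horse battery staple")
    print(table["alice"])  # salt and hash only, no plaintext
    print(login(table, "alice", "correct horse battery staple"))
    print(login(table, "alice", "correct horse battery stapl3"))
```

Because each user gets a different salt, two users with the same password end up with different records, so an attacker holding the table cannot spot shared passwords or reuse one precomputed table of hashes against every row.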

What brings this to mind was something I encountered today. I forgot the password for a specific online portal that I rarely use, and since I never document passwords, it is really all left up to my memory to recall. Typically when you go to a website and click "forgot password" they will e-mail you a new password or a link to create a new password. However, in this case they e-mailed me my password. What this illustrates to me is that they don't actually hash their passwords, and likely don't encrypt them either. With this, I can know, for certain, that it is possible for someone at that company (or someone with malicious intent) to access my passwords. This is very concerning.

In the day and age we live in, it is very important that we ask our vendors to use more secure methods for storing our passwords. If they can tell us what our passwords are, that is concerning.

Also, since we cannot always force a vendor to do something, please remember to be vigilant in how you handle passwords. Avoid reusing the same passwords online, and ensure that you are changing them periodically. If one of the services you use (such as LinkedIn) has a data breach, be sure to change your password at every place where you used that password.

Enjoy!

Unsolicited Resumes

A business associate of mine was describing a new way of leveraging LinkedIn. The concept is simple: use LinkedIn to discover the names of key people (recruiters, directors, principals, etc.) at the company you'd like to work for and directly submit your resume to them via e-mail or postal mail. The rationale behind this is that when submitting your resume through the proper channels on the corporate website, or via Monster/Dice/etc., your resume may be automatically filtered out because of some negative keyword. By directly submitting a resume, you increase the likelihood of it being read by a human and therefore have a higher chance of being contacted.

However, on the other end of the spectrum, I cannot count the number of times I've received an unsolicited resume for a position we don't have or have no need for. It frequently makes me wonder how much they really want to work for my company, instead of just "some" company.

I guess the reason for the offense is my perspective of the hiring process:

1) You should be looking for a job position which specifically matches your skill set;

2) You should be looking for a company which matches your work culture/ethic;

3) You should want to work specifically for our company for a specific reason. If it came down simply to business terms (title, pay, etc., all the same), I want you to have a reason to want us.

Sending out an unsolicited resume says that you're willing to take anything from anyone, that it really simply comes down to price. But the reality is most people leave their jobs for reasons other than money. Sure, we all would like to get paid more. But frequently there are other underlying problems. If pay is what will make you choose me, then you might simply leave when it suits you.

What are your thoughts? How have you received resumes lately?