Why LinkedIn Failed

June 23, 2012

I deleted my LinkedIn account yesterday. For those that don’t know, they suffered a security breach and 6.5 million passwords were posted to the web. That isn’t the reason I deleted my account though. Although it is annoying, large sites get hacked from time to time. Such is life. This is why we all are supposedly using different passwords for every web site we visit. Here are the actual reasons I deleted my account:

  1. Their handling of the event was inept. When I logged in I was presented with a captcha prompt and then forced to change my password based on an e-mail link they sent me FOUR times (they sent one to each of my registered e-mail addresses). I was then presented with another captcha prompt. Let me give you a little hint right here. captcha is USELESS as a security measure. The only thing it did for me was cause me to be annoyed, and to think that they were just dumping “solutions” at the problem to make someone happy and not doing any research into how they can actually protect my data.
    Once I was done with the second prompt I was asked to enter a new password without *any* other type of unique identification. So if I had been an attacker who followed the unique link from my e-mail and correctly typed in the stupid captcha response, then I would have had free rein over the account. To round things off, they had a list of suggestions for how to build a password, and said my password was only “fair” because I didn’t use their suggestions. Here is what is wrong with that. Publishing password guidelines like that REDUCES security. Because the majority of users are going to follow the suggestions, it is in effect telling attackers how to build their next attack. I am quite certain that my 9 digit misspelled nonsense word which I can remember would have been more than adequate.
    Especially since the break-in didn’t happen because one of LinkedIn’s users had a bad password.
    *Note to anyone in the position to make security choices. HACKERS DON’T TARGET INDIVIDUAL USERS ANY MORE. Why bother when you can just go to LinkedIn or Sony and get 6.5 million passwords for the same amount of effort.
  2. Spam. I cannot count the number of times that I told LinkedIn not to send me e-mail (mostly because I wasn’t counting; it was more than two though, which is two more times than I should have had to). I followed their unsubscribe process several times, and it never worked. What is worse? I am still getting the spam after I deleted my account. If I try to unsubscribe then I am prompted to log in and change my communication preferences. Guess what I can’t do with a deleted account. See the problem? (Hint: you can’t log in if you don’t have an account).
  3. The site was worthless to me. I had a completely filled out account with my entire resume posted and I did not ever have a single person contact me that wasn’t either someone I’d never heard of looking for an unsolicited recommendation, an ex-girlfriend spying on me (you can see who visits your page), or someone trying to scam me. I’d had my account since 2006. I have a fairly impressive resume. I should have had at least one valid contact in that amount of time. I published my resume on Monster by accident once and was hired within a week (true story). I hate Monster (with a passion, I don’t use that word lightly). Guess who still has my account.
  4. I just didn’t want there to be only three reasons.
