
6.5 million encrypted LinkedIn passwords had been hacked

Sometimes it takes a group of Russian hackers to remind us of the important things in life. Like having a good password. So, on behalf of the 6.5 million LinkedIn users whose passwords you guys stole last week: спасибо — thanks.

And thanks for nothing to LinkedIn for not doing a better job of protecting the privacy of its users. A recent report from Dagens IT broke the news that nearly 6.5 million encrypted LinkedIn passwords had found their way onto a Russian hacker forum.

And now everyone and their grandmother can download the 270 MB list of all the hacked passwords (and no, we’re not providing the link).

So, if you haven’t changed your LinkedIn password yet, you had better change it ASAP at linkedin.com/settings.

Think your LinkedIn password is too strong to steal? You might want to head over to LeakedIn.org to see if it was among those stolen. The site has a list of all the pirated passwords, but not the corresponding user name; apparently only the Russian hackers know which password belongs to which user name. At least for now, that is.

Just enter your LinkedIn password in the field.

If you get this message:

[Screenshot: LeakedIn.org result message]

Let out a huge sigh of relief. And change your LinkedIn password.

If you get this message:

[Screenshot: LeakedIn.org result message]

Let out a huge sigh of frustration. And change your LinkedIn password.

See where I’m going here?

And since you have to take the time to change your LinkedIn password, you might as well come up with a good one. You’re going to have to do a lot better than:

The Top 10 Worst Passwords of All Time

1. password
2. 1234567
3. qwerty
4. abc123
5. monkey
6. letmein
7. trustno1
8. dragon
9. baseball
10. 111111

(Personally, I find “monkey”, “dragon” and “baseball” surprising, but maybe it’s just me.)

As of June 6, nearly 300,000 of the 6.5 million stolen passwords had already been cracked, according to Dagens IT. By now, this number is surely much higher, as more and more people are sharing the stolen file.

The passwords are stored as unsalted SHA-1 hashes, and Twitter reports claim that users have found their own hashes buried in the massive text dump. Although unsalted hashes aren’t nearly as secure as their salted counterparts, cracking them will still take some time (provided it’s not “monkey” or “dragon”).
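To make the difference between unsalted and salted storage concrete, here is an added example (not part of the original article and not LinkedIn's code). The account names, the sample strong password and the PBKDF2 parameters are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: account names are hypothetical; two of the
# passwords come from the article's worst-password list.
ACCOUNTS = {"alice": "monkey", "bob": "monkey", "carol": "Vq7#rainy-Lantern-52"}
WORDLIST = ["password", "1234567", "qwerty", "abc123", "monkey", "letmein"]
ITERATIONS = 100_000  # assumed work factor for the hardened scheme


def sha1_hex(password):
    """Unsalted SHA-1: the storage scheme the article describes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def match_unsalted(stored, wordlist):
    """One precomputed table is checked against every account at once."""
    table = {sha1_hex(word): word for word in wordlist}
    return {user: table[h] for user, h in stored.items() if h in table}


def salted_record(password):
    """Hardened storage: random per-user salt plus a slow KDF (PBKDF2)."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, key


def verify_salted(password, salt, key):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, key)


if __name__ == "__main__":
    unsalted = {user: sha1_hex(pw) for user, pw in ACCOUNTS.items()}
    print("identical hashes:", unsalted["alice"] == unsalted["bob"])
    print("matched by the table:", match_unsalted(unsalted, WORDLIST))
    salted = {user: salted_record(pw) for user, pw in ACCOUNTS.items()}
    print("identical salted records:", salted["alice"] == salted["bob"])
    print("login still works:", verify_salted("monkey", *salted["alice"]))
```

With unsalted SHA-1, every account that shares a common password shares one hash, so a single lookup table exposes all of them. With a per-user salt and a slow key-derivation function, the same password produces a different record for each account and each guess has to be recomputed per user.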

5 Password Best Practices

Microsoft has come up with some best practices. A strong password should:

1. Be at least seven characters long.
2. Not contain your user name, real name or company name.
3. Not contain a complete dictionary word.
4. Be significantly different from other passwords. Avoid incremental passwords (password 1, password 2, password 3, etc.).
5. Contain a combination of upper AND lower case letters, numbers AND keyboard symbols (*^%+@{<”, etc.).

So just how strong is this new password you’ve come up with? You can find out how many seconds (or millions of years) it would take a computer to crack it at: http://howsecureismypassword.net/.

Of course, you should also be careful about saving passwords on your computer. Some dialogue boxes give you the option to save or remember your password, which can obviously pose a potential security threat.

Some might argue that 6.5 million out of LinkedIn’s reported 150 million users adds up to less than 5% of LinkedIn’s total user base, and that the odds of someone’s LinkedIn password being stolen are small. But do you really want to play Russian roulette (forgive the pun) with your password?

One comment

Posted by Thais at 9:58 am at 5. August 2012

During an average Internet session, most people end up with several browser windows and tabs open, and logged into various accounts, such as Facebook and email. Ending a session without logging out of these sites puts you at risk of having your information stolen. Remember to always log out of all accounts (each of which should have a different username and password).
