Leaky LinkedIn
6:10 AM
Justin
, Posted in
So since I heard about the leak of the LinkedIn passwords, I've been waiting to see what the first analysis of the dumped hashes would reveal. Theoretically LinkedIn is a bit of a different beast to other sites that have been breached, as the target users are working professionals, the type of people who have more than likely been educated again and again on passwords by their employers.
And here are some results from Qualys, where they pretty quickly obtained 2 million passwords with not a great deal of effort, including gems such as 'm0c.nideknil.' Overall something like 98% of the hashes have now been cracked.
As for LinkedIn, using unsalted hashes to store passwords? This is security 101 stuff and quite frankly, embarrassing for a company of their size and age. Of course the unsalted part may not be the worst, the big question still remains about how the passwords got stolen in the first place.
As Richard previously posted - change your password! And if you are interested in seeing if your password was included* in the released ones: http://www.leakedin.org/
(*not specifically YOUR password, but a hash of the same password as the one you were using.)
This is an interesting take: http://krebsonsecurity.com/2012/06/how-companies-can-beef-up-password-security/. I probably would've just used sha with a large random salt or, in reality, probably a third part authentication provider.
And an interesting counter argument:
http://www.analyticalengine.net/2012/06/should-we-really-use-bcryptscrypt/
Both valid arguments. Salting is designed to make it harder for the bad guys to crack the passwords, but we know it won't make it impossible (or even improbable). It does (potentially) buy you enough time to have your users/customers change their passwords before they're all cracked and exploited. A better move is to not let the bad guys get the hashes to start with...
We read your blog website, share most practical information in blog. antivirus protection brisbane