LinkedIn 'salts' passwords after mass breach
New Zealand software expert it is "extraordinary" LinkedIn had not taken the security step before.
Hot Topic
NBR Focus: GMO
Following last week's theft of around 6.5 million passwords - around 300,000 of which were decoded by hackers - LinkedIn has moved to upgrade its security.
A local software expert told NBR ONLINE it was "extraordinary" it took a mass security breach for the business network to move beyond basic protection.
In a post on its official site, LinkedIn says is now "salting" its passwords.
Previously, it only "hashed" them.
Marker Metro practice lead Ben Gracewood explains: "Salting passwords, unlike salting a lamb roast, makes the resulting 'hash' less tasty for hackers."
"Hackers would normally attempt to encode, for example, 'mypassword', to create a 'hash' and see if that hash matches one of the leaked LinkedIn hashes.
"If they get a match, they know what your password is. Easy.
"Now that LinkedIn has added salt, 'mypassword' will never result in a match, because LinkedIn's servers have made it 'mypasswordAndSomeRandomSalt' behind the scenes before encoding it.
"Only LinkedIn's servers know what 'AndSomeRandomSalt' is."
Salting makes so called "dictionary" or "brute force" attempts to crack a password slower, and more difficult.
"It really is quite extraordinary that LinkedIn were not salting passwords prior to the leak," Mr Gracewood said.
"Assuming they were using a common hashing algorithm, storing unsalted passwords is barely more secure than storing passwords in plain-text."
LinkedIn says there is no evidence of any accounts being accessed with stolen passwords.
However - a couple of questions remain. How did the passwords get stolen in the first place? And did user names get leaked as well? LinkedIn won't confirm or deny.
Chris Keall
Thu, 14 Jun 2012
Thu, 14 Jun 2012
© All content copyright NBR. Do not reproduce in any form without permission, even if you have a paid subscription.
LinkedIn 'salts' passwords after mass breach
21414