Slashdot Mirror


LinkedIn Password Leak: Salt Their Hide

CowboyRobot writes "Following yesterday's post about Poul-Henning Kamp no longer supporting md5crypt, the author has a new column at the ACM where he details all the ways that LinkedIn failed, specifically related to how they failed to 'salt' their passwords, making them that much easier to crack. 'On a system with many users, the chances that some of them have chosen the same password are pretty good. Humans are notoriously lousy at selecting good passwords. For the evil attacker, that means all users who have the same hashed password in the database have chosen the same password, so it is probably not a very good one, and the attacker can target that with a brute force attempt.'"
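Added illustration, not part of the submission or of Kamp's column: a short Python sketch of the failure the summary describes. The user table, passwords and attacker wordlist are constructed for the example, and plain SHA-1 is an arbitrary stand-in for whatever unsalted digest a site might store; the point is the shape of the stored data, not the digest algorithm. It shows why identical hashes in an unsalted table hand the attacker the shared passwords, and why per-user salts multiply the attacker's work by the number of users.

```python
import hashlib
import secrets
from collections import defaultdict

# Constructed sample user table for the demonstration: (username, password).
# Three users picked the same weak password, as a few always will on a large site.
SAMPLE_USERS = [
    ("alice", "password1"),
    ("bob", "correct horse battery staple"),
    ("carol", "password1"),
    ("dave", "letmein"),
    ("erin", "password1"),
    ("frank", "Tr0ub4dor&3"),
]

# Constructed attacker wordlist of common passwords.
WORDLIST = ["123456", "password", "password1", "letmein", "qwerty"]


def unsalted_hash(password):
    """Plain digest of the password. SHA-1 is an illustrative choice; the
    weakness shown here does not depend on which digest is used."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_hash(password, salt):
    """Same digest, but over a per-user random salt prepended to the password.
    (A real deployment should also use a deliberately slow construction such
    as bcrypt, scrypt, PBKDF2 or Argon2; the salt alone is what this shows.)"""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def build_unsalted_db(users):
    """An unsalted password table: username -> hash."""
    return {name: unsalted_hash(pw) for name, pw in users}


def build_salted_db(users):
    """A salted table: username -> (salt, hash). The salt is not secret; it is
    stored next to the hash so the login check can recompute the digest."""
    db = {}
    for name, pw in users:
        salt = secrets.token_bytes(16)
        db[name] = (salt, salted_hash(pw, salt))
    return db


def duplicate_groups(hashes_by_user):
    """Group usernames by identical stored hash. In an unsalted table every
    group of size > 1 is a set of users who chose the same password, which
    tells the attacker the password is shared (and therefore probably weak)
    before a single guess has been made."""
    groups = defaultdict(list)
    for name, h in hashes_by_user.items():
        groups[h].append(name)
    return {h: sorted(names) for h, names in groups.items() if len(names) > 1}


def crack_unsalted(db, wordlist):
    """Dictionary attack on an unsalted table. Each candidate is hashed once
    and compared against every user, so the cost is len(wordlist) digests no
    matter how many users there are. Returns (cracked, digests_computed)."""
    cracked = {}
    digests = 0
    for candidate in wordlist:
        h = unsalted_hash(candidate)
        digests += 1
        for name, stored in db.items():
            if stored == h:
                cracked[name] = candidate
    return cracked, digests


def crack_salted(db, wordlist):
    """Same attack on a salted table. The salt differs per user, so every
    candidate must be re-hashed for every user: len(users) * len(wordlist)
    digests to exhaust the wordlist, and a match for one user says nothing
    about any other. Returns (cracked, digests_computed)."""
    cracked = {}
    digests = 0
    for name, (salt, stored) in db.items():
        for candidate in wordlist:
            digests += 1
            if salted_hash(candidate, salt) == stored:
                cracked[name] = candidate
    return cracked, digests


if __name__ == "__main__":
    unsalted = build_unsalted_db(SAMPLE_USERS)
    print("unsalted duplicate groups:", duplicate_groups(unsalted))
    print("unsalted crack:", crack_unsalted(unsalted, WORDLIST))

    salted = build_salted_db(SAMPLE_USERS)
    salted_hashes = {name: h for name, (_, h) in salted.items()}
    print("salted duplicate groups:", duplicate_groups(salted_hashes))
    print("salted crack:", crack_salted(salted, WORDLIST))
```

With a tiny wordlist both tables fall, but the digest counts differ by a factor equal to the number of users, and only the unsalted table leaks the "alice, carol and erin share a password" grouping for free. Salting is the floor, not the ceiling: a fast digest with a salt still lets an attacker try hundreds of millions of guesses per second per user, which is why the slow, tunable constructions mentioned in the code comments matter as well.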

4 of 192 comments

  1. Standard practice? by Anonymous Coward · Score: 5, Insightful

    Isn't salting and hashing a standard practice for passwords, even for low-security stuff?
    With something as high profile as LinkedIn, how did it get missed?
    Aren't there audits, etc. to check for this type of stuff?
    Isn't it similar to releasing a range of cars, all of which have the same key? (Or something similar. Analogies are my weak point, as is the English language.)

    1. Re:Standard practice? by HapSlappy_2222 · Score: 5, Insightful

      Not taking a jab at you personally, but I've never understood the "you deserve what you got, silly victim!" mentality. No victims *deserve* to be victimized. Sure, they could have taken better steps to protect themselves, but I can just as easily say "you deserve that cancer you got" for not getting regular boob or prostate squashings. It's technically true that many people are vulnerable because they don't know how important it is to protect themselves, but directly blaming them for it is counter-productive.

      Education of users is a very, very good goal, especially when so many users don't fully understand the risks out there, but the first step in educating them is having empathy for their plight. Sure, victims learn the most valuable of lessons, but it would be far better to have them learn to protect themselves *before* the damage is done.

    2. Re:Standard practice? by MobyDisk · Score: 5, Insightful

      Isn't salting and hashing a standard practice for passwords, even for low-security stuff?

      It is.

      I have worked for 4 companies where I was involved with a database that contained user passwords. Before I arrived, none of those companies used salts, and only one even hashed the passwords. When I explained it to my fellow programmers, it was the first time they had ever heard of the concept.

      Security and best practices are academic concepts that are not taught in school. Most people don't really care about security until it affects them. Slashdot is an unusual cross-section of people who tend to be security-minded, so what appears to be common knowledge here is not representative of the software industry.

  2. Re:Faulty Logic by exploder · Score: 5, Insightful

    I think you might be missing the point about duplicate passwords--it's an argument FOR salting the hashes.

    --
    Yo dawg, I heard you like the Ackermann function, so OH GOD OH GOD OH GOD