Slashdot Mirror

← Back to Stories (view on slashdot.org)

LinkedIn Password Leak: Salt Their Hide

Posted by Soulskill on from the i-see-what-you-did-there dept.

CowboyRobot writes "Following yesterday's post about Poul-Henning Kamp no longer supporting md5crypt, the author has a new column at the ACM where he details all the ways that LinkedIn failed, specifically related to how they failed to 'salt' their passwords, making them that much easier to crack. 'On a system with many users, the chances that some of them have chosen the same password are pretty good. Humans are notoriously lousy at selecting good passwords. For the evil attacker, that means all users who have the same hashed password in the database have chosen the same password, so it is probably not a very good one, and the attacker can target that with a brute force attempt.'"

2 of 192 comments (clear)

  1. or BrowserID by gQuigs · · Score: 4, Interesting

    https://www.browserid.org/

    It's the closest I've seen to SSH Keys. That's all I want, SSH Keys for web auth.

  2. The significance of LinkedIn by sir-gold · · Score: 5, Interesting

    This LinkedIn hack could lead to even more high-profile hacks, due to the unique user base that LinkedIn has

    On most sites (like Facebook) most of the stupid passwords will belong to stupid 13 year old kids with nothing of value to hackers, but on a site like LinkedIn you are more likely to get the password for some computer illiterate corporate executive. In many cases this is the same simplistic password he uses at work, where he insisted he be given admin-level access on all of their servers "because hes an executive"

    Computer security is always about the weakest link in the chain, and when one of those "links" partied his way though business college and never thinks twice about password reuse, you have a pretty weak chain. LinkedIn is like an x-ray showing the hackers who the weak links are.