LinkedIn Password Leak: Salt Their Hide

CowboyRobot writes "Following yesterday's post about Poul-Henning Kamp no longer supporting md5crypt, the author has a new column at the ACM where he details all the ways that LinkedIn failed, specifically related to how they failed to 'salt' their passwords, making them that much easier to crack. 'On a system with many users, the chances that some of them have chosen the same password are pretty good. Humans are notoriously lousy at selecting good passwords. For the evil attacker, that means all users who have the same hashed password in the database have chosen the same password, so it is probably not a very good one, and the attacker can target that with a brute force attempt.'"

Standard practice?

Isnt salting and hashing a standard practice for passwords even for low security stuff?
With something as high profile as Linkedin, how did it get missed?
Arent there audits,etc to check for this type of stuff?
Isnt it similar to releasing a range of cars, all of which have the same key (or something similar. Analogies are my weak point, as is the English language)

Re:Standard practice?

[Nittle]

I think everyone fails to keep this in perspective.
This is LinkedIn, not your bank, not the government, nothing important.
If you use the same password on some bunk website as important things, then you deserve what you had, but if, for some reason, I used the same password for slashdot as LinkedIn, and someone hacks my slashdot, whatever. The thing to really worry about is what these companies do with all of our personal information.

Re:Standard practice?

For those with paid Linkedin accounts, linkedin is like any paid service and must be secured appropriately
Even for others, its an important career development resource

Re:Standard practice?

[PIBM]

What ? All the banks I've used (3 so far) allows me to transfer money directly from their web site. Yes it can be tracked, but I'm quite sure it can be hard to reverse.

Re:Standard practice?

[HapSlappy_2222]

Not taking a jab at you personally, but I've never understood the "you deserve what you got, silly victim!" mentality. No victims *deserve* to be victimized. Sure, they could have taken better steps to protect themselves, but I can just as easily say "you deserve that cancer you got" for not getting regular boob or prostate squashings. It's technically true that many people are vulnerable because they don't know how important it is to protect themselves, but directly blaming them for it is counter-productive.

Education of users is a very, very good goal, especially when so many users don't fully understand the risks out there, but the first step in educating them is having empathy for their plight. Sure, victims learn the most valuable of lessons, but it would far better to have them learn to protect themselves *before* the damage is done.

Re:Standard practice?

[MobyDisk]

Isnt salting and hashing a standard practice for passwords even for low security stuff?

It is.

I have worked for 4 companies where I was involved with a database that contained user passwords. Before I arrived, none of those companies used salts, and only one even hashed the passwords. When I explained it to my fellow programmers, it was the first time they had ever heard of the concept.

Security and best practices are an academic concepts that are not taught in school. Most people don't really care about security until it affects them. Slashdot is an unusual cross-section of people who tend to be security-minded so what appears to be common knowledge here is not representative of the software industry.

Re:Standard practice?

[ShanghaiBill]

This is LinkedIn, not your bank, not the government, nothing important.

Many (most?) people use the same id/password combination on multiple accounts. If I know everyone's id/password for Linkedin, then for maybe half those people I can now login to their bank.

People are stupid. Expecting them to be non-stupid is unrealistic. So good security has to accommodate stupidity. That is why even throw-away sites need to have good security.
 

Re:Standard practice?

[TubeSteak]

It's technically true that many people are vulnerable because they don't know how important it is to protect themselves, but directly blaming them for it is counter-productive.

Your whole argument fails because LinkedIn isn't "many people".
LinkedIn is a multi-million user networking site for professionals.

Education of users is a very, very good goal, especially when so many users don't fully understand the risks out there, but the first step in educating them is having empathy for their plight.

LinkedIn has a goddamn team of coders and server monkeys.
Salting your hashes is really really basic stuff. It's at the level of "look both ways before crossing the street."
If you don't look both ways before crossing the street, it's your own damn fault for stepping in front of a car.
And yes, I'm comparing malicious hackers to cars. They will run you over if you give them a chance.

Re:Standard practice?

[Kyrene]

I was a contractor at a place where they had an application where there was NO hashing, no encryption, just bare text in the database. When I brought it up to their architect, he informed me that his "philosophy" was that if they were going to hack the database, wouldn't they go after other data than passwords? He refused to believe such a thing would have any validity. It was a very classic case of the stubbornly and willfully ignorant. Glad I'm not there anymore.

Re:Standard practice?

[thoth]

Security and best practices are an academic concepts that are not taught in school. Most people don't really care about security until it affects them.

And in turn, corporations don't care about security until is costs them money. Look at Microsoft, they didn't give a flip about security until sometime after Windows XP when that OS was getting owned left and right by malware. Which started to cost them, albeit indirectly.

How exactly will this cost LinkedIn? If it is being ridiculed in the press, they'll just ride it out and not care. If people leave in droves and their service becomes less valuable, or advertisers/customers jump ship, then they'll give a crap.

Re:Standard practice?

[MobyDisk]

To further one of my anecdotes: One of the companies in my list was very paranoid. They used big expensive SAN systems and had been encrypting network traffic forever. They even escrowed customer data they thought they should not hold themselves. Yet they still didn't salt passwords.

I can only conclude that hashing and salting is less well known than encrypting.

Re:Standard practice?

[element-o.p.]

Security and best practices are an academic concepts that are not taught in school...Slashdot is an unusual cross-section of people who tend to be security-minded so what appears to be common knowledge here is not representative of the software industry.

^^THIS!!!^^

I took a senior-level computer security class while working on my C.S. degree in college, and it was largely a waste of time. We spent half the semester working our way through various historical encryption algorithms trying to get *to* asymmetrical encryption (you know, Caesar's belt, various ROT-x ciphers, etc. -- i.e., stuff that should have been covered in the first week, maybe). We spent most of the rest of the semester dissecting DSA and RSA, and maybe two weeks talking about covert channels. We spent next to no time talking about one-way hashes, and salts were a completely foreign concept to me when I discovered them two or three years later when I started using Linux. As far as best practices for real-world computer security? I don't think that was ever even a FOOTNOTE in any of my C.S. courses.

Maybe I just went to a crappy school, but IMHO, my college education was woefully inadequate for the real world. Pretty much everything I use on a day-to-day basis was learned on my own, outside of college.

Re:Standard practice?

[durdur]

Half the trouble I had as a security developer was trying to educate/convince other developers that making an effort in this area was necessary. Some of them weren't familiar with the basic concepts, but even they were, it's hard to drive home the idea of defense in depth. There is a tendency to think that if the information is inside your database, or behind your firewall, or protected by other means, then it's not worth spending a lot more effort in additional protection. But of course, you are one exploit away from having an intruder inside your database, behind your firewall, etc.

Re:Standard practice?

[mopower70]

Not taking a jab at you personally, but I've never understood the "you deserve what you got, silly victim!" mentality. No victims *deserve* to be victimized. Sure, they could have taken better steps to protect themselves, but I can just as easily say "you deserve that cancer you got" for not getting regular boob or prostate squashings. It's technically true that many people are vulnerable because they don't know how important it is to protect themselves, but directly blaming them for it is counter-productive.

Would you feel better if I said you "earned" being victimized? You smoke two cartons of Camels a week in this day and age, and you don't just deserve cancer, you earned it. You evidently put a lot of effort into pretending that the fact that your cancer was all but inevitable somehow didn't apply to you. Enjoy your winnings!

Re:Standard practice?

[b4dc0d3r]

They need to stop password reuse, but they won't. Users do not get paid for choosing passwords, but coders do get paid for writing code. If coders do their job poorly, blame lies with the coders. Expect stupidity, allow for genius.

I'm paranoid enough that I make up fake answers for security questions, and password hints are intentionally misleading, while still enough for me to figure out what it means. I also do not re-use passwords.

But I am not normal. That is why, when I have to write some sort of authentication, I assume the user is a complete and utter tool, incapable of reading or understanding any information or suggestion. At the same time, I also assume they are clever enough to want to defeat my clever scheme of forcing them to be smarter. "Don't reuse passwords" becomes "I must ensure that if a user does re-use passwords, I keep them as safe as I can."

Re:Faulty Logic

[exploder]

I think you might be missing the point about duplicate passwords--it's an argument FOR salting the hashes.

Re:Faulty Logic

[ProDeveloper]

Exactly. Both the summary and article are being stupid about the reason for salting in hashed passwords. It's main benefit isn't hiding two same password. It's main purpose is to make brute force much more work, even if the user supplied short password. Even Google isn't stupid enough to pull stuff like that. The salt should consist of general site wide salt, and personal salt calculated from user values that do not change (UID, birth date, some extra field in db).

How about stop using passwords

[Galestar]

I'll say it again: OpenID.

Re:How about stop using passwords

Not gonna happen. All big sites want to be OpenID *provider*, but none of them will accept OpenID Logins.

Time to start scrambling passwords

[cpu6502]

I think I will start visiting websites I no longer use, and deactivate my accounts. If that doesn't work, I'll fill the "user profile" with a bunch of nonsense & scramble the password. It worries me that over the last ~20 years I've visited a bunch of places and left behind details about myself. I never used linked-in but I imagine if I did, I'd be in potential trouble now (leaked info).

Re:Time to start scrambling passwords

[sideslash]

If you've used the same password at multiple sites, you've already exposed yourself to cross-site mischief if one was compromised. LinkedIn looks bad right now, but you know there are a lot of sites that store passwords in plaintext.

Re:Time to start scrambling passwords

[HapSlappy_2222]

I just hope my "leaked" LinkedIn info gets passed on to a potential overseas employer!! This new "automatic international networking" feature they implemented is going to be GREAT!

Re:Do they understand how hashes work?

Do they understand how hashes work?

Yes, Poul-Henning Kamp understand how hashes work. Much, much, much better than you do. But if you feel compelled to lecture the writer of MD5crypt on your wonderful insights into how hashes work, please, feel free.

or BrowserID

[gQuigs]

https://www.browserid.org/

It's the closest I've seen to SSH Keys. That's all I want, SSH Keys for web auth.

Daft Question

[rufty_tufty]

This may well be a very daft question but:
It appears that the default is to use a simple solution when people are first developing their websites.
Isn't this what libraries are for? Why isn't the default secure method in development environments/website template/distros etc to use a much more secure method?
Why is there no standard library that I just say (for example) store_user_password($user_name); and it takes care of it?
If there is such a thing why isn't it more universally used and why blame the website implementers for what is a dev environment/toolkit/whatever problem?
If the technology the article talks about has been known since the 80s why isn't it the standard in all the modern environments? And whatever the answer I'm not sure the blame rests in the users of however they develop this(unless they are writing their website in C based CGI...).

Re:Daft Question

[Hotawa+Hawk-eye]

There ARE libraries like that. From the article:

As I said, md5crypt [a hashing function based on MD5] is pretty much the "default" password scrambler for a lot of people, but even though it fulfilled all relevant criteria back in 1995, I no longer consider it safe enough (see: http://phk.freebsd.dk/sagas/md5crypt_eol.html).

But what was secure back in 1995, when computers had processors like Pentiums or Pentium Pros operating at around 200 MHz, is not secure in 2012, when computer processors in the Sandy Bridge family are operating between 1.6 and 3.6 GHz (1600 to 3600 MHz) and likely have GPUs they can call upon for extra computing power. [My use of the list of Intel processors only is not intended to be a slight against other processor manufacturers, but just the first list I found.]

Re:Faulty Logic

Or more important, makes it so you would have to try to brute force each one because the hash won't exist in previously generated rainbow tables.

Resume

[tanujt]

So if I crack other people's passwords on Linkedin, can I put that up as a skill in my resume on Linkedin?

Re:Resume

[SydShamino]

You can put it on everybody's resume!

Re:Resume

[HapSlappy_2222]

No, but you can steal other people's resumes and append them to your own. Resumes are like sausage or cocktail waitress bustlines; the bigger the better!

The significance of LinkedIn

[sir-gold]

This LinkedIn hack could lead to even more high-profile hacks, due to the unique user base that LinkedIn has

On most sites (like Facebook) most of the stupid passwords will belong to stupid 13 year old kids with nothing of value to hackers, but on a site like LinkedIn you are more likely to get the password for some computer illiterate corporate executive. In many cases this is the same simplistic password he uses at work, where he insisted he be given admin-level access on all of their servers "because hes an executive"

Computer security is always about the weakest link in the chain, and when one of those "links" partied his way though business college and never thinks twice about password reuse, you have a pretty weak chain. LinkedIn is like an x-ray showing the hackers who the weak links are.

Re:The significance of LinkedIn

[steelfood]

On the flip side, if you don't reuse your passwords, you're never going to remember how to access all 200 sites that require it. Most people barely remember their username, nevermind their password.

There's a bigger problem here than just password reuse. It has to do with passwords as an authentication factor in general.

Re:The significance of LinkedIn

[Sir_Sri]

Even if you change your password now what does that get you? If they're still unsalted SHA1 any minimally competent man in the middle attack will be able to get the hash, and then your password, as if it was part of this release.

If linkedIn actually has a different security system live and these are all old accounts who haven't changed passwords or the like, well then you have some idea what's going on. But changing your password from one unsalted SHA1 hash not tied to an account to another unsalted SHA1 hash doesn't get you a whole lot.

Not exactly

[ptrourke]

If you're looking for hash collisions, you're not going to target a particular hash; you're going to leverage the magic of the birthday paradox and hash your way through a dictionary with passwords listed in order of decreasing probability (with "password" and "12345" listed first, then "p@ssw0rd" and "OU812", etc.) and match the resulting hash with entries in the password file. And you're going to do this once, building one rainbow table, and try it on every unsalted, SHA1 hashed password list you can get your grubby hands on, until you have a nice little dictionary of username / password pairs - and try it on whatever services you're targeting, because most people tend to reuse the same password over and over again (usually Joshua97 or MaryJune05 or some other combination of their kids' names and birthdates).

low-salt

[Megane]

With all the talk these days about low-sodium diets, they just wanted to provide their users with a healthy alternative.

seems the md5crypt guy just posted to bugtraq

[spottedkangaroo]

Don't use his md5crypt and think you did anything useful he says. http://phk.freebsd.dk/sagas/md5crypt_eol.html

Re:Faulty Logic

[Goaway]

Salting does not make brute forcing one password more work. It does make bruteforcing a list of passwords more work, however.

Re:Faulty Logic

[Vellmont]

Both the summary and article are being stupid about the reason for salting in hashed passwords. It's main benefit isn't hiding two same password. It's main purpose is to make brute force much more work,

Yes, but you should also mention that salts with a large amount of entropy also protect against Rainbow tables and other forms of pre-computed hashed passwords. Make sure you have enough entropy in your salt(128 bits is very high) to prevent these kinds of attacks.

I'd recommend a randomly generated salt for each password, and not based on some user details. This guarantees a large amount of entropy in the salt. Some people also recommend an added site wide salt as well that's not stored in the same place as the password (embedded in the code for instance). This might increase your security a bit, but it's going to cost you quite a bit in added complexity.

Re:Learned that in Udacity cs253 webapps

[Stickybombs]

No, as he said, we learned to "always salt your passwords," and given a simple example. Then we were told that if we are in a position of authority for an important website, further research and understanding would be required in order to maintain security. You need multiple classes on the topic, not just an hour of instruction. Duh.

Re:Faulty Logic

[tlim]

Even though salting makes it "much more work", your algorithm could be not CPU(GPU) intensive enough. That's the largest flaw in most systems, and that includes, like the author of MD5crypt stated, too computationally simple to break. So on one simple box, even when salted, we're talking about 2 days time to crack MD5crypt to brute force and 8 character password (probably less with better hardware). Without the salt of course, I suspect that all 6.5M accounts were cracked that day (especially if they can scale it to say 50 ordinary boxes). Use Blowfish or Twofish, and it would take years to even do brute force as each calculation takes in the tenths of seconds (given 12 rounds or greater).

Re:What difference does it make?

[zzsmirkzz]

Salting only protects you from precomuted "rainbow" brute force methods which means if you have a big enough table your password is cracked in seconds to minutes rather than oh I don't know what is the average for your typical password? Hour, day..two days? week tops...? Does this difference really mean anything substaintial to the vicitim?

Now I may be wrong, but that would only be the case if the salt was stored with the hashes, correct? Which to me seems rather dumb (from a security perspective, not a performance one). To maximize the benefit of salts, the password hashed and their associated salts should be stored in two different databases, running on different servers so that a hacker would have to compromise both to get access to the list. Lock down the Salt DB server so that's it's only able to communicate with the Hash DB server (and nothing else) and will only return one hash request at a time to it.

Re:What difference does it make?

[silas_moeckel]

Your not really adding security by splitting it up, a well protected server that only stored uuid and salted hashes would do the same.

Re:What difference does it make?

[Sir_Sri]

Salting only protects you from precomuted "rainbow" brute force methods which means if you have a big enough table your password is cracked in seconds to minutes rather than oh I don't know what is the average for your typical password? Hour, day..two days? week tops...? Does this difference really mean anything substaintial to the vicitim?

To a single victim no. But you've taken the complexity of the problem from hacking a password to hacking 6 million passwords each taking as long. So to the 'average' victim your expectation time before being hacked is 3 million times longer, on a 6 million element set, than one that wasn't salted. There are just over 31 million seconds in a year. So even if your password takes 1 second to crack you've still bought yourself about a month. If it takes a day... well you'll be dead before it's brute forced so who cares.

I only expect to live exactly 50 more years. So if it takes 525.95 seconds to crack my password I have a 50/50 chance of being dead before they manage to brute force it under salting (at 525.95 seconds per they will be able to hack about 3 million in 50 years, and the other 3 million in the next 50 years). If on the other hand it takes 525 seconds for the first one, and small fractions of a second for the next 6 million, I could reasonably expect to have been compromised already.

Re:Faulty Logic

[slashmydots]

Actually, they didn't miss just that, they missed the entire story. Honestly, who wrote this? The article SHOULD have said that because they're unsalted, you can get ALL the passwords up to 22 characters turned back into their original text extremely quickly without brute forcing anything. There's no comparison or anything necessary. If they were salted, THEN you'd have to compare them and brute force them. Otherwise you run them all through a rainbow table database on a system with a buttload of RAM and tada, you can reverse them at a very high rate of speed.
So, I already changed my linkedin password.