Complete and utter Database 101 fail
LinkedIn has confirmed that the list of 6.5 million user passwords leaked yesterday is genuine. The social network for suits said it was still investigating the situation, but it said the SHA-1-hashed password list posted on a Russian Dropbox-alike site contained real user data. LinkedIn has chucked compromised users' passwords …
Wait, as an organisation with millions of users, LinkedIn didn't salt its password hashes? W.T.F.
Aw, c'mon. Cut them some slack. We've only known about salt for 34 years: http://cm.bell-labs.com/cm/cs/who/dmr/passwd.ps
Although I have built a few small web-facing systems, these have pretty much all used standard CMS tools.
I have written one web app from scratch and that only ever had me and one other person access it. From day one that app stored salted hashes of passwords.
Either I am over-qualified, or someone needs to spend some time experiencing the BOFH cattle-prod!
Yeah, too late. Account cancelled. Don't know why I ever had one in the first place.
Methinks there needs to be some new rules regarding this sort of thing, something like a company with X Million users, or one that stores personal info, must demonstrate they're doing things right or get shut down.
Waiting for a class action against LinkedIn in 3...2...1... because even if the LinkedIn passwords get changed the users probably repeat the same pw on multiple sites. Yes, yes, technically that's pretty stupid, but it wouldn't be an issue if LinkedIn's developers weren't a bunch of thicko code monkeys.
LinkedIn's the one at fault and a nice fat public bitchslap may get others to wise up. Then again I thought the same when Sony got done over...
Why are people trying to confuse two issues - cookies and passwords? Your statement is false - permission is not required for essential cookies, i.e. where state must be persisted.
While I think some kind of legal action is necessary to determine whether not observing certain procedures can be counted as negligent, I'm petrified that some judge or committee gets to come up with definitive procedures in much the same way that financial regulation tries to prevent the last crisis. However, there will be considerable inertia to overcome before any such suit can be launched as any judgement would set a precedent for every website out there inviting serial copycat suits.
Passwords are flawed. Support for secure two-factor authentication must become universal but the governments are dead against it as they will argue that only they or naughty terrorists need to keep anything truly secret. Viz. the case brought against someone who refused to give the Truecrypt password for their disk drive.
Good lord lighten up. I was just trying to be funny in comparing two areas of current tech affairs and saying how they are being handled is grossly disproportionate to the dangers involved with them.
Obviously my 'wit' was a bit wide of the mark for some.
My point was that there's been all this fuss and legislation over cookies, which except in a few circumstances (advertising most obviously) really don't impact user privacy, yet something like a company storing millions of passwords in a stupid way is apparently perfectly permissible no matter how many times we see this sort of thing happen.
BTW take a look at the average site and see how many cookies really are essential - usually it's zero and therefore in theory the site should ask permission or at least wait for an implied consent action.
Not me. It was actually a secure password randomly generated by a tool and unconnected to any other sites. Mostly because I was trying to use the site to do job searches so it needed to contain real data, and real data I protect much more aggressively than my run of the mill commenting passwords.
Even if your password is not on the list published, how can you be sure that there isn't an unpublished file of the remaining 153.5M passwords?
Have changed mine, even though it wasn't in the file published.
6.5m unique hashes. It doesn't take many of those passwords to be reused - 'password', 'p1ssword' and 'linkedin' were all in there, for example, and probably used by dozens, if not hundreds of people - before that becomes a significant percentage of their database.
Also, yes you're right. The only sane response is to assume that if the hackers have these then they have everything.
True - but when I checked my password that I've never changed until this morning, it wasn't on the list (according to the instructions here: http://news.ycombinator.com/item?id=4073309). Therefore, there are users whose password does not appear encoded in the leaked file.
Maybe change it again unless you're sure the change now has added salt.
Salting is entirely a back end operation and has nothing to do with you changing your password.
"Salting is entirely a back end operation and has nothing to do with you changing your password"
Ummm no. If they have your password stored as a hash then they can't salt it - they have no idea what it is. To salt it you need to add salt to the passphrase, hash it, then pre/append the salt to the hash (so they can use the right one for comparisons in the future).
Unless and until you change your pass it cannot be salted.
No, actually you could just add the salt to the password hash, and then hash it again. This would allow you to salt the previously-created hashes.
I just don't understand the logic of these said social media companies. Yes, they may not have much to lose except your own data; however, it's ridiculous they should make reactionary changes. If it took days/weeks to implement the salt to hashed passwords (assuming they knew about the attack and sat waiting for the passwords to be released), who sat on this technical change?
Paris would like to know. Post-haste.
So how much else was taken? I've already spotted junk email on an address only given to Linked-in.
Now we can expect a deluge of phishing emails, pretending to be changing a linkedIn password.
I already get enough spam to the email address that only LinkedIn has been given.
They hardly needed to have the list to try that one. I get that kind of mail regularly from PayPal, Ebay and sometimes from Linked in as well.
Oh, and from a few banks I have never had an account in and probably never will since I don't live in North America.
Not salting (and peppering) passwords is completely and utterly unforgivable for any login system but particularly so for a high-traffic website with so many registered users.
Hashed with SHA-1? SHA-256 should be a minimum these days.
And how on earth has someone been able to dump such a large amount of data from their databases?
Surely LinkedIn has enough dosh to buy someone who knows about this stuff?
Rather than wasting everyone's time with the cookie warning laws, maybe it would be a good idea to force website operators to state their password security procedures on the signin/registration pages.
For that particular application, MD5 would probably be good enough, provided there is a salt. It is easy to generate two strings with the same MD5 sum, but, as far as I know, there is still no easy way to generate a string with a given MD5 sum.
You get what you pay for I guess.
...for a setup like LinkedIn, totally web-based, and operating in the 21st Century. Why do they always fix things AFTER the horse has bolted? The Company I work for has a dedicated Security Team constantly looking for weaknesses, vulnerabilities, loopholes and the like, and the company in question does not even use the web as its main source of business! They even engage 3rd parties to attempt hacks, so they don't miss anything.
Shame on you, LinkedIn, for the anguish you have caused and for the hassle of changing passwords on a number of sites as a result. I won't be trusting you again any time soon with any personal information.
Does El Reg salt & hash our passwords?
Oh, and why is it still not using HTTPS, so we are susceptible to cookie-jacking?
Best of luck with that one.
My password is not in there, and I joined LinkedIn earlier this year in February.
...joined LinkedIn earlier this year in February.
so you got a note about losing your job in January???
wtf is in Linked In apart from dismal bloated CVs
Had to laugh at their own news page, telling me about how great they are at security, and at apps as well... Screen grab: http://iam.a2w.at/wp-content/uploads/2012/06/lifail1.jpg
Unfortunately duplicate passwords have been stripped out, I was going to find the most common ones. Maybe these 6.5M are all of the passwords, but lots are duplicated.
Last.FM investigating a security issue now apparently.
At least I heard it from them first.
It's quite ironic to hear it first from a company called last.
If you go to www.linkedin.com/home it says this:
'We will not store your password or email anyone without your permission.'
Methinks they might be buffoons.
Personal information you provide will be secured in accordance with industry standards and technology. Since the internet is not a 100% secure environment, we cannot ensure or warrant the security of any information you transmit to LinkedIn. There is no guarantee that information may not be accessed, copied, disclosed, altered, or destroyed by breach of any of our physical, technical, or managerial safeguards.
Just gotta love that silver-lining trawl "It is worth noting that even those people who by some fantastic chance didn't get reamed by our lack of attention to detail will benefit from our finally getting a clue".
I paraphrase, of course.
OK, so not only do they get compromised, but then they decide to let everyone know that their password needs changing... by EMAIL!! Absolute idiots. Have they never heard of phishing?
So the people whose passwords weren't initially compromised could still fall foul of a phishing scam.
Bad, bad form, LinkedIn!
I don't have an issue with a site asking a user to change their password via email. It depends on how they do it.
If they have a link in the email that anyone can use to reset the password, umm...
But if it's just a notification, and the user has to prove they have the old credential first, not too bad.
I reserve my highest disdain for the sites that SEND your password/licence info/login credentials etc. in an unencrypted email.
Dear Linkedin Member,
You will have scene in the News that your pw is been hack by evil hackers, but we are here to help you recover with easyness.
Just e-mail your old pw and your new pw in e-mail to email@example.com and we will fix it for you with no stress immediately.
The Linkedin Support Team.
"members whose passwords have not been compromised benefit from the enhanced security we just recently put in place, which includes hashing and salting of our current password databases,"
You can't salt the passwords when you've only got the hashed ones.
Though it wouldn't surprise me if they have their own un-hashed versions of our passwords stored somewhere, just in case of this exact eventuality... :-/
Or am I completely missing something?
They could use double hashing, for example:
sha1(sha1(password) + salt)
If they did it this way, they could upgrade the old database by just taking the current hash, adding a salt, and rehashing.
That said, using a single static salt on a database the size of LinkedIn wouldn't really be sufficient for my peace of mind.
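The "wrap the existing hash" upgrade described in the two posts above (sha1(sha1(password) + salt) applied to hashes the site already holds, with a per-user salt rather than one static salt), written out as an added example that is not from the original thread or from LinkedIn; the legacy store and the user names are constructed for illustration:

```python
import hashlib
import hmac
import os

def legacy_hash(password: str) -> str:
    """Unsalted SHA-1 hex digest, the scheme the thread says LinkedIn used."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def wrap_hash(legacy_hex: str, salt: bytes) -> str:
    """sha1(sha1(password) + salt): salts an existing hash without knowing the password."""
    return hashlib.sha1(legacy_hex.encode("ascii") + salt).hexdigest()

def migrate(legacy_store: dict) -> dict:
    """Upgrade every row in one pass, giving each user a fresh random 16-byte salt.
    Two users with the same password end up with different stored hashes,
    which a single static salt would not achieve."""
    upgraded = {}
    for user, old_hex in legacy_store.items():
        salt = os.urandom(16)
        upgraded[user] = {"salt": salt.hex(), "hash": wrap_hash(old_hex, salt)}
    return upgraded

def verify(upgraded_store: dict, user: str, password: str) -> bool:
    """Login check after migration: recompute sha1(sha1(password) + salt) and
    compare in constant time. No unsalted hash is ever stored again."""
    row = upgraded_store.get(user)
    if row is None:
        return False
    candidate = wrap_hash(legacy_hash(password), bytes.fromhex(row["salt"]))
    return hmac.compare_digest(candidate, row["hash"])

if __name__ == "__main__":
    # Constructed legacy table using passwords the thread says were in the dump.
    legacy = {"alice": legacy_hash("linkedin"), "bob": legacy_hash("linkedin"),
              "carol": legacy_hash("p1ssword")}
    print("same password, same legacy hash:", legacy["alice"] == legacy["bob"])
    new_store = migrate(legacy)
    print("same password, different salted hash:", new_store["alice"]["hash"] != new_store["bob"]["hash"])
    print("alice logs in:", verify(new_store, "alice", "linkedin"))
```

The wrapped scheme stops the identical-hash problem the thread's commenters describe, but SHA-1 is still fast to compute, so a slow, purpose-built password hash (bcrypt, scrypt, PBKDF2 or Argon2) is the usual end state for such a migration.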
Am I the only one who does not know what a salted password means? It's already encrypted, so what is salting?