LinkedIn admits site hack, adds pinch of salt to passwords

LinkedIn has confirmed that the list of 6.5 million user passwords leaked yesterday is genuine. The social network for suits said it was still investigating the situation, but it said the SHA-1-hashed password list posted on a Russian Dropbox-alike site contained real user data. LinkedIn has chucked compromised users' …

COMMENTS

This topic is closed for new posts.
  1. g e

    Massive fail

    Complete and utter Database 101 fail

  2. mafoo

    wtf

    Wait, as an organisation with millions of users, LinkedIn didn't salt its password hashes? W.T.F.

    1. Detective Emil

      Re: wtf

      Aw, c'mon. Cut them some slack. We've only known about salt for 34 years: http://cm.bell-labs.com/cm/cs/who/dmr/passwd.ps

    2. GettinSadda

      Re: wtf

      Although I have built a few small web-facing systems, these have pretty much all used standard CMS tools.

      I have written one web app from scratch and that only ever had me and one other person access it. From day one that app stored salted hashes of passwords.

      Either I am over-qualified, or someone needs to spend some time experiencing the BOFH cattle-prod!

  3. Z-Eden

    Yeah, too late. Account canceled. Don't know why I ever had one in the first place

  4. Anonymous Coward

    Priorities

    Don't worry, at least websites (in the UK anyway) have to ask permission to use cookies these days. Who needs to worry about passwords and whether the hashes are salted or not? Our privacy has been protected by our tech-expert overlords.

    Methinks there needs to be some new rules regarding this sort of thing, something like a company with X Million users, or one that stores personal info, must demonstrate they're doing things right or get shut down.

    Waiting for a class action against LinkedIn in 3...2...1... because even if the LinkedIn passwords get changed the users probably repeat the same pw on multiple sites. Yes, yes, technically that's pretty stupid, but it wouldn't be an issue if LinkedIn's developers weren't a bunch of thicko code monkeys.

    LinkedIn's the one at fault and a nice fat public bitchslap may get others to wise up. Then again I thought the same when Sony got done over...

    1. Charlie Clark

      Re: Priorities

      Why are people trying to confuse two issues - cookies and passwords? Your statement is false - permission is not required for essential cookies, i.e. where state must be persisted.

      While I think some kind of legal action is necessary to determine whether not observing certain procedures can be counted as negligent, I'm petrified that some judge or committee gets to come up with definitive procedures in much the same way that financial regulation tries to prevent the last crisis. However, there will be considerable inertia to overcome before any such suit can be launched as any judgement would set a precedent for every website out there inviting serial copycat suits.

      Passwords are flawed. Support for secure two-factor authentication must become universal but the governments are dead against it as they will argue that only they or naughty terrorists need to keep anything truly secret. Viz. the case brought against someone who refused to give the Truecrypt password for their disk drive.

      1. Anonymous Coward

        Re: Priorities

        Good lord, lighten up. I was just trying to be funny in comparing two areas of current tech affairs and saying how they are being handled is grossly disproportionate to the dangers involved with them.

        Obviously my 'wit' was a bit wide of the mark for some.

        My point was that there's been all this fuss and legislation over cookies, which except in a few circumstances (advertising most obviously) really don't impact user privacy, yet something like a company storing millions of passwords in a stupid way is apparently perfectly permissible no matter how many times we see this sort of thing happen.

        BTW take a look at the average site and see how many cookies really are essential - usually it's zero and therefore in theory the site should ask permission or at least wait for an implied consent action.

    2. Tom 13

      Re: ...LinkedIn passwords get changed the users probably repeat the same pw on multiple sites.

      Not me. It was actually a secure password randomly generated by a tool and unconnected to any other sites. Mostly because I was trying to use the site to do job searches so it needed to contain real data, and real data I protect much more aggressively than my run of the mill commenting passwords.

  5. JetSetJim

    Why only 6.5M entries?

    Even if your password is not on the list published, how can you be sure that there isn't an unpublished file of the remaining 153.5M passwords?

    Have changed mine, even though it wasn't in the file published.

    1. TonyHoyle

      Re: Why only 6.5M entries?

      6.5m unique hashes. It doesn't take many of those passwords to be reused - 'password', 'p1ssword' and 'linkedin' were all in there, for example, and probably used by dozens, if not hundreds of people - before that becomes a significant percentage of their database.

      1. TonyHoyle

        Re: Why only 6.5M entries?

        Also, yes you're right. The only sane response is to assume that if the hackers have these then they have everything.

      2. JetSetJim

        Re: Why only 6.5M entries?

        True - but when I checked my password that I've never changed until this morning, it wasn't on the list (according to the instructions here: http://news.ycombinator.com/item?id=4073309). Therefore, there are users whose password does not appear encoded in the leaked file.
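The check JetSetJim refers to is possible only because the dump is unsalted SHA-1: anyone can hash a candidate password and look it up, and the very same computation is what lets an attacker run a wordlist against every leaked hash at once. The following is an added illustration, not code from the article or from LinkedIn; the "dump" is a small constructed set of hashes generated inline, and the user-to-password table exists only to show how a list of unique hashes hides how many accounts each recovered password actually unlocks (TonyHoyle's and Jamie Kitson's point further down).

```python
import hashlib
from collections import Counter
from typing import Dict, Iterable, Set


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1, the scheme described in the article.

    Because there is no salt, the same password always produces the same
    hash, so a hash can be looked up directly in a table.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Constructed sample data (not real leaked data): six accounts, heavy reuse.
CONSTRUCTED_USER_PASSWORDS: Dict[str, str] = {
    "user1": "password",
    "user2": "linkedin",
    "user3": "p1ssword",
    "user4": "linkedin",
    "user5": "password",
    "user6": "k8#Vq!2zP7-unique-and-long",
}

# A dump of unique hashes: six accounts collapse to four lines, so the file
# size says nothing about how many users share a cracked password.
LEAKED_HASHES: Set[str] = {sha1_hex(p) for p in CONSTRUCTED_USER_PASSWORDS.values()}


def is_password_leaked(password: str, leaked: Set[str]) -> bool:
    """The 'am I in the file?' check: hash the candidate and test membership."""
    return sha1_hex(password) in leaked


def crack_with_wordlist(leaked: Set[str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Dictionary attack against unsalted hashes.

    Each wordlist entry is hashed once and checked against every leaked hash;
    a salt per user would force this work to be repeated per account.
    Returns {hash: recovered_password} for every hash that was in the list.
    """
    table = {sha1_hex(word): word for word in wordlist}
    return {h: table[h] for h in leaked if h in table}


def count_affected_users(user_hashes: Dict[str, str], cracked: Dict[str, str]) -> Counter:
    """How many accounts each recovered password opens, given the per-user hashes."""
    return Counter(cracked[h] for h in user_hashes.values() if h in cracked)


if __name__ == "__main__":
    print("linkedin leaked?", is_password_leaked("linkedin", LEAKED_HASHES))
    print("unique hashes in dump:", len(LEAKED_HASHES))
    cracked = crack_with_wordlist(LEAKED_HASHES, ["123456", "password", "linkedin", "p1ssword", "qwerty"])
    user_hashes = {u: sha1_hex(p) for u, p in CONSTRUCTED_USER_PASSWORDS.items()}
    print("accounts per cracked password:", dict(count_affected_users(user_hashes, cracked)))
```

Note that a negative membership result only means the particular hash was not in the published file; as the thread goes on to say, it says nothing about what else the attacker holds.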

    2. Adam Nealis

      Re: Why only 6.5M entries?

      Maybe change it again unless you're sure the change now has added salt.

      1. Tom 13

        Re: change it again unless you're sure the change now has added salt.

        Salting is entirely a back end operation and has nothing to do with you changing your password.

        1. Ross 7

          Re: change it again unless you're sure the change now has added salt.

          "Salting is entirely a back end operation and has nothing to do with you changing your password"

          Ummm no. If they have your password stored as a hash then they can't salt it - they have no idea what it is. To salt it you need to add salt to the passphrase, hash it, then pre/append the salt to the hash (so they can use the right one for comparisons in the future).

          Unless and until you change your pass it cannot be salted.

          1. SYNTAX__ERROR

            Re: Salt a hash

            No, actually you could just add the salt to the password hash, and then hash it again. This would allow you to salt the previously-created hashes.

  6. the-it-slayer

    Why should companies sit tight and wait?

    I just don't understand the logic of these said social media companies. Yes, they may not have much to lose except your own data, however; it's ridiculous they should make reactionary changes. If it took days/weeks to implement the salt to hashed passwords (assuming they knew about the attack and sat waiting for the passwords to be released), who sat on this technical change?

    Paris would like to know. Post-haste.

  7. BristolBachelor

    Only passwords?

    So how much else was taken? I've already spotted junk email on an address only given to Linked-in.

  8. Adrian Jones

    Oh Joy.

    Now we can expect a deluge of phishing emails, pretending to be changing a linkedIn password.

    I already get enough spam to the email address that only LinkedIn has been given.

    1. Pascal Monett

      Re: Oh Joy.

      They hardly needed to have the list to try that one. I get that kind of mail regularly from PayPal, Ebay and sometimes from Linked in as well.

      Oh, and from a few banks I have never had an account in and probably never will since I don't live in North America.

  9. batfastad

    No salt or pepper?

    Not salting (and peppering) passwords is completely and utterly unforgivable for any login system but particularly so for a high-traffic website with so many registered users.

    Hashed with SHA-1? SHA-256 should be a minimum these days.

    And how on earth has someone been able to dump such a large amount of data from their databases?

    Surely LinkedIn has enough dosh to buy someone who knows about this stuff?

    Rather than wasting everyone's time with the cookie warning laws maybe it would be a good idea to force website operators to state their password security procedures on the signin/registration pages.

    1. Anonymous Coward

      Hashed with SHA-1?

      For that particular application, MD5 would probably be good enough, provided there is a salt. It is easy to generate two strings with the same MD5 sum, but, as far as I know, there is still no easy way to generate a string with a given MD5 sum.

  10. Anonymous Coward

    And they say I'm crazy for NOT using social media

    You get what you pay for I guess.

  11. David Lawrence

    Not good enough

    ...for a setup like LinkedIn, totally web-based, and operating in the 21st Century. Why do they always fix things AFTER the horse has bolted? The Company I work for has a dedicated Security Team constantly looking for weaknesses, vulnerabilities, loopholes and the like, and the company in question does not even use the web as its main source of business! They even engage 3rd parties to attempt hacks, so they don't miss anything.

    Shame on you, LinkedIn, for the anguish you have caused and for the hassle of changing passwords on a number of sites as a result. I won't be trusting you again any time soon with any personal information.

  12. This post has been deleted by its author

    1. Anonymous Coward

      Re: may we ask how El Reg does it?

      Best of luck with that one.

  13. Anonymous Coward

    Does anyone know when this hack happened?

    My password is not in there, and I joined LinkedIn earlier this year in February.

    1. Anonymous Coward

      Re: Does anyone know when this hack happened?

      ...joined LinkedIn earlier this year in February.

      so you got a note about losing your job in January???

      wtf is in Linked In apart from dismal bloated CVs

  14. Anonymous Coward

    And on their own news page

    Had to laugh at their own news page, telling me about how great they are at security, and at apps as well... Screen grab: http://iam.a2w.at/wp-content/uploads/2012/06/lifail1.jpg

  15. Jamie Kitson

    Shame

    Unfortunately duplicate passwords have been stripped out, I was going to find the most common ones. Maybe these 6.5M are all of the passwords, but lots are duplicated.

  16. Anonymous Coward

    Last.FM investigating a security issue now apparently.

    At least I heard it from them first

    1. Anonymous Coward

      http://www.last.fm/passwordsecurity

    2. LinkOfHyrule

      At least I heard it from them first

      It's quite ironic to hear it first from a company called last.

  17. Alperian

    Nonsensical

    if you go to www.linkedin.com/home it says this:

    'We will not store your password or email anyone without your permission.'

    Methinks they might be buffoons.

    1. Phil Koenig

      Re: Nonsensical

      Also:

      6. Security

      Personal information you provide will be secured in accordance with industry standards and technology. Since the internet is not a 100% secure environment, we cannot ensure or warrant the security of any information you transmit to LinkedIn. There is no guarantee that information may not be accessed, copied, disclosed, altered, or destroyed by breach of any of our physical, technical, or managerial safeguards.

  18. Steve Mann

    Bah!

    Just gotta love that silver-lining trawl "It is worth noting that even those people who by some fantastic chance didn't get reamed by our lack of attention to detail will benefit from our finally getting a clue".

    I paraphrase, of course.

  19. SecBoyUK

    Epic Fail

    OK, so not only do they get compromised but then they decide to let everyone know that their password needs changing... by EMAIL!! Absolute idiots. Have they never heard of phishing?

    So the people whose passwords weren't initially compromised could still fall foul of a phishing scam.

    Bad, bad form, LinkedIn!

    /SecBoyUK

    1. Phil Koenig

      Re: Epic Fail

      I don't have an issue with a site asking a user to change their password via email. It depends on how they do it.

      If they have a link in the email that anyone can use to reset the password, umm...

      But if it's just a notification, and the user has to prove they have the old credential first, not too bad.

      I reserve my highest disdain for the sites that SEND your password/license info/login credentials etc in an unencrypted email..

  20. Anonymous Coward

    The fix is in!

    Dear Linkedin Member,

    You will have scene in the News that your pw is been hack by evil hackers, but we are here to help you recover with easyness.

    Just e-mail your old pw and your new pw in e-mail to linkedinpwchange@lagos419.ng and we will fix it for you with no stress immediately.

    Sincerely,

    The Linkedin Support Team.

    linkedinpwchange@lagos419.ng

  21. 142

    Eh, isn't this impossible???

    "members whose passwords have not been compromised benefit from the enhanced security we just recently put in place, which includes hashing and salting of our current password databases,"

    You can't salt the passwords when you've only got the hashed ones.

    Though it wouldn't surprise me if they have got their own un-hashed versions of our passwords stored somewhere, just in case of this exact eventuality... :-/

    Or am I completely missing something?

    1. KHobbits

      Re: Eh, isn't this impossible???

      They could use double hashing, for example:

      sha1 ( sha1(Password) + salt )

      If they did it this way, they could upgrade the old database by just taking the current hash, adding a salt, and rehashing.

      That said, using a single static salt on a database the size of LinkedIn's wouldn't really be sufficient for my peace of mind.

  22. Anonymous Coward

    Salt?

    Am I the only one who does not know what a salted password means? It's already encrypted, so what is salting?
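Three threads above ask the same two questions: what salting is (this comment), and whether an existing store of unsalted hashes can be salted without the users' plaintext passwords (Ross 7, SYNTAX__ERROR, 142 and KHobbits). The code below is an added worked example, not LinkedIn's code or anything from the article. It shows the unsalted scheme, the "hash the old hash together with a salt" wrap that KHobbits sketches (with a random salt per user rather than one static salt, for the reason he gives), and the step that the wrap alone cannot do: once a user logs in and the plaintext is briefly in hand, the record is re-hashed properly. The choice of PBKDF2-HMAC-SHA256 with 200,000 iterations for that final step is my assumption of what a practitioner would pick, not something the page states; the two sample accounts are constructed.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Assumed parameters for the upgraded scheme (not from the article).
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def legacy_hash(password: str) -> str:
    """The original store: unsalted SHA-1. Two users with the same password
    get the same hash, which is why a dumped list is crackable in bulk."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def wrap_legacy_hash(legacy_hex: str, salt: Optional[bytes] = None) -> Dict[str, str]:
    """Salt an existing hash without knowing the password:
    stored = sha1(legacy_hex || salt), with a fresh random salt per user."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    wrapped = hashlib.sha1(legacy_hex.encode("ascii") + salt).hexdigest()
    return {"scheme": "wrapped-sha1", "salt": salt.hex(), "hash": wrapped}


def _kdf(password: str, salt: bytes) -> str:
    """Assumed final scheme: a slow, salted KDF rather than a single fast hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS).hex()


def new_record(password: str) -> Dict[str, str]:
    """Record for a newly set password, or for an upgraded one."""
    salt = os.urandom(SALT_BYTES)
    return {"scheme": "pbkdf2-sha256", "salt": salt.hex(), "hash": _kdf(password, salt)}


def verify(password: str, record: Dict[str, str]) -> bool:
    """Recompute under whichever scheme the record carries; constant-time compare."""
    salt = bytes.fromhex(record["salt"])
    if record["scheme"] == "wrapped-sha1":
        candidate = hashlib.sha1(legacy_hash(password).encode("ascii") + salt).hexdigest()
    elif record["scheme"] == "pbkdf2-sha256":
        candidate = _kdf(password, salt)
    else:
        return False
    return hmac.compare_digest(candidate, record["hash"])


def login(password: str, record: Dict[str, str]) -> Tuple[bool, Dict[str, str]]:
    """Verify, and if the record is still a wrapped legacy hash, upgrade it now
    that the plaintext is available. Returns (ok, record_to_store)."""
    if not verify(password, record):
        return False, record
    if record["scheme"] == "wrapped-sha1":
        return True, new_record(password)
    return True, record


def migrate_store(legacy_store: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """One-off batch pass over the old {user: sha1_hex} table."""
    return {user: wrap_legacy_hash(h) for user, h in legacy_store.items()}


if __name__ == "__main__":
    # Constructed sample accounts sharing a password.
    legacy = {"alice": legacy_hash("linkedin"), "bob": legacy_hash("linkedin")}
    print("unsalted hashes equal:", legacy["alice"] == legacy["bob"])
    store = migrate_store(legacy)
    print("wrapped hashes equal:", store["alice"]["hash"] == store["bob"]["hash"])
    ok, store["alice"] = login("linkedin", store["alice"])
    print("alice login:", ok, "scheme now:", store["alice"]["scheme"])
```

The wrap buys exactly one thing: a stolen copy of the wrapped table can no longer be attacked with a single precomputed table across all users. It does not make the underlying hash any slower to guess per user, so the record still needs to be replaced with the KDF form the next time the password is seen, which is what `login` does.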

