Forgot your password?
typodupeerror
Security IT

LinkedIn Password Leak: Salt Their Hide 192

Posted by Soulskill
from the i-see-what-you-did-there dept.
CowboyRobot writes "Following yesterday's post about Poul-Henning Kamp no longer supporting md5crypt, the author has a new column at the ACM where he details all the ways that LinkedIn failed, specifically related to how they failed to 'salt' their passwords, making them that much easier to crack. 'On a system with many users, the chances that some of them have chosen the same password are pretty good. Humans are notoriously lousy at selecting good passwords. For the evil attacker, that means all users who have the same hashed password in the database have chosen the same password, so it is probably not a very good one, and the attacker can target that with a brute force attempt.'"
This discussion has been archived. No new comments can be posted.

LinkedIn Password Leak: Salt Their Hide

Comments Filter:
  • Standard practice? (Score:5, Insightful)

    by Anonymous Coward on Friday June 08, 2012 @01:04PM (#40259361)
    Isnt salting and hashing a standard practice for passwords even for low security stuff?
    With something as high profile as Linkedin, how did it get missed?
    Arent there audits,etc to check for this type of stuff?
    Isnt it similar to releasing a range of cars, all of which have the same key (or something similar. Analogies are my weak point, as is the English language)
    • Re: (Score:3, Insightful)

      by Nittle (1356899)
      I think everyone fails to keep this in perspective.
      This is LinkedIn, not your bank, not the government, nothing important.
      If you use the same password on some bunk website as important things, then you deserve what you had, but if, for some reason, I used the same password for slashdot as LinkedIn, and someone hacks my slashdot, whatever. The thing to really worry about is what these companies do with all of our personal information.
      • Re: (Score:3, Insightful)

        by Anonymous Coward
        For those with paid Linkedin accounts, linkedin is like any paid service and must be secured appropriately
        Even for others, its an important career development resource
      • by HapSlappy_2222 (1089149) on Friday June 08, 2012 @01:31PM (#40259797)
        Not taking a jab at you personally, but I've never understood the "you deserve what you got, silly victim!" mentality. No victims *deserve* to be victimized. Sure, they could have taken better steps to protect themselves, but I can just as easily say "you deserve that cancer you got" for not getting regular boob or prostate squashings. It's technically true that many people are vulnerable because they don't know how important it is to protect themselves, but directly blaming them for it is counter-productive.

        Education of users is a very, very good goal, especially when so many users don't fully understand the risks out there, but the first step in educating them is having empathy for their plight. Sure, victims learn the most valuable of lessons, but it would far better to have them learn to protect themselves *before* the damage is done.
        • by TubeSteak (669689)

          It's technically true that many people are vulnerable because they don't know how important it is to protect themselves, but directly blaming them for it is counter-productive.

          Your whole argument fails because LinkedIn isn't "many people".
          LinkedIn is a multi-million user networking site for professionals.

          Education of users is a very, very good goal, especially when so many users don't fully understand the risks out there, but the first step in educating them is having empathy for their plight.

          LinkedIn has a goddamn team of coders and server monkeys.
          Salting your hashes is really really basic stuff. It's at the level of "look both ways before crossing the street."
          If you don't look both ways before crossing the street, it's your own damn fault for stepping in front of a car.
          And yes, I'm comparing malicious hackers to cars. They will run you over if you give them a chance

          • Your whole argument fails because LinkedIn isn't "many people". LinkedIn is a multi-million user networking site for professionals.

            Uhm.... I think you may be mis-informed. LinkedIn is simply Facebook for your career. No more and no less. Whether you're linked to highly professional expert and/or leadership types or somebody that flips burgers all day, it's all in the groups and contacts you make.

            Because of this, you can be pretty sure not everybody with a LinkedIn account knows proper password selection techniques, or that their chosen professions require this knowledge anyway. Many of my contacts are technical contacts, but man

        • by mopower70 (250015)

          Not taking a jab at you personally, but I've never understood the "you deserve what you got, silly victim!" mentality. No victims *deserve* to be victimized. Sure, they could have taken better steps to protect themselves, but I can just as easily say "you deserve that cancer you got" for not getting regular boob or prostate squashings. It's technically true that many people are vulnerable because they don't know how important it is to protect themselves, but directly blaming them for it is counter-productive.

          Would you feel better if I said you "earned" being victimized? You smoke two cartons of Camels a week in this day and age, and you don't just deserve cancer, you earned it. You evidently put a lot of effort into pretending that the fact that your cancer was all but inevitable somehow didn't apply to you. Enjoy your winnings!

          • by anethema (99553)
            It is like winning the lottery! But the odds are better. And instead of money you get, you know, cancer. Woo!
      • This is LinkedIn, not your bank, not the government, nothing important.

        Many (most?) people use the same id/password combination on multiple accounts. If I know everyone's id/password for Linkedin, then for maybe half those people I can now login to their bank.

        People are stupid. Expecting them to be non-stupid is unrealistic. So good security has to accommodate stupidity. That is why even throw-away sites need to have good security.
         

        • by Algae_94 (2017070)
          People need to stop password reuse. Usually the first argument against that is inability to remember a different password for every site. My solution to that is a variation on password reuse. Use the same base password and come up with your own "salt" algorithm that combines your base password with the sites name (not simply adding the site name to the end of your password, but even that would work) to come up with the unique site password.
          • by b4dc0d3r (1268512)

            They need to stop password reuse, but they won't. Users do not get paid for choosing passwords, but coders do get paid for writing code. If coders do their job poorly, blame lies with the coders. Expect stupidity, allow for genius.

            I'm paranoid enough that I make up fake answers for security questions, and password hints are intentionally misleading, while still enough for me to figure out what it means. I also do not re-use passwords.

            But I am not normal. That is why, when I have to write some sort of a

      • This is LinkedIn, not your bank, not the government, nothing important.

        Except my bank has security questions that ask would-be infiltrators for personal information about me--the sort of personal information that can be found on LinkedIn, or that contacts on LinkedIn are likely to know.

        • by rthille (8526)

          My security question answers are randomly generated, twelve char alpha-numerics, just like my passwords (like, but different), unique for every site. It can be a PITA, but given the lousy security on sites I use, keeping them separate as much as possible just seems like a good idea.

      • by blueg3 (192743)

        I think everyone fails to keep this in perspective.
        This is LinkedIn, not your bank, not the government, nothing important.

        That argument might hold water if salting user passwords was difficult, expensive, or not commonly-known best practice. (All of which really translate to "expensive" -- either in developer time or server resources.) Then you'd have a justification -- a low-security site is expending less effort on security. But it's not. It's simple, it's cheap, and anyone who is allowed to make a password database should already know that it needs to be done.

    • by MobyDisk (75490) on Friday June 08, 2012 @01:34PM (#40259851) Homepage

      Isnt salting and hashing a standard practice for passwords even for low security stuff?

      It is.

      I have worked for 4 companies where I was involved with a database that contained user passwords. Before I arrived, none of those companies used salts, and only one even hashed the passwords. When I explained it to my fellow programmers, it was the first time they had ever heard of the concept.

      Security and best practices are an academic concepts that are not taught in school. Most people don't really care about security until it affects them. Slashdot is an unusual cross-section of people who tend to be security-minded so what appears to be common knowledge here is not representative of the software industry.

      • by Bogtha (906264)

        Security and best practices are an academic concepts that are not taught in school.

        Best practices aren't academic concepts, they are industry concepts. It's true that there are a lot of cowboys in any industry that don't follow best practices, but that doesn't mean they are "academic".

        • by Rich0 (548339)

          I wouldn't say that password-hashing is a best practice in my industry. Note, that my industry has nothing to do with making computer software, though it makes a lot of computer software in the process, and buys quite a bit from other companies who have incentive to deliver the features customers are looking for, and not the ones they should be looking for.

          If I had to guess I'd imagine that the majority of systems at my company that store passwords do not hash them. At best they encrypt them, which is vir

      • by Necroman (61604)

        The 2 companies I've worked at were both very security focused. Though, one was big expensive SAN systems (they had been encrypting network traffic since at least 1998 for the device management), and the other company does network security (IPS/IDS) and they are extremely paranoid with how data is stored and transmitted around.

        I guess it's a matter of the type of company you work at and the background/enthusiasm of the people you work with.

        • by MobyDisk (75490)

          To further one of my anecdotes: One of the companies in my list was very paranoid. They used big expensive SAN systems and had been encrypting network traffic forever. They even escrowed customer data they thought they should not hold themselves. Yet they still didn't salt passwords.

          I can only conclude that hashing and salting is less well known than encrypting.

      • by Kyrene (624175) *
        I was a contractor at a place where they had an application where there was NO hashing, no encryption, just bare text in the database. When I brought it up to their architect, he informed me that his "philosophy" was that if they were going to hack the database, wouldn't they go after other data than passwords? He refused to believe such a thing would have any validity. It was a very classic case of the stubbornly and willfully ignorant. Glad I'm not there anymore.
      • by thoth (7907)

        Security and best practices are an academic concepts that are not taught in school. Most people don't really care about security until it affects them.

        And in turn, corporations don't care about security until is costs them money. Look at Microsoft, they didn't give a flip about security until sometime after Windows XP when that OS was getting owned left and right by malware. Which started to cost them, albeit indirectly.

        How exactly will this cost LinkedIn? If it is being ridiculed in the press, they'll just ride it out and not care. If people leave in droves and their service becomes less valuable, or advertisers/customers jump ship, then they'll give a c

      • by element-o.p. (939033) on Friday June 08, 2012 @02:53PM (#40260919) Homepage

        Security and best practices are an academic concepts that are not taught in school...Slashdot is an unusual cross-section of people who tend to be security-minded so what appears to be common knowledge here is not representative of the software industry.

        ^^THIS!!!^^

        I took a senior-level computer security class while working on my C.S. degree in college, and it was largely a waste of time. We spent half the semester working our way through various historical encryption algorithms trying to get *to* asymmetrical encryption (you know, Caesar's belt, various ROT-x ciphers, etc. -- i.e., stuff that should have been covered in the first week, maybe). We spent most of the rest of the semester dissecting DSA and RSA, and maybe two weeks talking about covert channels. We spent next to no time talking about one-way hashes, and salts were a completely foreign concept to me when I discovered them two or three years later when I started using Linux. As far as best practices for real-world computer security? I don't think that was ever even a FOOTNOTE in any of my C.S. courses.

        Maybe I just went to a crappy school, but IMHO, my college education was woefully inadequate for the real world. Pretty much everything I use on a day-to-day basis was learned on my own, outside of college.

      • by durdur (252098)

        Half the trouble I had as a security developer was trying to educate/convince other developers that making an effort in this area was necessary. Some of them weren't familiar with the basic concepts, but even they were, it's hard to drive home the idea of defense in depth. There is a tendency to think that if the information is inside your database, or behind your firewall, or protected by other means, then it's not worth spending a lot more effort in additional protection. But of course, you are one exploi

    • by steelfood (895457)

      No. Hashing is, but salting is not.

      Most people barely understand that passwords need to be hashed, and how to use the hash value. These people certainly don't understand why. If they did, they'd know that salting is important.

      There are still plenty of places where passwords are stored in plain text. Sometimes, it's appropriate. Sometimes, it's not. But knowing when is appropriate for what situation is the key, and that's what most people (in general, not just developers and authentication) lack.

    • Isnt salting and hashing a standard practice for passwords even for low security stuff?
      With something as high profile as Linkedin, how did it get missed?
      Arent there audits,etc to check for this type of stuff?
      Isnt it similar to releasing a range of cars, all of which have the same key (or something similar. Analogies are my weak point, as is the English language)

      Just because something is standard practice means it is followed. It seems to me like security practices are the first to be thrown out because "well none of the users will notice it anyhow." Best security is to assume you are going to get hacked or suffer data theft and design the system such that nothing critical can be gleaned from looking at a simple dump of the database. The fact that they got caught on something so horrifically basic is inexcusable.

      The CTO should probably be updating his resume. Oh so

  • by Galestar (1473827) on Friday June 08, 2012 @01:07PM (#40259435)
    I'll say it again: OpenID.
    • or BrowserID (Score:5, Interesting)

      by gQuigs (913879) on Friday June 08, 2012 @01:13PM (#40259539) Homepage

      https://www.browserid.org/ [browserid.org]

      It's the closest I've seen to SSH Keys. That's all I want, SSH Keys for web auth.

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      Not gonna happen. All big sites want to be OpenID *provider*, but none of them will accept OpenID Logins.

      • by gbjbaanb (229885)

        Not gonna happen. All big sites want to be OpenID *provider*, but none of them will accept OpenID Logins.

        true, but with more and more reputation-busting exploits like this, you'd think they'd be happy to pass the password-storage problem to someone else. No more "we were hacked and lost all our passwords" news.

        Maybe the issue is that they just don't trust the providers to be secure themselves, though if that's the case, it's still better for the site (but not the user).

      • by Galestar (1473827)
        Yes, because so many people are going to jump at the opportunity to use LinkedIn as their provider for their own closed federated login protocol now that theyve been hacked.
    • Correct Horse Battery Staple

    • I'll one-up you on that -- client-side browser certificates have been possible since the first days of SSL on the Internet.

      Why aren't we using them to authenticate users and completely secure a link?

  • by cpu6502 (1960974) on Friday June 08, 2012 @01:09PM (#40259465)

    I think I will start visiting websites I no longer use, and deactivate my accounts. If that doesn't work, I'll fill the "user profile" with a bunch of nonsense & scramble the password. It worries me that over the last ~20 years I've visited a bunch of places and left behind details about myself. I never used linked-in but I imagine if I did, I'd be in potential trouble now (leaked info).

    • by sideslash (1865434) on Friday June 08, 2012 @01:21PM (#40259655)
      If you've used the same password at multiple sites, you've already exposed yourself to cross-site mischief if one was compromised. LinkedIn looks bad right now, but you know there are a lot of sites that store passwords in plaintext.
      • ...and you don't even hear about when those little sites get breached, if they're even aware of the fact at all.

        • by 1s44c (552956)

          ...and you don't even hear about when those little sites get breached, if they're even aware of the fact at all.

          And I'll bet some of the big ones.

    • I just hope my "leaked" LinkedIn info gets passed on to a potential overseas employer!! This new "automatic international networking" feature they implemented is going to be GREAT!
    • by MobyDisk (75490)

      I find that very few sites have a deactivate option. I think your backup plan will be the most common approach.

    • If you were to delete your account... it'd probably stay in their database. Got to have something for the advertising statistics table to refer to.
  • Daft Question (Score:5, Insightful)

    by rufty_tufty (888596) on Friday June 08, 2012 @01:13PM (#40259541) Homepage

    This may well be a very daft question but:
    It appears that the default is to use a simple solution when people are first developing their websites.
    Isn't this what libraries are for? Why isn't the default secure method in development environments/website template/distros etc to use a much more secure method?
    Why is there no standard library that I just say (for example) store_user_password($user_name); and it takes care of it?
    If there is such a thing why isn't it more universally used and why blame the website implementers for what is a dev environment/toolkit/whatever problem?
    If the technology the article talks about has been known since the 80s why isn't it the standard in all the modern environments? And whatever the answer I'm not sure the blame rests in the users of however they develop this(unless they are writing their website in C based CGI...).

    • There ARE libraries like that. From the article:

      As I said, md5crypt [a hashing function based on MD5] is pretty much the "default" password scrambler for a lot of people, but even though it fulfilled all relevant criteria back in 1995, I no longer consider it safe enough (see: http://phk.freebsd.dk/sagas/md5crypt_eol.html [freebsd.dk]).

      But what was secure back in 1995, when computers had processors like Pentiums or Pentium Pros [wikipedia.org] operating at around 200 MHz, is not secure in 2012, when computer processors in the Sandy Bri [wikipedia.org]

    • There are a lot of libraries. Some of them are simple, and some aren't. Most developers probably don't know which library would be easiest to drop in. So, it's easiest for them to just use the md5() function or something like that. Especially because library developers usually have no sense of when their library is simple or when it's complex.

      I can't tell you how many times I've just implemented something for which a library already existed. And it probably took longer than using the library would have, but

      • This still sounds like a weak argument. Heck, even PHP has single-call [php.net] salted hashing with Blowfish these days. The problem is poor education - developers don't even know what hashing and salting is, or why it's important for passwords, so they don't even bother to look up how to do it right.

        • by Sir_Sri (199544)

          Or they did that in 2002, to launch a website in 2003, and have no idea how to transition a hashed password database from one system to another, which is a more difficult problem.

          The thing is: we still don't know where this hack is from. 6.5 million of 160 million is a very small set of the data. Are *all* linkedin passwords SHA1 with no salting? If so changing your password doesn't do a whole lot of good, and that's a huge disaster for the whole outfit. Is one of their services (say LinkedIn syria) usi

          • Or they did that in 2002, to launch a website in 2003, and have no idea how to transition a hashed password database from one system to another, which is a more difficult problem.

            If you design things properly [wikipedia.org], not hard at all [kernel.org].

            Basically, all hashes in the database should be stored in the format of:

            $id$salt$encrypted

            "id" is a code that tells you which hash was used. You can use the standard "crypt" identifiers, or make up your own if those aren't good enough.

            "salt" is the unique salt for each user
  • Resume (Score:5, Funny)

    by tanujt (1909206) on Friday June 08, 2012 @01:14PM (#40259553)
    So if I crack other people's passwords on Linkedin, can I put that up as a skill in my resume on Linkedin?
  • by sir-gold (949031) on Friday June 08, 2012 @01:19PM (#40259633)

    This LinkedIn hack could lead to even more high-profile hacks, due to the unique user base that LinkedIn has

    On most sites (like Facebook) most of the stupid passwords will belong to stupid 13 year old kids with nothing of value to hackers, but on a site like LinkedIn you are more likely to get the password for some computer illiterate corporate executive. In many cases this is the same simplistic password he uses at work, where he insisted he be given admin-level access on all of their servers "because hes an executive"

    Computer security is always about the weakest link in the chain, and when one of those "links" partied his way though business college and never thinks twice about password reuse, you have a pretty weak chain. LinkedIn is like an x-ray showing the hackers who the weak links are.

    • by steelfood (895457)

      On the flip side, if you don't reuse your passwords, you're never going to remember how to access all 200 sites that require it. Most people barely remember their username, nevermind their password.

      There's a bigger problem here than just password reuse. It has to do with passwords as an authentication factor in general.

      • by zzsmirkzz (974536)

        On the flip side, if you don't reuse your passwords, you're never going to remember how to access all 200 sites that require it.

        That's only if you do it without thinking about it first (i.e. use 200 random passwords). It's very easy to come up with your own system of starting with a base password then add things to the end (or beginning) that makes it unique for the particular site (i.e. using an abbreviation of the site name). You can even do this with different levels of base passwords (in case you are paranoid of a hacker specifically targeting you) one secure and one insecure. If you think that is still hard to remember, you can

        • Sounds complicated. Why not just use password reset every time you need to get in?
      • by Pope (17780)

        On the flip side, if you don't reuse your passwords, you're never going to remember how to access all 200 sites that require it. Most people barely remember their username, nevermind their password.

        That's what Keepass and 1Password are for.

      • On the flip side, if you don't reuse your passwords, you're never going to remember how to access all 200 sites that require it. Most people barely remember their username, nevermind their password.

        How many sites do you *really* need to log in to outside of your own personal machine? Memorize those and use some sort of mechanical system for remembering the rest.

        This could be as low-tech as a 3x5 index card that you keep tucked away in an envelope at home. Or a folded over scrap of paper in your walle
  • by ptrourke (529610) * on Friday June 08, 2012 @01:20PM (#40259641) Homepage
    If you're looking for hash collisions, you're not going to target a particular hash; you're going to leverage the magic of the birthday paradox and hash your way through a dictionary with passwords listed in order of decreasing probability (with "password" and "12345" listed first, then "p@ssw0rd" and "OU812", etc.) and match the resulting hash with entries in the password file. And you're going to do this once, building one rainbow table, and try it on every unsalted, SHA1 hashed password list you can get your grubby hands on, until you have a nice little dictionary of username / password pairs - and try it on whatever services you're targeting, because most people tend to reuse the same password over and over again (usually Joshua97 or MaryJune05 or some other combination of their kids' names and birthdates).
  • With all the talk these days about low-sodium diets, they just wanted to provide their users with a healthy alternative.
  • Somewhere, an astute, MBA-sporting LinkedIn user just proudly placed a salt shaker atop of their post-it note of passwords and smugly called it a day.
  • Don't use his md5crypt and think you did anything useful he says. http://phk.freebsd.dk/sagas/md5crypt_eol.html [freebsd.dk]
  • Experience: Director if IT Security for a large Social Media Product.

    Objective: A position where I can apply my experience and lessons learned in a fast paced and dynamic environment, targeting a large customer base. ::Hired:: By Facebook.

  • I suggest all premium users, who have paid for the service in some way or another, request some for of discount for a while. Any service that that effectively holds the keys to part of your public identity doesn't understand and implement basic credentials security (especially after the few high-profile cases that have hit in the few years prior to this incident) is simply not fit for purpose.
  • The file going around is simply a pile of hashes, no logins. Did the crackers get both? Or did they just get the hashes?

    Because the hashes may as well be piles of random data if you can't pair them with a login.

    I have not heard a peep about the logins themselves. Are we just assuming they were taken?

    --
    BMO

    • I have not heard a peep about the logins themselves. Are we just assuming they were taken?

      Yep - plan for the worst, hope for the best.

  • Think about it. 6 million unsalted password hashes without matching use data. If this is real password data, how big is the chance that someone would find their password in there?

    Perhaps as big as the chance that you get a Google hit when you search for your password?

    AFAIK all we have is:
    - Someone posting a list claiming it's from LinkedIn
    - Some people confirming that the hash of their LinkedIn password is on that list

    That doesn't really prove anything, right?
    - People tend to pick similar passwords
    - People

He who is content with his lot probably has a lot.

Working...