LinkedIn Password Leak: Salt Their Hide 192
CowboyRobot writes "Following yesterday's post about Poul-Henning Kamp no longer supporting md5crypt, the author has a new column at the ACM where he details all the ways that LinkedIn failed, specifically related to how they failed to 'salt' their passwords, making them that much easier to crack. 'On a system with many users, the chances that some of them have chosen the same password are pretty good. Humans are notoriously lousy at selecting good passwords. For the evil attacker, that means all users who have the same hashed password in the database have chosen the same password, so it is probably not a very good one, and the attacker can target that with a brute force attempt.'"
Re:Faulty Logic (Score:4, Informative)
Re:Do they understand how hashes work? (Score:5, Informative)
Do they understand how hashes work?
Yes, Poul-Henning Kamp understand how hashes work. Much, much, much better than you do. But if you feel compelled to lecture the writer of MD5crypt on your wonderful insights into how hashes work, please, feel free.
Re:Time to start scrambling passwords (Score:4, Informative)
Re:Faulty Logic (Score:5, Informative)
Salting does not make brute forcing one password more work. It does make bruteforcing a list of passwords more work, however.