
LinkedIn Password Leak: Salt Their Hide 192

CowboyRobot writes "Following yesterday's post about Poul-Henning Kamp no longer supporting md5crypt, the author has a new column at the ACM where he details all the ways that LinkedIn failed, specifically related to how they failed to 'salt' their passwords, making them that much easier to crack. 'On a system with many users, the chances that some of them have chosen the same password are pretty good. Humans are notoriously lousy at selecting good passwords. For the evil attacker, that means all users who have the same hashed password in the database have chosen the same password, so it is probably not a very good one, and the attacker can target that with a brute force attempt.'"
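The point in the quoted column, as an added illustration that is not part of the Slashdot story or Kamp's article: with unsalted hashes, identical stored digests tell the attacker which users share a password, so one guess against a popular password is checked against everyone at once; a per-user random salt destroys that grouping. The accounts, passwords and the choice of SHA-256 / PBKDF2 below are constructed for the example.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample accounts; two users chose the same weak password.
USERS = {
    "alice": "linkedin2012",
    "bob": "correct horse",
    "carol": "linkedin2012",
    "dave": "hunter2",
}

def unsalted_hash(password: str) -> str:
    """Plain digest of the password: the scheme the column criticises."""
    return hashlib.sha256(password.encode()).hexdigest()

def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256).
    Stored as iterations$salt$digest so verification can recover both."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"

def build_unsalted_table(users):
    return {u: unsalted_hash(p) for u, p in users.items()}

def build_salted_table(users):
    return {u: salted_hash(p, os.urandom(16)) for u, p in users.items()}

def shared_hash_groups(table):
    """Audit check for a password table: usernames grouped by identical stored
    hash. In an unsalted table every group of size > 1 is a set of users who
    chose the same password; a correctly salted table yields no groups."""
    groups = defaultdict(list)
    for user, digest in table.items():
        groups[digest].append(user)
    return [sorted(g) for g in groups.values() if len(g) > 1]

def verify_salted(stored: str, password: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    iterations, salt_hex, _ = stored.split("$")
    recomputed = salted_hash(password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(stored, recomputed)

if __name__ == "__main__":
    print(shared_hash_groups(build_unsalted_table(USERS)))  # [['alice', 'carol']]
    print(shared_hash_groups(build_salted_table(USERS)))    # []
```

Running the duplicate-digest check against an exported credential table is a quick way for a defender to confirm whether a legacy system stores unsalted hashes.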
  • by Galestar ( 1473827 ) on Friday June 08, 2012 @01:07PM (#40259435) Homepage
    I'll say it again: OpenID.
  • or BrowserID (Score:5, Interesting)

    by gQuigs ( 913879 ) on Friday June 08, 2012 @01:13PM (#40259539) Homepage

    https://www.browserid.org/ [browserid.org]

    It's the closest I've seen to SSH Keys. That's all I want, SSH Keys for web auth.

  • by sir-gold ( 949031 ) on Friday June 08, 2012 @01:19PM (#40259633)

    This LinkedIn hack could lead to even more high-profile hacks, due to the unique user base that LinkedIn has

    On most sites (like Facebook) most of the stupid passwords will belong to stupid 13 year old kids with nothing of value to hackers, but on a site like LinkedIn you are more likely to get the password for some computer illiterate corporate executive. In many cases this is the same simplistic password he uses at work, where he insisted he be given admin-level access on all of their servers "because he's an executive".

    Computer security is always about the weakest link in the chain, and when one of those "links" partied his way through business college and never thinks twice about password reuse, you have a pretty weak chain. LinkedIn is like an x-ray showing the hackers who the weak links are.

  • by element-o.p. ( 939033 ) on Friday June 08, 2012 @02:53PM (#40260919) Homepage

    Security and best practices are academic concepts that are not taught in school... Slashdot is an unusual cross-section of people who tend to be security-minded, so what appears to be common knowledge here is not representative of the software industry.

    ^^THIS!!!^^

    I took a senior-level computer security class while working on my C.S. degree in college, and it was largely a waste of time. We spent half the semester working our way through various historical encryption algorithms trying to get *to* asymmetrical encryption (you know, Caesar's belt, various ROT-x ciphers, etc. -- i.e., stuff that should have been covered in the first week, maybe). We spent most of the rest of the semester dissecting DSA and RSA, and maybe two weeks talking about covert channels. We spent next to no time talking about one-way hashes, and salts were a completely foreign concept to me when I discovered them two or three years later when I started using Linux. As far as best practices for real-world computer security? I don't think that was ever even a FOOTNOTE in any of my C.S. courses.

    Maybe I just went to a crappy school, but IMHO, my college education was woefully inadequate for the real world. Pretty much everything I use on a day-to-day basis was learned on my own, outside of college.
