
Massive fail
Complete and utter Database 101 fail
LinkedIn has confirmed that the list of 6.5 million user passwords leaked yesterday is genuine. The social network for suits said it was still investigating the situation, but it said the SHA-1-hashed password list posted on a Russian Dropbox-alike site contained real user data. LinkedIn has chucked compromised users' …
Although I have built a few small web-facing systems, these have pretty much all used standard CMS tools.
I have written one web app from scratch and that only ever had me and one other person access it. From day one that app stored salted hashes of passwords.
Either I am over-qualified, or someone needs to spend some time experiencing the BOFH cattle-prod!
Don't worry, at least websites (in the UK anyway) have to ask permission to use cookies these days. Who needs to worry about passwords and whether the hashes are salted or not? Our privacy has been protected by our tech-expert overlords.
Methinks there needs to be some new rules regarding this sort of thing, something like a company with X Million users, or one that stores personal info, must demonstrate they're doing things right or get shut down.
Waiting for a class action against LinkedIn in 3...2...1... because even if the LinkedIn passwords get changed the users probably repeat the same pw on multiple sites. Yes, yes, technically that's pretty stupid, but it wouldn't be an issue if LinkedIn's developers weren't a bunch of thicko code monkeys.
LinkedIn's the one at fault and a nice fat public bitchslap may get others to wise up. Then again I thought the same when Sony got done over...
Why are people trying to confuse two issues - cookies and passwords? Your statement is false - permission is not required for essential cookies, i.e. where state must be persisted.
While I think some kind of legal action is necessary to determine whether not observing certain procedures can be counted as negligent, I'm petrified that some judge or committee gets to come up with definitive procedures in much the same way that financial regulation tries to prevent the last crisis. However, there will be considerable inertia to overcome before any such suit can be launched as any judgement would set a precedent for every website out there inviting serial copycat suits.
Passwords are flawed. Support for secure two-factor authentication must become universal but the governments are dead against it as they will argue that only they or naughty terrorists need to keep anything truly secret. Viz. the case brought against someone who refused to give the Truecrypt password for their disk drive.
Good lord lighten up. I was just trying to be funny in comparing two areas of current tech affairs and saying how they are being handled is grossly disproportionate to the dangers involved with them.
Obviously my 'wit' was a bit wide of the mark for some.
My point was that there's been all this fuss and legislation over cookies, which except in a few circumstances (advertising most obviously) really don't impact user privacy, yet something like a company storing millions of passwords in a stupid way is apparently perfectly permissible no matter how many times we see this sort of thing happen.
BTW take a look at the average site and see how many cookies really are essential - usually it's zero and therefore in theory the site should ask permission or at least wait for an implied consent action.
Not me. It was actually a secure password randomly generated by a tool and unconnected to any other sites. Mostly because I was trying to use the site to do job searches so it needed to contain real data, and real data I protect much more aggressively than my run of the mill commenting passwords.
True - but when I checked my password that I've never changed until this morning, it wasn't on the list (according to the instructions here: http://news.ycombinator.com/item?id=4073309). Therefore, there are users whose password does not appear encoded in the leaked file.
"Salting is entirely a back end operation and has nothing to do with you changing your password"
Ummm no. If they have your password stored as a hash then they can't salt it - they have no idea what it is. To salt it you need to add salt to the passphrase, hash it, then pre/append the salt to the hash (so they can use the right one for comparisons in the future).
Unless and until you change your pass it cannot be salted.
I just don't understand the logic of these said social media companies. Yes, they may not have much to lose except your own data; however, it's ridiculous they should make reactionary changes. If it took days/weeks to implement the salt to hashed passwords (assuming they knew about the attack and sat waiting for the passwords to be released), who sat on this technical change?
Paris would like to know. Post-haste.
Not salting (and peppering) passwords is completely and utterly unforgivable for any login system but particularly so for a high-traffic website with so many registered users.
Hashed with SHA-1? SHA-256 should be a minimum these days.
And how on earth has someone been able to dump such a large amount of data from their databases?
Surely LinkedIn has enough dosh to buy someone who knows about this stuff?
Rather than wasting everyone's time with the cookie warning laws maybe it would be a good idea to force website operators to state their password security procedures on the signin/registration pages.
...for a setup like LinkedIn, totally web-based, and operating in the 21st Century. Why do they always fix things AFTER the horse has bolted? The Company I work for has a dedicated Security Team constantly looking for weaknesses, vulnerabilities, loopholes and the like, and the company in question does not even use the web as its main source of business! They even engage 3rd parties to attempt hacks, so they don't miss anything.
Shame on you, LinkedIn, for the anguish you have caused and for the hassle of changing passwords on a number of sites as a result. I won't be trusting you again any time soon with any personal information.
Also:
6. Security
Personal information you provide will be secured in accordance with industry standards and technology. Since the internet is not a 100% secure environment, we cannot ensure or warrant the security of any information you transmit to LinkedIn. There is no guarantee that information may not be accessed, copied, disclosed, altered, or destroyed by breach of any of our physical, technical, or managerial safeguards.
OK so not only do they get compromised but then they decide to let everyone know that their password needs changing....by EMAIL!! Absolute idiots. Have they never heard of phishing?
So for the people whose passwords weren't initially compromised, they could still fall foul of a phishing scam.
Bad bad form LinkedIn!
/SecBoyUK
I don't have an issue with a site asking a user to change their password via email. It depends on how they do it.
If they have a link in the email that anyone can use to reset the password, umm...
But if it's just a notification, and the user has to prove they have the old credential first, not too bad.
I reserve my highest disdain for the sites that SEND your password/license info/login credentials etc in an unencrypted email..
Dear Linkedin Member,
You will have scene in the News that your pw is been hack by evil hackers, but we are here to help you recover with easyness.
Just e-mail your old pw and your new pw in e-mail to linkedinpwchange@lagos419.ng and we will fix it for you with no stress immediately.
Sincerely,
The Linkedin Support Team.
linkedinpwchange@lagos419.ng
"members whose passwords have not been compromised benefit from the enhanced security we just recently put in place, which includes hashing and salting of our current password databases,"
You can't salt the passwords when you've only got the hashed ones.
Though it wouldn't surprise me if they have got their own un-hashed versions of our passwords stored somewhere, just in case of this exact eventuality... :-/
Or am I completely missing something?
They could use double hashing, for example:
sha1 ( sha1(Password) + salt )
If they did it this way, they could upgrade the old database by just taking the current hash, adding a salt, and rehashing.
That said, using a single static salt on a database the size of LinkedIn wouldn't really be sufficient for my peace of mind.
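The two comments above disagree about whether a stored hash can be salted after the fact: the earlier one says the plaintext is needed, the later one points out that the old hash can simply be wrapped as sha1(sha1(password) + salt). The following is an added example, not LinkedIn's code or anything from the article, showing that wrap-and-rehash migration in Python with a per-user random salt rather than the single static salt the last comment worries about. The legacy table, usernames and passwords are constructed sample data; SHA-1 is kept only because it is the algorithm the thread discusses (a real deployment would use a deliberately slow password hash such as bcrypt or scrypt).

```python
import hashlib
import hmac
import os


def legacy_hash(password: str) -> str:
    """Unsalted SHA-1 hex digest: the storage scheme the thread attributes to the leak."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Constructed legacy table (username -> unsalted SHA-1 hex). Note bob and carol
# share a password, so their legacy hashes are identical and the duplication is
# visible to anyone holding the dump.
LEGACY_DB = {
    "alice": legacy_hash("correct horse battery staple"),
    "bob": legacy_hash("hunter2"),
    "carol": legacy_hash("hunter2"),
}


def wrap_legacy_hash(legacy_hex: str, salt: bytes) -> str:
    """Layer a salt over an existing unsalted hash: sha1(sha1(password) + salt).

    Only the old digest and the salt are needed, so no plaintext is required.
    """
    inner = bytes.fromhex(legacy_hex)
    return hashlib.sha1(inner + salt).hexdigest()


def migrate(legacy_db: dict) -> dict:
    """Rewrite every record with a fresh 16-byte random salt, offline, in one pass."""
    migrated = {}
    for user, legacy_hex in legacy_db.items():
        salt = os.urandom(16)  # per-user salt, never shared across records
        migrated[user] = {"salt": salt, "hash": wrap_legacy_hash(legacy_hex, salt)}
    return migrated


def verify(db: dict, user: str, password: str) -> bool:
    """Login check against a migrated record: recompute the wrapped hash and
    compare in constant time so the comparison itself leaks nothing."""
    rec = db.get(user)
    if rec is None:
        return False
    candidate = wrap_legacy_hash(legacy_hash(password), rec["salt"])
    return hmac.compare_digest(candidate, rec["hash"])


def duplicate_passwords_visible(db: dict) -> bool:
    """True if any two stored hashes are equal, i.e. a dump reveals shared passwords."""
    hashes = [rec["hash"] if isinstance(rec, dict) else rec for rec in db.values()]
    return len(hashes) != len(set(hashes))


# Migration runs once over the whole table; existing users keep logging in
# with their unchanged password because verify() recomputes the same wrapping.
NEW_DB = migrate(LEGACY_DB)

if __name__ == "__main__":
    print("legacy dump exposes shared passwords:", duplicate_passwords_visible(LEGACY_DB))
    print("migrated dump exposes shared passwords:", duplicate_passwords_visible(NEW_DB))
    print("alice logs in:", verify(NEW_DB, "alice", "correct horse battery staple"))
    print("alice with wrong password:", verify(NEW_DB, "alice", "hunter2"))
```

The point of the per-user salt is visible in the two `duplicate_passwords_visible` calls: before migration bob and carol have identical digests, after it they do not, and an attacker holding the migrated table has to attack each record separately instead of cracking one digest and matching it against millions.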