TechSpot

LinkedIn password database leaked, company confirms intrusion

By Rick
Jun 6, 2012
  1. LinkedIn may have suffered a serious blow in terms of the security and safety of its users today. Hackers claim to have leaked over 6.5 million password hashes originating from...
  2. Great...and I just joined 2 days ago. Absolutely fantastic!
    now to have a look...
  3. Zeromus

    Zeromus TS Enthusiast Posts: 231   +7

    I'm worried about using the same password for sites, as long as other sites utilize random salting it won't be so bad right?
  4. Horse has already bolted. If you use the same password, a dictionary attack on these hashes will give them the password, and then it doesn't matter if other sites salt or use SHA-512 or whatever...

    Really it's just smart security to use a salt for ANY hash algorithm or symmetric or asymmetric cryptography...
  5. It's incredible that LinkedIn failed to use a salt. That makes attacks 6.5 million times faster, assuming the attacker tries dictionary entries against each of the 6.5 million hashes. The difference is even worse if the attacker already has a file of SHA-1 hashes of every entry in his dictionary.

    It's equally incredible that they just used SHA-1. They should have used something slower, such as iterating SHA-1 a million times, which would have made the attack slower by another factor of a million.

    It's also bad that they used the actual SHA-1 algorithm rather than a slight variant, in order to prevent attackers from using existing libraries or hardware implementations of SHA-1.

    This isn't rocket science. We've known these things for decades. What this really shows is that LinkedIn never bothered to hire even one person who understands computer security to review their security plans. That mistake is MUCH worse than the other mistakes. It means they simply don't care about the security of their users. Period.
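The speed-up that comments 4 and 5 describe can be made concrete. The following is an added example, not code from the original thread or from LinkedIn: it counts SHA-1 invocations an attacker needs to run a dictionary attack against (a) unsalted SHA-1 hashes, where one precomputed table serves every leaked hash, (b) per-user salted hashes, where every hash must be attacked separately, and (c) salted hashes that are also iterated, which multiplies the cost again by the round count. The password list, the attacker dictionary and the salts are constructed for the example; the iterated scheme is a simple salt-then-loop construction chosen only to show the cost multiplier, not any scheme LinkedIn or anyone else is known to use.

```python
import hashlib
import os
from typing import Dict, List, Tuple

# Constructed sample data for the example (not from the LinkedIn leak).
LEAKED_PASSWORDS = ["linkedin", "password1", "qwerty", "letmein", "Tr0ub4dor&3"]
ATTACKER_DICTIONARY = ["123456", "password1", "linkedin", "qwerty",
                       "letmein", "welcome", "monkey", "dragon"]


def hash_unsalted(password: str) -> str:
    """Plain SHA-1 of the password: what the leaked LinkedIn hashes looked like."""
    return hashlib.sha1(password.encode()).hexdigest()


def hash_salted(password: str, salt: bytes, rounds: int = 1) -> str:
    """SHA-1 over salt||password, optionally re-hashed `rounds` times.
    With rounds=1 this is a single salted SHA-1; higher values model a
    deliberately slow iterated hash (illustrative construction, not a standard KDF)."""
    digest = hashlib.sha1(salt + password.encode()).digest()
    for _ in range(rounds - 1):
        digest = hashlib.sha1(digest).digest()
    return digest.hex()


def make_leaked_records(passwords: List[str], rounds: int = 1) -> List[Tuple[bytes, str]]:
    """Simulate a salted user database: one random 16-byte salt per user."""
    records = []
    for pw in passwords:
        salt = os.urandom(16)
        records.append((salt, hash_salted(pw, salt, rounds)))
    return records


def crack_unsalted(hashes: List[str], dictionary: List[str]) -> Tuple[Dict[str, str], int]:
    """Unsalted: hash each dictionary word ONCE, then look every leaked hash up.
    Work is len(dictionary) SHA-1 calls no matter how many hashes leaked, and the
    table can be precomputed before the leak even happens."""
    table = {hash_unsalted(word): word for word in dictionary}
    work = len(dictionary)
    found = {h: table[h] for h in hashes if h in table}
    return found, work


def crack_salted(records: List[Tuple[bytes, str]], dictionary: List[str],
                 rounds: int = 1) -> Tuple[Dict[str, str], int]:
    """Salted: no shared table is possible, so every (hash, word) pair costs a
    fresh computation of `rounds` SHA-1 calls. Work is
    len(records) * len(dictionary) * rounds."""
    found: Dict[str, str] = {}
    work = 0
    for salt, target in records:
        for word in dictionary:
            work += rounds
            if hash_salted(word, salt, rounds) == target:
                found[target] = word
    return found, work


def compare(rounds: int = 1000) -> Dict[str, int]:
    """Return the SHA-1 invocation counts for the three scenarios."""
    unsalted_hashes = [hash_unsalted(pw) for pw in LEAKED_PASSWORDS]
    _, unsalted_work = crack_unsalted(unsalted_hashes, ATTACKER_DICTIONARY)

    salted_records = make_leaked_records(LEAKED_PASSWORDS)
    _, salted_work = crack_salted(salted_records, ATTACKER_DICTIONARY)

    iterated_records = make_leaked_records(LEAKED_PASSWORDS, rounds)
    _, iterated_work = crack_salted(iterated_records, ATTACKER_DICTIONARY, rounds)

    return {"unsalted": unsalted_work, "salted": salted_work,
            "salted_iterated": iterated_work}


if __name__ == "__main__":
    for scheme, cost in compare().items():
        print(f"{scheme:16s} {cost:>8d} SHA-1 calls to try the whole dictionary")
```

With 5 leaked hashes and an 8-word dictionary the unsalted attack costs 8 SHA-1 calls, the per-user-salted attack 40 (5 times more, the same multiplier as the 6.5 million in comment 5), and the salted-and-iterated attack 40,000. The four weak passwords are recovered in every scheme; salting and iteration do not save a password that is in the attacker's dictionary, they only make each guess cost more, which is why comment 4's point about password reuse still stands.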
  6. If you're worried just log into your account / settings using this link https://www.linkedin.com/settings/?trk=hb_acc or go to the top right hand corner and it's under your name :)

    Then under your primary email address is password change and set a new one, hey presto fixed - move along :)

    James

    The Linked In Man
  7. I just finished an IT security class, and while not claiming to be an expert, it certainly made me rethink my proposed entry into the field. Just because they didn't try any variations of SHA-1, or salting the hashes, doesn't mean they don't have security experts. Our instructor told us that even though you have all of these security measures that work, it doesn't mean that the CEOs will use them. So while the breach is inexcusable, don't jump to conclusions and blame the security folks.
  9. Maybe I'm ignorant here, but what good is having a password if you don't have a username/email tied to it?
  10. mario

    mario Ex-TS Developer Posts: 399   +17

    @Guest, maybe the hackers didn't release the usernames, only the hashes, just to show that they were indeed hacked.
  11. I actually have to thank Linkedin, I had been thinking about changing my passwords to something more secure, and random for each site. Now I have a password manager in place, and all the sites have secure passwords (even some sites I almost forgot before).

    So thanks LinkedIn, you kicked me in the pants to finally do something about it.
  12. It's a bunch of poop anyways.

    Closed my account months ago.
