Great...and I just joined 2 days ago. Absolutely fantastic!
now to have a look...

 

I'm worried about using the same password for sites, as long as other sites utilize random salting it won't be so bad right?

 

Horse has already bolted. If you use the same password, a dictionary attack on these hashes will give them the password then it doesn't matter if other sites salt or use SHA-512 or whatever...

Really it's just smart security to use a salt for ANY hash algorithm or symmetric or asymmetric cryptography...

 

It's incredible that LinkedIn failed to use a salt. That makes attacks 6.5 million times faster, assuming the attacker tries dictionary entries against each of the 6.5 million hashes. The difference is even worse if the attacker already has a file of SHA-1 hashes of every entry in his dictionary.

It's equally incredible that they just used SHA-1. They should have used something slower, such as iterating SHA-1 a million times, which would have made the attack slower by another factor of a million.

It's also bad that they used the actual SHA-1 algorithm rather than a slight variant, in order to prevent attackers from using existing libraries or hardware implementations of SHA-1.

This isn't rocket science. We've known these things for decades. What this really shows is that LinkedIn never bothered to hire even one person who understands computer security to review their security plans. That mistake is MUCH worse than the other mistakes. It means they simply don't care about the security of their users. Period.

 

If you're worried just log into your account / settings using this link https://www.linkedin.com/settings/?trk=hb_acc or go to the top right hand corner and it's under your name



Then under your primary email address is password change and set a new one, heh presto fixed - move along



James

The Linked In Man

 

I just finished an it security class, and while not claiming to be an expert, it certainly made me rethink my proposed entry into the field. just because they didn't try any variations of sha-1, or salting the hashes doesn't mean they don't have security experts. our instructor told us that even though you have all of these security measures that work, doesn't mean that the ceo's will use them. so while the breach is unexcusable, don't jump to conclusions and blame the security folks.

 

Check if your password was compromised here: https://lastpass.com/linkedin/

 

Maybe I'm ignorant here, but what good is having a password if you don't have a username/email to tied to it?

 

@Guest maybe the hackers didn't release the usernames only the hashes just to show that they were indeed hacked

 

I actually have to thank Linkedin, I had been thinking about changing my passwords to something more secure, and random for each site. Now I have a password manager in place, and all the sites have secure passwords (even some sites I almost forgot before).

So thanks LinkedIn, you kicked me in the pants to finally do something about it.

 

It's a bunch of poop anyways.

Closed my account months ago.