According to recent reports LinkedIn took something of a shortcut in their password protection (in addition to whatever allowed the breach in the first place). LinkedIn was using plain, unsalted SHA-1 hashing, which produces a hashed version of the password that can be cracked fairly quickly. Although this level of protection is still better than nothing (clear text), it is far from secure, and for a large network like LinkedIn to be using just SHA-1 is pretty embarrassing.
Now LinkedIn has added an extra level of protection called salting. This appends extra, randomly selected characters to the password before it is hashed, so that even identical passwords are stored as unique hashes. The length and complexity of the salt can be adjusted to make things even more difficult. Salting is one of those things that should be standard practice for protecting user account passwords, especially at an organization like LinkedIn (or any publicly accessible service).
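To make the difference concrete, here is an added example (not code from the original article or from LinkedIn) that stores the same password for two constructed users, first as a bare SHA-1 digest and then salted. It goes one step beyond the plain salt-plus-hash described above by iterating the hash with PBKDF2, which is the usual way salted password hashing is done in practice; the user names, password and iteration count are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample: two different users who happened to pick the same password.
USERS = {"alice": "correct horse battery staple", "bob": "correct horse battery staple"}


def unsalted_sha1(password: str) -> str:
    """The weak scheme: one plain SHA-1 digest per password, no salt.
    Identical passwords give identical digests, so cracking one hash
    (or consulting a precomputed table) exposes every account sharing it."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """Salted scheme: a random 16-byte salt per password, combined with the
    password by PBKDF2-HMAC-SHA256 (iterated hashing, an assumption beyond the
    article's plain salt-plus-hash). Returns 'iterations$salt_hex$hash_hex' so
    the salt is stored with the record; it need not be secret, only unique."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    iterations, salt_hex, _ = stored.split("$")
    candidate = hash_password(password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, stored)


def demo() -> dict:
    """Return the observations the article makes: unsalted digests collide,
    salted ones do not, and verification still works for the right password."""
    weak = {u: unsalted_sha1(p) for u, p in USERS.items()}
    strong = {u: hash_password(p) for u, p in USERS.items()}
    return {
        "unsalted_identical": weak["alice"] == weak["bob"],
        "salted_identical": strong["alice"] == strong["bob"],
        "alice_verifies": verify_password(USERS["alice"], strong["alice"]),
        "wrong_rejected": verify_password("wrong password", strong["alice"]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```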
The LinkedIn breach shows one of the dangers of cloud services. The users of these services rely on the companies running them to protect their personal information. Salting and hashing passwords is not a complicated, expensive or difficult thing to implement. The fact that a company as big as LinkedIn was not doing this makes us wonder what other online services are using the least amount of protection possible for user information.
As of this writing LinkedIn has only acknowledged that “some” of their member passwords have been compromised. They have not disclosed the nature of the breach or whether there is still a danger of further intrusion. LinkedIn has now implemented salting of user passwords, but was that the only item left in such a poorly secured state? We know that Last.fm has issued a warning for users to change their passwords, and eHarmony might also have had its passwords stolen. This issue is clearly much larger than a breach of a single service.