LinkedIn password hacking = STUPID AND AVOIDABLE!

Started by Darren Dirt, June 09, 2012, 07:48:25 AM


Darren Dirt

(and e-Harmony is apparently even worse, somehow!)
Quote
...For hackers around the world, the huge trove of new leaked passwords is an opportunity to update their "rainbow tables" - vast databases that serve as a digital key for cracking encrypted passwords, called "hashes." The most-secure websites use an extra layer of password encryption, called "salting," so that two users with the same password - say, "123456" - will have different hashes. But LinkedIn didn't do that, so the same key will unlock the accounts of every user who has that password, not only on LinkedIn but on any other site that uses the same hashing algorithm. (eHarmony apparently used an even weaker algorithm, also sans salt.)

:doh: hashing without salting = might as well be stored as plaintext :sigh:




a different Slate article responds with The old, still very good way to fix your terrible passwords
Quote
Come up with a short phrase you're likely to remember. Just like in school, it helps to make your mnemonic really bizarre - the stranger the phrase, the easier it'll be to remember. For example, Kim Kardashian is the most amazing woman in all 50 states, or Mitt Romney and Barack Obama decided to make 10 waffles. Notice that my phrases use a mix of capitalized and lowercase words, and I added some numbers as well.
To make a password, just take the first letter of each word in your phrase. The sentences above would turn into KKitmawia50s and MRaBOdtm10w. Both of those passwords are extremely strong - they're long, and they're free of common English words that can be guessed by a computer.




(or even easier -- use the actual phrase as your password ... presuming the site is not stupid enough to restrict the LENGTH of the password or disallow spaces, or require you to include "at least one" of UpperCase Letter, Number, Symbol, etc...) (or maybe not so much easier, when it comes to tablets and mobile devices with onscreen keyboards click click click DAMMIT!)




easiest idea ever?

Quote from: Comments@SlateArticle
PsyberZombie
More & more sites are requiring mandatory characters i.e. "Your password must be at least 8 characters and contain at least 1 cap, 1 lower case letter, 1 special character, and 1 number"

So here's my system: first, create a 4 character base that meets these requirements, like "Xx&7". Then use the first and last 2 letters of the site at the beginning and end of that base. Your password for, say, amazon.com would be: amXx&7on .... this easy to remember and creates a unique password for each site.

Clarification: someone just asked me, how is that "easy to remember?"

Answer: you use THE SAME BASE for every password.... for google it's goXx&7le ; for slate it's slXx&7te , etc ....


Yer Welcome .....
_____________________

Strive for progress. Not perfection.
_____________________

Mr. Analog

Yup, had a good old laugh about this in the office, which made me look at how our security is handled...

One of the things I like about where I work is we do security reviews every two weeks as part of our sprint.
By Grabthar's Hammer

Thorin

goddammit it's so easy to @%&# up security.  This is why I'll never claim to be a security expert.  However, even as a security non-expert I _know_ you salt and hash that @%&#!
Prayin' for a 20!

gcc thorin.c -pedantic -o Thorin
compile successful

Lazybones

Way back when I was still developing, I knew to at least hash, when unfortunately it was common for plain text passwords to be stored.

Near the end of my development career I had already learned that hashing was not enough and salting was supposed to be done.

That was 7-10 years ago! At least they used SHA-1 instead of MD5; however, as we know now, SHA-1 already has weaknesses, and rainbow tables are not hard to find or make for it. Even with a currently secure hash, salting is necessary.

Darren Dirt

all of the above. Plus a reminder that the BEST salting is to make the salt different for each record, i.e. make it generated randomly (truly randomly!) based in part on the source string as well as something unique to the particular system... so if someone gets "inside" the system and tries a few common strings and looks at the resulting hashed+salted string, they can't then look for that result in another record.

Heck the ideal (and easy enough to code, just add something to the source string!) is to make your salt also include something related to a time[r] as well, so that way an internal hacker would get different results with the same source string.
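As an added example (not code from the thread or from any poster), here is the difference Darren is describing in Python: bare SHA-1 as in the leaked LinkedIn table, beside a per-record random salt with a slow KDF. The sample accounts are constructed, and PBKDF2-HMAC-SHA256 from the standard library stands in for the bcrypt he links later; the salt is stored next to the hash and is random per record, so it needs no timer or other extra input.

```python
import hashlib
import hmac
import os

# Constructed sample accounts: two users happen to share the weak password "123456".
USERS = {"alice": "123456", "bob": "123456", "carol": "correct horse battery"}


def unsalted_sha1(password: str) -> str:
    """Bare SHA-1 of the password, as in the leaked LinkedIn table: no salt, so
    equal passwords give equal hashes, here and on any other unsalted SHA-1 site."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def make_record(password: str, iterations: int = 100_000) -> dict:
    """Per-record random salt plus a slow KDF. PBKDF2-HMAC-SHA256 stands in for
    bcrypt here; the salt is not secret and is stored alongside the hash."""
    salt = os.urandom(16)  # 128 bits from the OS CSPRNG, fresh for every record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"),
        bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def shared_hash_groups(hashes: dict) -> int:
    """Number of hash values reused by more than one account; each reuse means one
    rainbow-table hit (or one cracked account) unlocks all of them at once."""
    counts = {}
    for h in hashes.values():
        counts[h] = counts.get(h, 0) + 1
    return sum(1 for c in counts.values() if c > 1)


def compare_schemes(users: dict = USERS) -> tuple:
    """Return (reused hashes without salt, reused hashes with per-record salt)."""
    unsalted = {name: unsalted_sha1(pw) for name, pw in users.items()}
    salted = {name: make_record(pw)["hash"] for name, pw in users.items()}
    return shared_hash_groups(unsalted), shared_hash_groups(salted)


if __name__ == "__main__":
    print("reused hashes (unsalted SHA-1, salted PBKDF2):", compare_schemes())  # (1, 0)
```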

Darren Dirt

"If you want to find out if your password was one of the 6.5 million leaked passwords, enter it below."
http://leakedin.org

^ 'splained here: http://shiflett.org/blog/2012/jun/leakedin



found via http://java.dzone.com/articles/i%E2%80%99d-share-my-linkedin-password


...and from the above tool I found out about "Bcrypt", a Java implementation and differently-worded explanation here: http://www.mindrot.org/projects/jBCrypt/




btw in case you care, LinkedIn blog sez "nothing to fear, we were already moving towards a better system before the leak..."

http://blog.linkedin.com/2012/06/09/an-update-on-taking-steps-to-protect-our-members/
Quote
3. What is LinkedIn doing to protect its members?
We have built a world-class security team here at LinkedIn including experts such as Ganesh Krishnan, formerly vice president and chief information security officer at Yahoo!, who joined us in 2010. This team reports directly to LinkedIn's senior vice president of operations, David Henke.

Under this team's leadership, one of our major initiatives was the transition from a password database system that hashed passwords, i.e. provided one layer of encoding, to a system that both hashed and salted the passwords, i.e. provided an extra layer of protection that is a widely recognized best practice within the industry. That transition was completed prior to news of the password theft breaking on Wednesday. We continue to execute on our security roadmap, and we'll be releasing additional enhancements to better protect our members.

Thorin

Well of course they were already fixing their security!  I mean, why would they ever admit to _not_ already being active on improving their security?  Admitting that would be a huge blunder.

Pretty @%&#ty that they're advertising that a world-class former chief information officer joined them in 2010 and in 2012 they're announcing that although the leaked passwords were only hashed, they're now salting and hashing.  Yeah, sure, that work was completed before the leak was announced, but I'm guessing it wasn't completed before the leak happened.  So only two years to add a second step in password storage.  Yep, the CIO they're pimping there, he really took the bull by the horns and improved the security landscape at LinkedIn from day one.  Or, you know, not.

Tom

Odd..

Well at least it doesn't think my password was leaked.

But today someone posted some porn to my facebook feed? Did anyone see that? A relative of mine did and complained. I've since changed my password, but who knows. facebook's security is probably a joke.
<Zapata Prime> I smell Stanley... And he smells good!!!

Lazybones

Quote from: Tom on June 14, 2012, 06:45:42 PM
Odd..

Well at least it doesn't think my password was leaked.

But today someone posted some porn to my facebook feed? Did anyone see that? A relative of mine did and complained. I've since changed my password, but who knows. facebook's security is probably a joke.

Hmm did it get removed or did you see it? Was it posted by an app or did it appear to have been posted by you directly?

Tom

Quote from: Lazybones on June 14, 2012, 07:35:35 PM
Quote from: Tom on June 14, 2012, 06:45:42 PM
Odd..

Well at least it doesn't think my password was leaked.

But today someone posted some porn to my facebook feed? Did anyone see that? A relative of mine did and complained. I've since changed my password, but who knows. facebook's security is probably a joke.

Hmm did it get removed or did you see it? Was it posted by an app or did it appear to have been posted by you directly?
I have no idea. My aunt says it was from me, but she's not the most computer literate. All I know is apparently something appeared with my name attached, and that it's gone now.

Mr. Analog
That's scary...

Tom

Quote from: Mr. Analog on June 14, 2012, 10:24:03 PM
That's scary...
You ain't kidding. It isn't every day that an aunt messages you saying you posted something lewd.

Lazybones

It could be the other way around, maybe she installed a facebook app that is putting junk in her feed?


Darren Dirt

best secure password ever?
"17346721476C3278977763T732V731?171888732476789764376"
http://www.youtube.com/watch?v=rAUVUUhf7U0 (ST:TNG)


...then again, only alpha and numeric? no symbols? :shock: I guess the length is helpful though...

http://howsecureismypassword.net/
Quote
It would take a desktop PC about
666 novemvigintillion years
to crack your password
Length: 52 characters
Character Combinations: 130
Calculations Per Second: 4 billion
Possible Combinations: 84 quinquatrigintillion