Jun 06 2012
*** Dire Warning ***
If you’re in the habit of reusing passwords AT ALL, 1) stop it! 2) if you have a LinkedIn account change your password immediately on as many sites as you can remember. Then get yourself a password management program (like 1Password or LastPass) with a random password creator and learn to use it for all sites.
*** Dire Warning ***
Now that the dire warnings are out of the way, let’s look at what happened. This morning it was disclosed that 6.5 million LinkedIn password hashes were posted online. LinkedIn was not using a salted hash for storing passwords, which means that while the passwords can’t be decrypted in any way, attacking the password file with dictionary attacks and other similar methods is very effective. Additionally, the 6.5 million hashes are each unique, meaning that they represent a much larger portion of the LinkedIn passwords, possibly even the entire database. One of the best analyses of the password hashes and what they mean was done over at Hacker News and covers a lot of what the disclosed hashes mean in really geeky terms. Another great resource, thrown up by Robert Graham this morning, lets you enter a password to see whether it is amongst those stolen. If you don’t find your password in the database, try replacing the first 5-6 characters of its hash with zeros and look again.
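To make the salting point concrete, here is an added example (not code from the post or from LinkedIn): it contrasts unsalted SHA-1 storage, which is what the leaked file was reported to contain (not stated on this page, so treated here as an assumption), with a per-user salted and slowed hash, and implements the self-check the post describes against a constructed stand-in for the leaked file.

```python
import hashlib
import hmac
import os
from typing import Optional, Set


def unsalted_sha1(password: str) -> str:
    """Unsalted SHA-1, hex encoded (assumed to be the leaked file's scheme).
    The same password always maps to the same string, so one precomputed
    dictionary of hashes checks every account in the dump at once."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None, rounds: int = 100_000) -> str:
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256). Two users with
    the same password get different stored values, and every guess has to be
    recomputed per account, so a shared dictionary no longer works."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return f"{salt.hex()}${rounds}${digest.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and rounds, compare in constant time."""
    salt_hex, rounds, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(candidate.hex(), digest_hex)


def in_leaked_set(password: str, leaked: Set[str]) -> bool:
    """The self-check the post describes: look for the unsalted hash of your
    own password, then again with its first 5 or 6 hex characters replaced
    by zeros, since some entries in the published file were masked that way."""
    h = unsalted_sha1(password)
    return h in leaked or ("00000" + h[5:]) in leaked or ("000000" + h[6:]) in leaked


# Constructed stand-in for the leaked file: two weak passwords, one of them
# stored with its leading five characters zeroed.
CONSTRUCTED_LEAK = {
    unsalted_sha1("password"),
    "00000" + unsalted_sha1("linkedin")[5:],
}

if __name__ == "__main__":
    for pw in ("password", "linkedin", "correct horse battery staple"):
        print(f"{pw!r}: in constructed leak = {in_leaked_set(pw, CONSTRUCTED_LEAK)}")
    a, b = salted_hash("password"), salted_hash("password")
    print("same password, different stored values:", a != b)
    print("verify correct / wrong case:", verify_salted("password", a), verify_salted("Password", a))
```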
The other point I wanted to make was that while LinkedIn’s response (1, 2) to this compromise hasn’t been atrocious, it’s been far from a good example of how to do compromise disclosure. If you want a good example, look at the recent post mortem writeup by CloudFlare, stating in great detail how they’d been compromised so others could learn from their problems. I’m willing to give the LinkedIn team and Vicente Silveira the benefit of the doubt and assume they learned about the password file at the same time as everyone else, but their initial reaction was to say they were looking into it, even though a number of security professionals had already stated their passwords were definitely in the file. When they did admit it was their database a few hours later, they stated they had ‘enhanced’ their security to include hashing and salting of the database. I can only assume the enhanced security measures were put in place this morning, and I’d give them more credit if they’d admitted that instead of making it seem like it was something they’d already planned to do. I do have to give them kudos for reacting quickly and giving users concrete steps to take in response to the compromise, but they lose at least as many points for not being up front about what’s really happening. Of course, that may be because of the Marketing and PR departments more than anything, but I’m not willing to cut either of those departments any slack for a security incident.
Of course, this is all injury added to the assault that was disclosed yesterday, the fact that the LinkedIn mobile application collects all of your calendar notes. And since they had your calendar data and there’s a possibility your account was compromised, if you’re using the LinkedIn iPhone app, you’d better assume all of your calendar data is also compromised. I hope you didn’t have any important or sensitive information in your calendar!