According to many reports, Russian attackers have somehow gotten their hands on 6.5 million hashed LinkedIn passwords. They have posted the hashed passwords to a Russian hacking web site, asking the hacking community to help them crack the hashes. With the increases in computing power and cracking technology, I suspect it’s only a matter of time until they have actual passwords. LinkedIn users: change your passwords immediately!
So far, no one knows exactly how these attackers were able to get their hands on LinkedIn’s password database, though LinkedIn reports they are investigating the incident. If I had to guess, I would place my bet on a SQL injection attack, as it’s a great vector for leeching this kind of data from the database backend behind a complex, insecurely coded web application.
Next, let’s talk about the state of the passwords. As I mentioned earlier, the stolen LinkedIn passwords are “hashed.” In computing and cryptography, hash functions are one-way cryptographic algorithms that map input data of any length to a fixed-length value (the hash, or digest). These one-way algorithms are designed so that, in practice, each hash matches one and only one input, but also so that the hash does not help you recreate the original data. A hash only lets you verify whether the data you have is the same data; it does not encrypt the data.
The good news is that LinkedIn stored their customers’ passwords as hashes, which makes it harder for unauthorized users to figure out the clear text passwords. The bad news is that LinkedIn used unsalted SHA-1 hashes. Without getting into all the technical details, a salt is a bit of extra random data, different for each user, that you mix into the input of the one-way function; because the same password then produces a different hash for every user, precomputed cryptographic attacks (dictionary attacks) become much harder to pull off. At the risk of sounding like a cooking show host, LinkedIn should have salted their hashes.
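As an added illustration (not code from the original post), the following Python script shows why an unsalted SHA-1 hash falls to a precomputed dictionary table while the very same table is useless against a salted hash; the wordlist and salt are constructed for the example, and the PBKDF2 functions show the slow, salted storage that should be used instead of plain SHA-1.

```python
import hashlib
import hmac
import os

# Constructed sample wordlist standing in for the dictionary an attacker
# already owns; none of these values come from the LinkedIn data set.
WORDLIST = ["password", "linkedin", "123456", "letmein", "qwerty"]


def sha1_unsalted(password: str) -> str:
    """Hash the way the post says LinkedIn did: plain SHA-1, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def build_lookup_table(words) -> dict:
    """Precompute hash -> word once; reusable against every unsalted hash."""
    return {sha1_unsalted(w): w for w in words}


def lookup_unsalted(stored_hash: str, table: dict):
    """An unsalted hash is recovered by a single dictionary lookup, or None."""
    return table.get(stored_hash)


def sha1_salted(password: str, salt: bytes) -> str:
    """Same SHA-1, but a per-user random salt is mixed into the input,
    so a table precomputed without that salt no longer matches."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def pbkdf2_store(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Preferred storage: salted and deliberately slow key derivation."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def pbkdf2_verify(password: str, salt: bytes, stored: bytes, iterations: int = 100_000) -> bool:
    """Constant-time comparison against the stored PBKDF2 value."""
    return hmac.compare_digest(pbkdf2_store(password, salt, iterations), stored)


def demo() -> dict:
    """Leak the same password both ways and try the precomputed table on each."""
    table = build_lookup_table(WORDLIST)
    salt = os.urandom(16)  # per-user salt; constructed fresh for the demo
    return {
        "unsalted_recovered": lookup_unsalted(sha1_unsalted("linkedin"), table),
        "salted_recovered": lookup_unsalted(sha1_salted("linkedin", salt), table),
    }
```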
Back to the state of LinkedIn’s passwords. The passwords posted on the Russian site are still hashed, so the bad guys don’t have your clear text password yet. However, between increased computing power, distributed computing, rainbow tables, and LinkedIn’s lack of salting, I expect motivated attackers will quickly crack many of these passwords, any day now. So don’t expect the hashes to protect you for long.
As I mentioned at the beginning of this post, if you have a LinkedIn account you should change your password immediately! Furthermore, if you use that password anywhere else (which you shouldn’t), you need to change your passwords on those accounts too. We’ve seen this sort of big password leak before (Zappos), and will surely see it again. Security professionals have always realized the importance of password security, but with so many businesses moving their assets to the cloud, password importance has become paramount! So, I’ll leave you with a few “password best practice” tips I’ve dusted off from the last big password breach. If you didn’t follow this advice back then, I truly hope you consider doing so today.
- Change your password(s) after a security breach – If a site you use ever has a security breach where attackers gain access to passwords (hashed or not), change your password immediately.
- Use strong passwords – I believe passwords should be greater than 10 characters. One easy way you can create long passwords, with enough entropy, is by using passphrases, or more specifically something I call pass-sentences. WatchGuard’s Bud Logs In video talks about these concepts in more detail (and is good for basic end users).
- Use different passphrases on different web sites – This is a crucial aspect of password security, especially when considering these types of web breaches. If you, like most people, use the same password for many different web sites, an attacker could gain access to all those accounts. If you have been using the same password everywhere, you should change it to a different password on every site. That said, many people find this advice hard to implement in practice, which brings me to the next tip…
- Leverage password vault software – Password vaults make it easier for you to manage multiple passwords securely. They are not perfect. If you use multiple machines and OSs, you may have trouble finding password management software that meets all your needs. Plus, password vaults become a single point of potential failure, as they almost literally store all the keys to your kingdom. It’s extremely important to use secure password vaults, and to protect them. That said, they offer the only practical solution to managing multiple passwords today. This article suggests a few good ones to use (I have used 1Password myself).