Friday, June 8, 2012

LinkedIn's response: Weak

After LinkedIn's password hacking fiasco this week, they released a blog post describing the incident and the steps they're taking to recover from it.

It's not very impressive.

They write:
Yesterday we learned that approximately 6.5 million hashed LinkedIn passwords were posted on a hacker site. Most of the passwords on the list appear to remain hashed and hard to decode, but unfortunately a small subset of the hashed passwords was decoded and published.

This is inaccurate. They make it sound like the hashing is a sufficient security measure that continues to protect those leaked passwords, when in fact the only ones that remain "hard to decode" are the passwords that were reasonably strong to begin with (8 or more characters long, not using dictionary words or other predictable input). Sure, you can criticize users for not choosing strong passwords, but LinkedIn effectively did nothing to protect naive users from these hackers.

They assure users that only "a small subset of the hashed passwords was decoded" based on evidence in the leak, but that list of uncracked passwords is now outdated. The list was leaked by the hackers so that the rest of the hacker community could join in on the fun and get to work on the remaining undecoded passwords. These hackers are part of a community and will gather to pool their expertise and sometimes vast amounts of computing resources.
"Please help to uncrack [these] hashes," someone with the username dwdm wrote in a June 3 post that contained the 1.5 million hashes. "All passwords are UPPERCASE."
Less than two and a half hours later, someone with the username zyx4cba posted a list that included almost 1.2 million of them, or more than 76 percent of the overall list. Two minutes later, the user LorDHash independently cracked more than 1.22 million of them and reported that about 1.2 million of the passwords were unique. As of Tuesday, following the contributions of several other users, just 98,013 uncracked hashes remained. (ArsTechnica)

LinkedIn also said that "our current production database for account passwords is salted as well as hashed, which provides an additional layer of security." As we learned in my previous post, salting is a no-brainer security measure that should have been in place from day one, but it is still not sufficient on its own. They make no mention of the final, necessary piece of the puzzle: iterating the hash (often called key stretching), which is also trivial to implement yet significantly hardens the system against hackers, because every guess an attacker makes has to pay the same iteration cost as a legitimate login.

They say that they "continue to learn more as a result of our ongoing investigation"; let's hope that one of the things they've learned is to salt and iterate their password hashing.
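To make the salting-and-iteration point concrete, here is an added example of my own; it is not code from LinkedIn or from this post. It contrasts the kind of storage the post criticizes (an unsalted, single-round hash, with SHA-1 assumed as the stand-in) with a salted, iterated record (PBKDF2-HMAC-SHA256, 100,000 iterations assumed as the work factor), and includes a small audit helper showing why one precomputed table covers every user of an unsalted database but gives no reuse at all against salted records. The user passwords and wordlist are constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, List, Optional

# Assumed work factor for the stretched scheme; tune it so one verification
# takes a noticeable fraction of a second on the servers that perform logins.
ITERATIONS = 100_000


def naive_hash(password: str) -> str:
    """Unsalted, single-round hash: the storage scheme the post criticizes.
    SHA-1 is assumed here as a stand-in for whatever plain hash was in use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def make_record(password: str, salt: Optional[bytes] = None,
                iterations: int = ITERATIONS) -> str:
    """Salted, iterated record stored as 'iterations$salt_hex$derived_key_hex'.
    A fresh random 16-byte salt is drawn unless one is supplied (tests only)."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute the derived key from the stored salt and iteration count,
    then compare in constant time so timing does not leak partial matches."""
    iterations, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def precomputed_table(wordlist: Iterable[str]) -> Dict[str, str]:
    """One-time table of unsalted hashes for a wordlist. Against unsalted
    storage this single table matches every user who chose any listed word."""
    return {naive_hash(w): w for w in wordlist}


def exposure_unsalted(stored: Iterable[str], table: Dict[str, str]) -> int:
    """Audit helper: how many stored unsalted hashes a precomputed table covers."""
    return sum(1 for h in stored if h in table)


def exposure_salted(records: Iterable[str], wordlist: List[str]) -> int:
    """Same audit against salted, iterated records. No table can be reused:
    each record needs its own full iterated derivation per candidate word."""
    return sum(1 for rec in records if any(verify(w, rec) for w in wordlist))


if __name__ == "__main__":
    # Constructed sample: three users, two of whom picked the same common word.
    users = {"alice": "password", "bob": "password", "carol": "Tr0ub4dor&3"}
    words = ["password", "123456", "linkedin", "qwerty"]
    unsalted = [naive_hash(p) for p in users.values()]
    salted = [make_record(p) for p in users.values()]
    print("alice and bob share an unsalted hash:", unsalted[0] == unsalted[1])
    print("alice and bob share a salted record: ", salted[0] == salted[1])
    print("unsalted users covered by one table: ",
          exposure_unsalted(unsalted, precomputed_table(words)))
    print("salted users found only by per-record work:",
          exposure_salted(salted, words))
```

The salt removes table reuse (two users with the same password get different records, so each stored hash has to be attacked separately), and the iteration count multiplies the cost of every single guess; together they are what turns "hashed" into something that actually buys naive users time after a leak.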


Again, no pity here
The fact that LinkedIn has finally at least salted its database is no cause for praise. This is akin to someone finding their house robbed and then deciding to lock the door. No, wait, it's more like they were robbed because they'd never installed a door at all and now they finally realize they need one (though it's still not clear if they know how to lock the new door).

eHarmony has also been hacked and their password security has been revealed to have been just as amateurish and irresponsible as LinkedIn's was. Last.fm reports a similar breach.

None of these companies were helpless victims of criminal masterminds. They were simply incompetent and grossly irresponsible when it came to basic password security. At the very least their respective CTOs should step down in shame or, better yet, be fired immediately by their boards of directors.