Friday, June 8, 2012

The Real Lesson of the LinkedIn Password Hack, pt1

Technology is confusing but encryption and the mysterious world of hacking exist on a whole other level. It’s Matrix-like tech voodoo. 

Hackers are a 21st-century boogeyman. They possess incomprehensible powers, ninja-like access to any digital domain they choose. They can outsmart your cleverest developer. If a hacker wants your company’s data, you are powerless to stop it. Right?

Probably, yes (sorry, this post isn’t about reassurances). But that’s not the lesson of the LinkedIn debacle.

LinkedIn was hacked. It happens. But the encoded passwords that the hackers posted revealed something much more disconcerting: LinkedIn’s password encryption was awful. Borderline criminally negligent, in fact.
I’ll do my best to keep the techie stuff to a bare minimum here. But I want you to be able to appreciate at a visceral oh-god-that’s-awful level just how bad their security was.

And let me preface this by saying that I’m not a security expert. I’m a developer-turned-entrepreneur who had to google “encryption best practices” to figure out how to secure user passwords for my company, In all honesty, I’d call myself a security novice. But after ten minutes of surfing the web I developed a better security policy than LinkedIn did. That’s pathetic.

It turns out that password security is actually fairly straightforward. There are just a handful of best practices to follow. Unfortunately LinkedIn only followed the first one.

Password Best Practice #1: Don’t store the user’s password.
Instead of storing your password directly, any sane site will store an encoded version of your password:

91dfd9ddb4198affc5c194cd8ce6d338fde470e2 = “mypassword”

The hacker can’t just read your password, even if he gets access to the database. Yay!

However, the encoding used is completely standard. So all the hacker has to do is compile a list of common passwords (aka a “dictionary”), compute the encoding for each one, and just do a simple compare.  Here’s our hacker’s list:

5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 = “password
e38ad214943daad1d64c102faec29de4afe9da3d = “password1
82ab876d1387bfafe46cc1c8a2ef074eae50cb1d = “thepassword
91dfd9ddb4198affc5c194cd8ce6d338fde470e2 = “mypassword

Ding! Ding! Found a match! His “91dfd9ddb4198affc5c194cd8ce6d338fde470e2” gobbledygook matched your gobbledygook and so now he knows that your password is “mypassword”. What’s worse, every user that used “mypassword” has the exact same gobbledygook. So you’ve all been compromised.

This is so simple that a human can do it by hand if he really wanted to. That’s awful security. This is the level of security LinkedIn used.

Can you blame someone for not being a security super-ninja?
No. But you don’t need to be a ninja to do better than this.

Read how in part 2.