Technology is confusing but encryption and the mysterious world of hacking exist on a whole other level. It’s Matrix-like tech voodoo.

Hackers are a 21st-century boogeyman. They possess incomprehensible powers, ninja-like access to any digital domain they choose. They can outsmart your cleverest developer. If a hacker wants your company’s data, you are powerless to stop it. Right?

Probably, yes (sorry, this post isn’t about reassurances). But that’s not the lesson of the LinkedIn debacle.

LinkedIn was hacked. It happens. But the encoded passwords that the hackers posted revealed something much more disconcerting: LinkedIn’s password encryption was awful. Borderline criminally negligent, in fact.

And let me preface this by saying that I’m not a security expert. I’m a developer-turned-entrepreneur who had to google “encryption best practices” to figure out how to secure user passwords for my company, EssayTagger.com. In all honesty, I’d call myself a security novice. But after ten minutes of surfing the web I developed a better security policy than LinkedIn did. That’s pathetic.

It turns out that password security is actually fairly straightforward. There are just a handful of best practices to follow. Unfortunately LinkedIn only followed the first one.
Password Best Practice #1: Don’t store the user’s password.
Instead of storing your password directly, any sane site will store an encoded version of your password:

91dfd9ddb4198affc5c194cd8ce6d338fde470e2 = “mypassword”

The hacker can’t just read your password, even if he gets access to the database. Yay!

However, the encoding used is completely standard. So all the hacker has to do is compile a list of common passwords (aka a “dictionary”), compute the encoding for each one, and just do a simple compare. Here’s our hacker’s list:

5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 = “password”
e38ad214943daad1d64c102faec29de4afe9da3d = “password1”
82ab876d1387bfafe46cc1c8a2ef074eae50cb1d = “thepassword”
91dfd9ddb4198affc5c194cd8ce6d338fde470e2 = “mypassword”

Ding! Ding! Found a match! His “91dfd9ddb4198affc5c194cd8ce6d338fde470e2” gobbledygook matched your gobbledygook and so now he knows that your password is “mypassword”. What’s worse, every user that used “mypassword” has the exact same gobbledygook. So you’ve all been compromised.

This is so simple that a human can do it by hand if he really wanted to. That’s awful security. This is the level of security LinkedIn used.
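To make the point above concrete, here is a short added example (mine, not from the original post or from LinkedIn). It reproduces the “simple compare” with unsalted SHA-1 on a constructed set of three made-up users, shows that two users with the same password get the identical stored value, and then contrasts that with the fix the dictionary trick cannot reuse across users: a random per-user salt plus a slow key-derivation function. The salted half uses Python’s standard `hashlib.pbkdf2_hmac`; the user names, passwords and iteration count are assumptions for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed sample data: the four words from the post's "dictionary" and
# three made-up users, two of whom picked the same password.
DICTIONARY: List[str] = ["password", "password1", "thepassword", "mypassword"]
USERS: Dict[str, str] = {"alice": "mypassword", "bob": "mypassword", "carol": "Tr0ub4dor&3"}


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 hex digest: the scheme the post says LinkedIn used."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def precomputed_table(dictionary: List[str]) -> Dict[str, str]:
    """digest -> word. Built once, and reusable against every unsalted record."""
    return {sha1_hex(word): word for word in dictionary}


def match_unsalted(stored: Dict[str, str], table: Dict[str, str]) -> Dict[str, str]:
    """The 'simple compare' from the post: user -> password for every stored
    digest that appears in the precomputed table."""
    return {user: table[digest] for user, digest in stored.items() if digest in table}


def demo_unsalted() -> Dict[str, str]:
    """Store the sample users with unsalted SHA-1 and run the table against them."""
    stored = {user: sha1_hex(pw) for user, pw in USERS.items()}
    return match_unsalted(stored, precomputed_table(DICTIONARY))


# --- the mitigation: random per-user salt + slow KDF (assumed parameters) ---

def salted_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = 200_000) -> Tuple[bytes, bytes]:
    """Return (salt, derived_key). A fresh 16-byte salt per user means equal
    passwords no longer give equal stored values, so one precomputed table
    cannot be reused across users; the iteration count makes each guess slow."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, key


def verify_salted(password: str, salt: bytes, key: bytes, iterations: int = 200_000) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = salted_hash(password, salt, iterations)
    return hmac.compare_digest(candidate, key)


def same_password_same_record(scheme: str) -> bool:
    """Do alice and bob (who share a password) end up with identical stored values?"""
    if scheme == "unsalted":
        return sha1_hex(USERS["alice"]) == sha1_hex(USERS["bob"])
    return salted_hash(USERS["alice"]) == salted_hash(USERS["bob"])


if __name__ == "__main__":
    print("recovered from unsalted store:", demo_unsalted())
    print("identical records, unsalted:", same_password_same_record("unsalted"))
    print("identical records, salted:  ", same_password_same_record("salted"))
```

Run as a script, the unsalted store gives up both users who chose “mypassword” from a four-word table, while the salted store produces two different records for the same password and has to be attacked one user at a time.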
Can you blame someone for not being a security super-ninja?

No. But you don’t need to be a ninja to do better than this.
Read how in part 2.