Passwords Under Attack at LinkedIn. Is Salting the Key?
On Wednesday morning, the first reports of an alleged breach of the social networking site LinkedIn were published. At risk were over six million passwords that had been posted to a Russian hacking site. LinkedIn did not confirm the breach until later in the day and to date has provided few details.
LinkedIn spokesperson Danielle Restivo told InternetNews.com that the only details the company is currently providing are by way of a blog post and updates on its Twitter account. In the blog post, LinkedIn's Vicente Silveira does not explicitly say how many accounts were breached or how the attack occurred.
Users whose passwords were leaked will no longer be able to log in to LinkedIn and will be directed to set a new password. Silveira also noted that LinkedIn would be sending an email with instructions on how to update passwords. The email approach has led to a string of phishing copycats over the last day. Over a six-hour period, eSecurityPlanet received multiple phishing emails requesting LinkedIn password resets. The key difference between the legitimate LinkedIn email and the phishing ones is that there are no links to click in the real email from LinkedIn.
There has been some speculation that LinkedIn's failure to 'salt' its stored password hashes has made it easier for attackers to crack them. The leaked LinkedIn passwords were posted as SHA-1 hashes.
"Salting stored hashes increases the complexity of the encrypted password data, beyond the point where it can be cracked in a reasonable amount of time," Jim Walter, manager of the McAfee Threat Intelligence Service (MTIS) for McAfee Lab told InternetNews. "Failing to store passwords in a secure manner allows for quick and easy decryption of the hashes, revealing the plain-text passwords."
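To make the salting argument above concrete, here is an added example written for this article; it is not code from LinkedIn, McAfee or the original page. The account names, passwords and the attacker's wordlist are constructed sample data, not anything from the leaked dump. It builds a small dump of bare SHA-1 hashes and a second dump of salted SHA-1 hashes, then runs the same dictionary attack against each and counts the hash operations the attacker has to spend.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

# Constructed sample data for this example: four accounts, two of which
# share a password, plus a tiny attacker wordlist. None of it is real.
USERS = {
    "alice": "linkedin",
    "bob": "password1",
    "carol": "linkedin",
    "dave": "Tr0ub4dor&3",   # not in the wordlist, so it survives either attack
}
WORDLIST = ["123456", "password", "linkedin", "password1", "letmein", "qwerty"]


def sha1_unsalted(password: str) -> str:
    """Bare SHA-1 of the password, the form the leaked hashes were posted in."""
    return hashlib.sha1(password.encode()).hexdigest()


def sha1_salted(password: str, salt: bytes) -> str:
    """SHA-1 over a per-account random salt followed by the password."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def build_unsalted_dump(users: Dict[str, str]) -> List[str]:
    """What a site storing bare SHA-1 leaks: one hash per account."""
    return [sha1_unsalted(pw) for pw in users.values()]


def build_salted_dump(users: Dict[str, str]) -> List[Tuple[bytes, str]]:
    """What a salting site leaks: (salt, hash) per account. Salts are not secret."""
    dump = []
    for pw in users.values():
        salt = os.urandom(16)
        dump.append((salt, sha1_salted(pw, salt)))
    return dump


def crack_unsalted(dump: List[str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Dictionary attack on unsalted hashes.

    The attacker hashes each candidate once, builds a lookup table, and checks
    every leaked hash against it. Cost is len(wordlist) hash operations no
    matter how many hashes leaked, and identical passwords produce identical
    hashes, so one table hit covers every account that shares the password.
    Returns (hash -> plaintext, number of hash operations spent).
    """
    table = {sha1_unsalted(w): w for w in wordlist}
    found = {h: table[h] for h in dump if h in table}
    return found, len(wordlist)


def crack_salted(dump: List[Tuple[bytes, str]], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Dictionary attack on salted hashes.

    No shared table is possible: every candidate must be re-hashed under each
    account's own salt, so cost grows as len(dump) * len(wordlist), and two
    accounts with the same password no longer reveal that fact.
    Returns (hash -> plaintext, number of hash operations spent).
    """
    found: Dict[str, str] = {}
    ops = 0
    for salt, h in dump:
        for w in wordlist:
            ops += 1
            if hmac.compare_digest(sha1_salted(w, salt), h):
                found[h] = w
                break
    return found, ops


def pbkdf2_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Salted *and* slow: each guess costs `iterations` HMAC-SHA-256 calls.

    Salting only removes the shared table; the iteration count is what raises
    the per-guess cost, which SHA-1 (salted or not) never does on its own.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def verify_pbkdf2(password: str, salt: bytes, stored: bytes, iterations: int = 100_000) -> bool:
    """Constant-time check of a login attempt against a stored PBKDF2 hash."""
    return hmac.compare_digest(pbkdf2_hash(password, salt, iterations), stored)


if __name__ == "__main__":
    plain = build_unsalted_dump(USERS)
    print(f"unsalted dump: {len(plain)} accounts, {len(set(plain))} distinct hashes")
    found, ops = crack_unsalted(plain, WORDLIST)
    print(f"  cracked {len(found)} hash values with {ops} hash operations: {found}")

    salted = build_salted_dump(USERS)
    print(f"salted dump:   {len(salted)} accounts, {len({h for _, h in salted})} distinct hashes")
    found, ops = crack_salted(salted, WORDLIST)
    print(f"  cracked {len(found)} hash values with {ops} hash operations")
```

With the constructed data, the unsalted dump shows only three distinct hashes for four accounts, and six hash operations crack every account whose password is in the wordlist; the salted dump shows four distinct hashes and needs sixteen operations for the same result, with the cost multiplying by the number of leaked accounts rather than staying flat. The caveat a practitioner should take from this is that a salt defeats precomputed tables and shared work, but it does not make a fast hash like SHA-1 expensive per guess; a wordlist of a few million entries still runs through salted SHA-1 in seconds on commodity hardware. The iterated PBKDF2 function at the end is what actually adds the per-guess cost the McAfee quote describes, and bcrypt or scrypt serve the same purpose.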