LinkedIn has confirmed, according to numerous sources, that someone managed to break into their password database. A list of 6.5 million passwords (and passwords only; whoever hacked LinkedIn posted them sans usernames) was making its rounds in the nether regions of the internet earlier today. The list was not in plaintext: it was protected with what I loosely called "data encryption for passwords", i.e., the passwords were hashed. Unfortunately, it appears that they were hashed without a salt.
Which leads me to ask this question: really? Honestly? (That should be read with a tone of incredulity.)
Hashes are Not Encryption
Despite what I said above about hashes and encryption, hashes are not encryption. A hash is a security "mechanism" (I use that word loosely) that hides information from plain sight. Like encryption, it takes a string of characters and turns it into gobbledygook. Unlike encryption, there is no key and no way back: you cannot recover the input from the output. And because nothing random goes into the calculation, the same input always produces exactly the same gobbledygook, on anyone's machine.
For example, if you pass the word "LinkedIn" you might get "6b6390a4416131f82b6ffb509f6e779e5dd9630f" as a result. The problem? You will always get 6b6390a4416131f82b6ffb509f6e779e5dd9630f as a result if you pass the word LinkedIn (I used a SHA-1 hash function, the same one LinkedIn used), and so will anyone else who tries.
This makes cracking unsalted passwords quite straightforward: run candidate passwords (a dictionary, a list of common passwords, or plain brute force) through the same hash function, and compare each output against the leaked list. Because every hash in the list was made the same way, one pass over the candidates checks all 6.5 million hashes at once, and a table of precomputed SHA-1 hashes built for some other site works just as well here. If something matches, you go back to the input and voila!
The answer to this obvious problem? Salt it. In other words, generate a random string of characters (the salt) separately for each password, add it to the end or beginning (or anywhere, really) of the password before hashing, and store the salt next to the resulting hash. Two users with the same password then end up with different hashes, precomputed tables are useless, and the attacker has to start the whole guessing process over for every single entry instead of once for the whole list. One caveat a practitioner should add: a salt does not make each individual guess any slower, so on top of salting, a deliberately slow password hashing function (bcrypt, scrypt or PBKDF2) is the right choice rather than one round of fast SHA-1. But salting alone is security 101. I'm surprised that LinkedIn has been using a hash algorithm without salting its input first.
How Do I Know It Wasn’t Salted?
I know that it wasn't salted because security researchers and enthusiasts were quicker to confirm the breach than LinkedIn. How'd they make the confirmation? Essentially, they took the list that was passing around, hashed their own LinkedIn passwords with plain SHA-1, and looked for those hashes in the list. The fact that they found matches confirms the lack of salting; otherwise, the researchers' password hashes wouldn't show up (unless, of course, they also knew what salt LinkedIn was using for their particular accounts).
This method of confirming a hack, of course, requires that a given password is unique to the site, and that it isn't so common that it would show up in any dump regardless of where it came from. Thankfully, if you can count on a group of people to have unique passwords for each site, it's computer security researchers.
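To make the three points above concrete (cracking an unsalted list with one pass over a wordlist, the "is my own hash in the dump" check the researchers did, and why a per-user salt plus a slow hash changes the attacker's cost), here is an added example in Python. It is not code from the original post and not LinkedIn's code; the wordlist and the "leaked" hashes are constructed inline from known inputs so the script runs offline, and the function names are mine.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed candidate list standing in for a cracking wordlist (not real leaked data).
WORDLIST = ["password", "123456", "linkedin", "LinkedIn", "letmein", "qwerty"]


def sha1_hex(data: bytes) -> str:
    """Plain SHA-1, the function the leaked list was built with."""
    return hashlib.sha1(data).hexdigest()


# Constructed stand-in for the dump: hashes only, no usernames, no salt.
# Built here from known inputs so the example is self-contained.
LEAKED_UNSALTED = sorted({sha1_hex(p.encode()) for p in ["123456", "LinkedIn", "correct horse"]})


def crack_unsalted(leaked, wordlist):
    """Hash each candidate once and look it up against the whole dump.

    One table serves every hash in the list (and any other unsalted SHA-1 dump),
    so the work is len(wordlist) hashes no matter how many records leaked.
    Returns ({hash: recovered_password}, number_of_hash_operations).
    """
    table = {sha1_hex(w.encode()): w for w in wordlist}   # reusable across sites
    return {h: table[h] for h in leaked if h in table}, len(wordlist)


def appears_in_leak(password: str, leaked) -> bool:
    """The researchers' check: hash your own password, see whether it is in the dump."""
    return sha1_hex(password.encode()) in set(leaked)


def store_salted(password: str, salt: Optional[bytes] = None):
    """Per-user random salt, stored next to the hash (the salt is not secret)."""
    salt = salt if salt is not None else os.urandom(16)
    return salt.hex(), sha1_hex(salt + password.encode())


def crack_salted(records, wordlist):
    """With a unique salt per record the lookup table cannot be shared or
    precomputed: every record needs its own pass over the wordlist.
    Returns ({hash: recovered_password}, total_hash_operations)."""
    found, ops = {}, 0
    for salt_hex, h in records:
        salt = bytes.fromhex(salt_hex)
        for w in wordlist:
            ops += 1
            if hmac.compare_digest(sha1_hex(salt + w.encode()), h):
                found[h] = w
                break
    return found, ops


def store_slow(password: str, salt: Optional[bytes] = None, iterations: int = 100_000):
    """Salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256): each guess now costs
    `iterations` hashes instead of one, which salting alone does not give you."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt.hex(), digest.hex()


def verify_slow(password: str, salt_hex: str, stored_hex: str, iterations: int = 100_000) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest_hex = store_slow(password, bytes.fromhex(salt_hex), iterations)
    return hmac.compare_digest(digest_hex, stored_hex)


if __name__ == "__main__":
    cracked, ops = crack_unsalted(LEAKED_UNSALTED, WORDLIST)
    print(f"unsalted: recovered {len(cracked)} of {len(LEAKED_UNSALTED)} in {ops} hash ops")
    print("my password in the dump?", appears_in_leak("LinkedIn", LEAKED_UNSALTED))
    records = [store_salted("123456"), store_salted("123456"), store_salted("correct horse")]
    found, ops = crack_salted(records, WORDLIST)
    print(f"salted: recovered {len(found)} of {len(records)} in {ops} hash ops")
```

Run it and the numbers tell the story: the unsalted list costs six hashes to check every entry, while the salted records cost a fresh pass each (ten hashes here, and the "correct horse" record alone eats the whole wordlist). The two "123456" records come out with different hashes, which is exactly why the researchers' matching trick would have failed against a salted database.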
I’ve downloaded the list myself and will be working to see whether I’ve been affected as well. I’m keeping my fingers crossed.
But, at the end of the day, it’s not a big deal if I find my own password in that set. It’s unique to the site, so the only hassle is that I’ll have to come up with a new password for my LinkedIn account.
Update (07 JUN 2012): Yep, my password’s in that list.