Following the password leaks at LinkedIn, eHarmony, and Last.fm last month, Formspring, described as a question-and-answer website, has announced and plugged a password leak. One differentiating factor: unlike the earlier data breaches, Formspring used proper data security, at least in name: it salted its passwords before hashing them.
420,000 Passwords Posted to a Security Forum
As the story goes, Formspring was alerted that a list of its members’ passwords had been posted on a security forum. Formspring did some checking and found that the passwords did indeed belong to it, locked down its systems, and emailed all 28 million users to reset their passwords. Furthermore, it announced that
We found that someone had broken into one of our development servers and was able to use that access to extract account information from a production database…. We were able to immediately fix the hole and upgraded our hashing mechanisms from sha-256 with random salts to bcrypt to fortify security. [formspring.me]
There will be people who complain how this was terrible security, that people shouldn’t be able to access the core (production database) via development servers. Such criticism is not beyond the pale.
Password Security: Formspring Did Things Right
At the same time, the criticism is also not valid. The reason why you need to have security in layers lies within the real-life fact that you just never know how or when or why you might have a data breach, either because you failed or someone else failed, within your organization or without.
So, despite what appears to some to be an idiotic data breach, I think some congratulations are in order for Formspring. I mean, we’ve obviously seen cases where companies whose entire worth revolves around online data security consider data security an afterthought, at least in practice.
Plus, unlike the use of weak algorithms like MD5, Formspring used SHA-2 (specifically, SHA-256). SHA-2 is currently considered strong, and Formspring didn’t really have a reason to switch to bcrypt, a competing hash algorithm.
On the other hand, the main criticism against SHA-2 is that, just like SHA-1 and MD5, it’s “fast,” meaning that progress in raw computing power will see SHA-2 defeated sooner rather than later.
So, the fact that Formspring decided to switch to a “more secure” (there’s some arguing at the top echelons, I guess, whether it actually is more secure) hash algorithm, despite the fact that their current one was more than capable, speaks volumes about their security stance. Unlike others who’ve managed to fix the barn after the horses have escaped, Formspring has in essence fixed the barn while their horses escaped…to the adjoining barn.
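The move the Formspring statement describes (salted SHA-256 to a slower hash) and the “fast” criticism above, as an added example that is not from the original post or from Formspring's code. PBKDF2 from Python's standard library stands in for bcrypt, and the record layout, function names and iteration count are assumptions.

```python
import hashlib, hmac, os, time

ITERATIONS = 100_000  # constructed work factor; tune to your own hardware

def legacy_hash(password, salt):
    # The scheme the post describes: a single SHA-256 pass over salt + password.
    return hashlib.sha256(salt + password.encode()).digest()

def slow_hash(password, salt, iterations=ITERATIONS):
    # Stand-in for bcrypt: PBKDF2-HMAC-SHA256, whose cost grows with `iterations`.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def legacy_record(password):
    salt = os.urandom(16)
    return {"scheme": "sha256", "salt": salt, "hash": legacy_hash(password, salt)}

def slow_record(password):
    salt = os.urandom(16)
    return {"scheme": "pbkdf2", "salt": salt, "iter": ITERATIONS,
            "hash": slow_hash(password, salt)}

def verify_and_upgrade(record, password):
    # Check a login attempt. A legacy record that verifies is rewritten in
    # place with the slow scheme, since only a login supplies the plaintext.
    if record["scheme"] == "sha256":
        ok = hmac.compare_digest(legacy_hash(password, record["salt"]), record["hash"])
        if ok:
            record.clear()
            record.update(slow_record(password))
        return ok
    expected = slow_hash(password, record["salt"], record["iter"])
    return hmac.compare_digest(expected, record["hash"])

def cost_ratio(rounds=2000):
    # How many times more CPU one guess costs under the slow scheme.
    salt = os.urandom(16)
    start = time.perf_counter()
    for _ in range(rounds):
        legacy_hash("guess", salt)
    fast = (time.perf_counter() - start) / rounds
    start = time.perf_counter()
    slow_hash("guess", salt)
    return (time.perf_counter() - start) / fast

if __name__ == "__main__":
    user = legacy_record("correct horse")  # constructed sample account
    print(verify_and_upgrade(user, "wrong"), user["scheme"])
    print(verify_and_upgrade(user, "correct horse"), user["scheme"])
    print(f"one guess costs ~{cost_ratio():,.0f}x more after the upgrade")
```

Accounts that never log in again keep their fast hash under this approach, which is why a breach response pairs it with a forced reset, as Formspring's did.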