[LINK] Millions of LinkedIn passwords leaked online
Glen Turner
gdt at gdt.id.au
Thu Jun 7 09:38:43 AEST 2012
On 07/06/12 08:36, Dr Bob Jansen wrote:
> Reports on the BBC indicated that the file was encrypted and placed on a hacker site and asking for assistance in decrypting it.

Yep. SHA-1. But not salted so a rainbow table of passwords from past
hacks can be used :-(

Note that LinkedIn wanting to hold your password is the direct result of
their strategy -- they want to be an authentication provider, not an
authentication client.

That is, you can't use a secure option, such as an authentication token
against an OpenID provider to authenticate login into LinkedIn. Rather
you have to give LinkedIn a password, apparently following infeasible
guidelines such as the one they released today:

http://blog.linkedin.com/2012/06/06/updating-your-password-on-linkedin-and-other-account-security-best-practices/

--
Glen Turner www.gdt.id.au/~gdt
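
Added example, not part of the original message: a defender's check of the point about unsalted SHA-1. Identical passwords give identical digests for every user, which is why one precomputed table applies to the whole file, while a per-user salt with a slow KDF removes that property. The account names, passwords and iteration count are constructed for this sketch, and PBKDF2 is this example's choice of replacement scheme.

```python
from __future__ import annotations

import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor, chosen for this example


def unsalted_sha1(password: str) -> str:
    """Bare SHA-1 with no salt, the scheme the message describes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def shared_digests(stored: dict[str, str]) -> list[list[str]]:
    """Audit check: groups of users whose stored digests are identical."""
    groups: dict[str, list[str]] = {}
    for user, digest in stored.items():
        groups.setdefault(digest, []).append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def salted_record(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Per-user random salt plus PBKDF2-HMAC-SHA256; returns (salt, key)."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, key


def verify(password: str, salt: bytes, key: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_record(password, salt)[1], key)


# Constructed sample accounts; alice and bob chose the same password.
SAMPLE = {"alice": "correct horse", "bob": "correct horse", "carol": "tr0ub4dor&3"}

if __name__ == "__main__":
    unsalted = {u: unsalted_sha1(p) for u, p in SAMPLE.items()}
    print("identical unsalted digests:", shared_digests(unsalted))
    salted = {u: salted_record(p) for u, p in SAMPLE.items()}
    print("identical salted keys:", shared_digests({u: k.hex() for u, (_, k) in salted.items()}))
    s, k = salted["alice"]
    print("alice verifies:", verify("correct horse", s, k))
```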