[LINK] Millions of LinkedIn passwords leaked online

Glen Turner gdt at gdt.id.au
Thu Jun 7 09:38:43 AEST 2012


On 07/06/12 08:36, Dr Bob Jansen wrote:
> Reports on the BBC indicated that the file was encrypted and placed on a hacker site and asking for assistance in decrypting it.

Yep. SHA-1. But not salted so a rainbow table of passwords from past
hacks can be used :-(

Note that LinkedIn wanting to hold your password is the direct result of
their strategy -- they want to be an authentication provider, not an
authentication client.

That is, you can't use a secure option, such as authentication token
against an OpenID provider to authenticate login into LinkedIn. Rather
you have to give LinkedIn a password, apparently following infeasible
guidelines such as the one they released today:

http://blog.linkedin.com/2012/06/06/updating-your-password-on-linkedin-and-other-account-security-best-practices/

-- 
Glen Turner   www.gdt.id.au/~gdt
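To illustrate the point made above about unsalted SHA-1, here is an added example (not from the original post, and not LinkedIn's code): a stored unsalted hash is recovered with one dictionary lookup against a table precomputed from previously leaked passwords, while a per-user salt plus an iterated KDF (PBKDF2 here, as an assumed choice) makes that precomputed table useless. The password list is constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed sample standing in for passwords recovered in earlier breaches.
PREVIOUSLY_LEAKED = ["password", "linkedin", "123456", "letmein"]
ITERATIONS = 100_000  # assumed work factor for the hardened scheme


def unsalted_sha1(password: str) -> str:
    """The weak scheme: bare SHA-1 of the password, identical for every user."""
    return hashlib.sha1(password.encode()).hexdigest()


def precompute_table(passwords) -> dict:
    """Hash -> password map built once; works against every unsalted database."""
    return {unsalted_sha1(p): p for p in passwords}


def lookup_unsalted(stored_hash: str, table: dict):
    """Recovering an unsalted hash costs one dictionary lookup."""
    return table.get(stored_hash)


def salted_hash(password: str, salt: bytes = None) -> tuple:
    """Hardened scheme: random per-user salt, iterated PBKDF2-HMAC-SHA1."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_salted(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a recomputed digest against the stored one."""
    candidate = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def demo() -> tuple:
    table = precompute_table(PREVIOUSLY_LEAKED)
    # Two users chose the same weak password: unsalted, their hashes collide,
    # so one table hit exposes both accounts.
    same_unsalted = unsalted_sha1("linkedin") == unsalted_sha1("linkedin")
    recovered = lookup_unsalted(unsalted_sha1("linkedin"), table)
    # Salted: the two digests differ and the precomputed table finds nothing.
    salt_a, digest_a = salted_hash("linkedin")
    salt_b, digest_b = salted_hash("linkedin")
    same_salted = digest_a == digest_b
    recovered_salted = lookup_unsalted(digest_a.hex(), table)
    return same_unsalted, recovered, same_salted, recovered_salted, verify_salted("linkedin", salt_a, digest_a)
```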


