[LINK] Millions of LinkedIn passwords leaked online

Glen Turner gdt at gdt.id.au
Fri Jun 8 10:47:58 AEST 2012


On 08/06/2012, at 8:30 AM, Marghanita da Cruz wrote:
> It seems they have taken your advice, at least partially.

I'd be surprised if they even knew I existed.

BTW, they still haven't done it right. Read this blog entry:

http://blog.linkedin.com/2012/06/07/taking-steps-to-protect-our-members/

> Finally, our current production database for account passwords is salted as well as
> hashed, which provides an additional layer of security.

That's still a long way from all of the desirable attributes for key derivation, for example there is no key stretching.

There are common functions for key derivation -- such as PBKDF2 -- that have been designed by people with cryptographic expertise and subject to deep review across many years.  LinkedIn should simply try to stop rolling their own.

-- 
 Glen Turner <http://www.gdt.id.au/~gdt/>
