[LINK] Millions of LinkedIn passwords leaked online
Glen Turner
gdt at gdt.id.au
Fri Jun 8 10:47:58 AEST 2012
On 08/06/2012, at 8:30 AM, Marghanita da Cruz wrote:
> It seems they have taken your advice, at least partially.
I'd be surprised if they even knew I existed.
BTW, they still haven't done it right. Read this blog entry:
http://blog.linkedin.com/2012/06/07/taking-steps-to-protect-our-members/
> Finally, our current production database for account passwords is salted as well as
> hashed, which provides an additional layer of security.
That's still a long way from all of the desirable attributes for key derivation, for example there is no key stretching.
There are common functions for key derivation -- such as PBKDF2 -- that have been designed by people with cryptographic expertise and subject to deep review across many years. LinkedIn should simply try to stop rolling their own.
--
Glen Turner <http://www.gdt.id.au/~gdt/>
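As an added illustration of the distinction the message draws (example code, not from the post, the list, or LinkedIn): a salted single hash, which is what the quoted blog post describes, beside a PBKDF2-HMAC verifier whose salt and iteration count travel with the record so the work factor can be raised later. The record format and the iteration count are assumptions chosen for this example.

```python
import base64
import hashlib
import hmac
import os

# Work factor (assumption for this example): every password guess must cost
# this many HMAC evaluations. Raise it as far as the login latency budget allows.
ITERATIONS = 200_000


def salted_hash_only(password: str, salt: bytes) -> bytes:
    """Salt + one hash, as in the quoted blog post. The salt defeats
    precomputed tables, but each guess still costs a single hash: no stretching."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """PBKDF2-HMAC-SHA256 with a fresh 16-byte random salt.
    Record layout (constructed for this example): scheme$iterations$salt$key, base64."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the parameters embedded in the record; compare in constant time."""
    try:
        scheme, iterations, salt_b64, dk_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(dk_b64, validate=True)
        iterations = int(iterations)
    except ValueError:  # malformed record (binascii.Error is a ValueError)
        return False
    if scheme != "pbkdf2_sha256" or iterations < 1:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=len(expected))
    return hmac.compare_digest(dk, expected)


def needs_rehash(stored: str, current_iterations: int = ITERATIONS) -> bool:
    """True when the record was made with a lower work factor than policy now
    requires; the caller re-hashes on the next successful login."""
    parts = stored.split("$")
    return len(parts) != 4 or parts[0] != "pbkdf2_sha256" or int(parts[1]) < current_iterations
```

Because the iteration count is stored per record, the deployment can keep raising it over time without a flag day, which a bare salted hash cannot offer.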