[LINK] Millions of LinkedIn passwords leaked online

Martin Barry marty at supine.com
Fri Jun 8 17:19:46 AEST 2012


$quoted_author = "Glen Turner" ;
> 
> BTW, they still haven't done it right. Read this blog entry:
> 
> http://blog.linkedin.com/2012/06/07/taking-steps-to-protect-our-members/
> > Finally, our current production database for account passwords is salted as well as
> > hashed, which provides an additional layer of security.
> 
> That's still a long way from all of the desirable attributes for key
> derivation, for example there is no key stretching.
> 
> There are common functions for key derivation -- such as PBKDF2 -- that
> have been designed by people with cryptographic expertise and subject to
> deep review across many years.  LinkedIn should simply try to stop rolling
> their own.

My understanding is the current best practice is to use bcrypt. This is a
hashing implementation of the Blowfish algorithm which is relatively
inefficient and has a "work" variable which enables you to make it more
so as Moore's law catches up with you.

Salting merely stops the use of rainbow tables and forces the cracker to use
brute force. But that is little solace if the hashing algorithm is super
efficient.

cheers
Marty



More information about the Link mailing list