This week has been one massive hack; 1st LinkedIn, then eHarmony and now Last.fm. What is especially galling is that none of these companies salt their stored passwords – considering that unsalted password hashes are easily deciphered with the massive computing power available to anyone these days, this is a huge faux pas.
“Salting stored hashes increases the complexity of the encrypted password data, beyond the point where it can be cracked in a reasonable amount of time,” said Jim Walter, manager of McAfee’s Threat Intelligence Service (MTIS), in an interview with eSecurity Planet. “Failing to store passwords in a secure manner allows for quick and easy decryption of the hashes, revealing the plain-text passwords.”
And then LinkedIn has the additional gall of giving us account security best practices. Well hopefully they have learnt from their mistakes:
“It is worth noting that the affected members who update their passwords and members whose passwords have not been compromised benefit from the enhanced security we just recently put in place, which includes hashing and salting of our current password databases.:
I have one issue with LinkedIn’s password change method and it’s being done via email. I’ve already received one phishing email pertain to be from LinkedIn – be careful!
