On 6 Jun 2012 at 14:05, NT System Admin Issues  wrote:

> On 6 Jun 2012 at 18:28, Heaton, Joseph@DFG  wrote:
> 
> > What I had heard from my security guy was that what was hacked 
> > was the hash for the encryption. So, doesn't really matter what 
> > you change to until LinkedIn changes the hash itself. Anyone hear 
> > if they've done that?
> 
> Actually, it seems that LI hashed the passwords without salting them so a 
> simple rainbow-tables attack on the database should reveal all the short 
> passwords and all the common passwords (like "password1234" and 
> "linkedinpassword").  If you have a long enough password I doubt they'll be
> able to find its hash in time.
> 
> That said, I did change my LI pwd, including lengthening it somewhat.

More news: it would appear they have learned their lesson and are now salting 
the password hash:

============= Included Stuff Follows =============

LinkedIn Blog » An Update on LinkedIn Member Passwords Compromised

    "It is worth noting that the affected members who update their passwords 
    and members whose passwords have not been compromised benefit from the 
    enhanced security we just recently put in place, which includes hashing 
    and salting of our current password databases."

============= Included Stuff Ends =============
Seen here:
http://blog.linkedin.com/2012/06/06/linkedin-member-passwords-compromised/

--
Angus Scott-Fleming
GeoApps, Tucson, Arizona
1-520-290-5038
Security Blog: http://geoapps.com/
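
The difference between unsalted and salted storage discussed in this thread, as an added example that is not part of the original message or LinkedIn's code. The thread does not name the hash function, so SHA-1 is an assumption here, as are the choice of PBKDF2 for the salted scheme and the constructed sample accounts.

```python
import hashlib, hmac, os
from collections import defaultdict

# Constructed sample accounts; two passwords are the examples quoted in the thread.
USERS = {
    "alice": "password1234",
    "bob": "password1234",
    "carol": "linkedinpassword",
    "dave": "a much longer passphrase nobody precomputed",
}

def unsalted(password):
    # Assumption: SHA-1 stands in for the unnamed unsalted hash.
    return hashlib.sha1(password.encode()).hexdigest()

def salted(password, iterations=100_000):
    # Random per-user salt plus a slow KDF (PBKDF2-HMAC-SHA256, chosen here).
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"

def verify(password, record):
    # Recompute with the stored salt and compare in constant time.
    iterations, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)

def shared_hashes(table):
    # Audit check: users whose stored value is identical. Any group means
    # equal passwords map to equal records, so one precomputed table
    # entry matches all of them.
    groups = defaultdict(list)
    for user, stored in table.items():
        groups[stored].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

def build(scheme):
    # Store every sample account under the given scheme.
    return {user: scheme(pw) for user, pw in USERS.items()}

if __name__ == "__main__":
    print("unsalted duplicates:", shared_hashes(build(unsalted)))
    print("salted duplicates:  ", shared_hashes(build(salted)))
```

Running `shared_hashes` over a real credential table is a quick audit: any group of users with identical stored values indicates the table is not salted per user.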
