On 6 Jun 2012 at 14:05, NT System Admin Issues wrote:

> On 6 Jun 2012 at 18:28, Heaton, Joseph@DFG wrote:
>
> > What I had heard from my security guy was that what was hacked
> > was the hash for the encryption. So, doesn't really matter what
> > you change to until Linkedin changes the hash itself. Anyone hear
> > if they've done that?
>
> Actually, it seems that LI hashed the passwords without salting them, so a
> simple rainbow-tables attack on the database should reveal all the short
> passwords and all the common passwords (like "password1234" and
> "linkedinpassword"). If you have a long enough password I doubt they'll be
> able to find its hash in time.
>
> That said, I did change my LI pwd, including lengthening it somewhat.
More news: it would appear they have learned their lesson and are now salting the password hash:

============= Included Stuff Follows =============
Linkedin Blog » An Update on LinkedIn Member Passwords Compromised

"It is worth noting that the affected members who update their passwords and members whose passwords have not been compromised benefit from the enhanced security we just recently put in place, which includes hashing and salting of our current password databases."
============= Included Stuff Ends =============

Seen here: http://blog.linkedin.com/2012/06/06/linkedin-member-passwords-compromised/

--
Angus Scott-Fleming
GeoApps, Tucson, Arizona
1-520-290-5038
Security Blog: http://geoapps.com/
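Editor's added example (not code from the thread, from LinkedIn, or from any project) of the point made in the quoted reply above: a precomputed table reverses every unsalted hash it contains at the cost of a lookup, while a per-user salt makes that table useless and forces the attacker to re-hash every guess for every user. The hash algorithm (SHA-256 for the unsalted scheme, PBKDF2-HMAC-SHA256 for the salted one), the wordlist and the user records are all constructed assumptions; the thread does not name the algorithm LinkedIn used, and the short wordlist stands in for a real rainbow table, which would be far larger but has the same property.

```python
"""Unsalted vs. salted password hashing: why a precomputed table works on one
and not the other.

Constructed example. Assumptions: the unsalted scheme is modelled with SHA-256
(the thread does not name the real algorithm); the "rainbow table" is a plain
hash -> plaintext dictionary built from a constructed wordlist; users and
passwords are made up.
"""
import hashlib
import hmac
import os

# Constructed wordlist standing in for the common passwords the thread mentions.
COMMON_PASSWORDS = ["password1234", "linkedinpassword", "123456", "qwerty", "letmein"]

# Constructed user database: two common passwords, one long unique one.
USERS = {
    "alice": "password1234",
    "bob": "linkedinpassword",
    "carol": "correct horse battery staple 2012!",
}


def unsalted_hash(password: str) -> str:
    """Fast, unsalted hash: identical passwords always give identical hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_table(candidates):
    """Precompute hash -> plaintext once; reusable against any unsalted dump."""
    return {unsalted_hash(p): p for p in candidates}


def crack_unsalted(dump, table):
    """Reverse every leaked hash that appears in the precomputed table.

    dump: {user: unsalted_hex}. Cost: one dictionary lookup per user, no hashing.
    """
    return {user: table[h] for user, h in dump.items() if h in table}


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Per-user salt plus a work factor (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def store(password: str) -> dict:
    """Create a stored record: random 16-byte salt and the salted hash."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": salted_hash(password, salt)}


def verify(password: str, record: dict) -> bool:
    """Constant-time comparison of a login attempt against the stored record."""
    return hmac.compare_digest(salted_hash(password, record["salt"]), record["hash"])


def crack_salted(records, candidates):
    """Guess each user separately: the salt forces a fresh hash per (user, guess).

    Returns (cracked, hash_ops). No precomputed table helps here, but common
    passwords still fall; salting raises the per-user cost, it does not replace
    a long, unique password.
    """
    cracked, hash_ops = {}, 0
    for user, rec in records.items():
        for guess in candidates:
            hash_ops += 1
            if hmac.compare_digest(salted_hash(guess, rec["salt"]), rec["hash"]):
                cracked[user] = guess
                break
    return cracked, hash_ops


if __name__ == "__main__":
    table = build_table(COMMON_PASSWORDS)
    dump = {u: unsalted_hash(p) for u, p in USERS.items()}
    print("unsalted, table lookup:", crack_unsalted(dump, table))

    records = {u: store(p) for u, p in USERS.items()}
    hits = [u for u, r in records.items() if r["hash"].hex() in table]
    print("salted, same table:", hits)
    print("salted, per-user guessing:", crack_salted(records, COMMON_PASSWORDS))
```

Run as a script it prints three lines: the unsalted dump gives up alice and bob from the table alone, the same table matches nothing in the salted store, and per-user guessing still recovers alice and bob but only after hashing each guess against each user's salt, which is the cost the salt is buying. carol's long password survives both attacks, which is the other half of the quoted reply's point.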