LinkedIn announced this week that almost 6.5 million passwords associated with user accounts had been compromised. The breach was discovered when the passwords were posted on a Russian forum by the alleged hacker. According to reports, the passwords were hashed using SHA-1, a frequently employed hashing algorithm developed by the NSA. So, how could passwords that are seemingly protected by a secure hashing algorithm be compromised?
SHA-1 is typically thought to be a secure algorithm, but best practice is to add a “salt” before hashing. Salting involves appending a random value to each password before it is hashed. That way, identical passwords no longer collide to the same hash, a precomputed table of digests cannot be reused across accounts, and patterns in the stored hashes are much harder to detect. Removing that pattern recognition thwarts most of the major attacks on hashed passwords. Unfortunately, LinkedIn has just experienced the danger of unsalted hashes. (You can read Vormetric’s Todd Thiemann’s comments on the compromise in the SC Magazine article.)
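To make the point concrete, here is an added example (not from the original post or from LinkedIn) that hashes a constructed set of accounts both ways: plain SHA-1 as reported for the breach, and SHA-1 with a random per-user salt appended. Two users sharing a password produce an identical unsalted digest, while their salted digests differ, and the salted records can still be verified. The account names and passwords are constructed sample data.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample accounts (hypothetical users, not real breach data).
# Two of them deliberately share a password.
SAMPLE_ACCOUNTS = {
    "alice": "linkedin2012",
    "bob": "linkedin2012",
    "carol": "correct horse battery staple",
}


def unsalted_sha1(password: str) -> str:
    """Plain SHA-1 over the password: the scheme the post describes as unsalted."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_sha1(password: str, salt: bytes) -> str:
    """SHA-1 over the password with a per-user random salt appended."""
    return hashlib.sha1(password.encode("utf-8") + salt).hexdigest()


def make_record(password: str) -> dict:
    """Create a stored record: the salt is kept alongside the hash (it is not secret)."""
    salt = os.urandom(16)
    return {"salt": salt.hex(), "hash": salted_sha1(password, salt)}


def verify(password: str, record: dict) -> bool:
    """Recompute the salted hash and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    return hmac.compare_digest(salted_sha1(password, salt), record["hash"])


def repeated_hash_groups(hashes) -> int:
    """Count digests that occur more than once: each repeat exposes a shared password."""
    return sum(1 for n in Counter(hashes).values() if n > 1)


def compare_schemes(accounts=SAMPLE_ACCOUNTS) -> dict:
    """Show how many shared-password groups each scheme leaks for the same accounts."""
    unsalted = [unsalted_sha1(pw) for pw in accounts.values()]
    salted = [make_record(pw)["hash"] for pw in accounts.values()]
    return {
        "unsalted_repeats": repeated_hash_groups(unsalted),
        "salted_repeats": repeated_hash_groups(salted),
    }
```

Salting alone does not make a fast hash slow; current guidance layers a deliberately slow function such as PBKDF2 or bcrypt on top of the per-user salt.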
In the wake of the compromise, LinkedIn has alerted its users and provided steps that can be taken to improve account security. These steps are good general guidelines on password security and should be followed for any account – compromised social network or not. This latest incident certainly drives home the need for robust data protection, including encryption and proper key management. Which do you think would be a better course of action – salted hashes or encryption?