LinkedIn Likely Used Outdated, Weak Password Hashing Technology
LinkedIn recently experienced a data breach that exposed over 6.5 million hash passwords. This also recently happened to eHarmony and Last.fm. All three of these are notable Internet organizations, so it makes you wonder what they were doing wrong in terms of password security.
We live in a world now where we assume that all major Internet sites use the most up-to-date technologies. However, the truth is that often, they don’t. I sat down with Patrick Townsend, founder & CEO of Townsend Security to discuss how online organizations can prevent a password data breach from happening to them. Here’s what he had to say:
Let’s take a look at an overview of how this probably happened. First, like many websites, you access LinkedIn by providing a user ID—typically an email address—and password. In almost all cases the actual password is not stored in the clear. Instead, websites such as LinkedIn store the passwords as cryptographic hash values. When you log in, LinkedIn creates of hash of your typed password and compares it to the stored hash. If it’s the same you’ve entered the right password, if it’s different then it isn’t the correct password and you’ll get prompted to enter it again. The most important part of this process is protecting the hashed passwords, which apparently LinkedIn was either not doing or doing poorly. When the hashed passwords were stolen and posted, it left them vulnerable to being attacked and exposing the original passwords.
Hash cryptography is a continually evolving technology and stronger versions are always on the horizon. Cryptographers are always working hard to understand how to make more secure one-way hashes. If it’s done properly, hashing is practically impossible to reverse and uncover the passwords. However, there are a lot of ways to do hashing improperly, and there are a lot of weak hashing methods out there. There are two important ways to make sure you always use the most secure hashing technology:
1. Don’t use outdated hashing algorithms.
Examples of older hash algorithms are MD5 and SHA-1. SHA-1 was the technology apparently used at LinkedIn. Today you should never use either of those. You can use the newer versions of secure hash algorithms SHA-256 or SHA-512, but you should definitely not use known weak hash algorithms such as MD5 or SHA-1.
2. Use Salts
In cryptography, a salt strengthens the end result of one-way hashes. If you are hashing small amounts of data like a password or credit card number, using a salt is critical to prevent a “dictionary” or “brute-force” attack.
These two factors are considered security best practices using hashes, and ensure that you won’t end up with a weak implementation of a hash value. If LinkedIn had used these practices they would be in a much better security position than they are in today. Download our podcast "How LinkedIn Could Have Avoided a Breach" to hear even more about the LinkedIn breach and ways you can keep a similar breach from happening to your organization.