This LinkedIn security breach has put me in a foul mood. I can’t decide if these developers were lazy or stupid. Right now, I’m inclined to believe they are both. The dangers of unsalted password hashes have been known for many years.
A quick Google search will show you this article from 2004 that explains why salting is important and even gives you code to do the salting. There is absolutely no excuse for any web developer anywhere in the world to store plaintext passwords or unsalted password hashes, period.
The best part of this breach is LinkedIn’s own blog. My favorite quote:
It is worth noting that the affected members who update their passwords and members whose passwords have not been compromised benefit from the enhanced security we just recently put in place, which includes hashing and salting of our current password databases.
It’s not enhanced security. It is the most basic thing you can do to protect your customers’ data. It costs next to nothing to salt password hashes before storing them in a database: a random per-user salt kept alongside each hash means an attacker who steals the database has to attack every account separately instead of cracking every reused password with a single precomputed table. If LinkedIn can’t be trusted to protect your data at such a low cost, what can they be trusted with?
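To make the cost and the payoff concrete, here is an added example (my code, not the author’s and not LinkedIn’s) using only Python’s standard library. It puts the unsalted scheme beside a salted one: the sample accounts and wordlist are constructed for the demonstration, and the per-user 16-byte salt, the PBKDF2-HMAC-SHA256 choice and the 600,000-iteration work factor are my assumptions, not anything the post specifies. It also counts the work each attack takes, because a salt alone only removes the shared lookup table; the iterated hash is what makes the per-user guessing expensive.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Tuple

# Constructed sample accounts and wordlist for the demonstration; not real data.
SAMPLE_USERS = {"alice": "linkedin", "bob": "linkedin", "carol": "Tr0ub4dor&3"}
SAMPLE_WORDLIST = ["password", "123456", "linkedin", "qwerty"]


# --- The weak scheme: one unsalted SHA-1 digest per password ---
def unsalted_sha1(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def crack_unsalted(stored: Dict[str, str], wordlist: Iterable[str]) -> Tuple[Dict[str, str], int]:
    """Hash each candidate once, then look every user up in the same table.
    Without a salt, users sharing a password share a digest, so one table
    (precomputed or downloaded) breaks all of them. Returns (found, hashes computed)."""
    table = {unsalted_sha1(word): word for word in wordlist}
    found = {user: table[digest] for user, digest in stored.items() if digest in table}
    return found, len(table)


# --- The fix: random per-user salt plus an iterated (slow) hash ---
ITERATIONS = 600_000  # assumed work factor; tune so one hash costs ~100 ms on your servers


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.
    A fresh 16-byte salt from os.urandom is drawn for every call."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and work factor; compare in constant time.
    Any malformed record is treated as a failed login rather than an exception."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        if algorithm != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False
    return hmac.compare_digest(candidate, expected)


def crack_salted(stored: Dict[str, str], wordlist: Iterable[str]) -> Tuple[Dict[str, str], int]:
    """With per-user salts there is no shared table: every candidate is re-hashed
    for every user, each at full PBKDF2 cost. Returns (found, PBKDF2 runs performed)."""
    words = list(wordlist)
    found: Dict[str, str] = {}
    attempts = 0
    for user, record in stored.items():
        for word in words:
            attempts += 1
            if verify_password(word, record):
                found[user] = word
                break
    return found, attempts


def demo(iterations: int = ITERATIONS) -> dict:
    """Build both databases from the sample users and attack each with the wordlist."""
    weak_db = {user: unsalted_sha1(pw) for user, pw in SAMPLE_USERS.items()}
    strong_db = {user: hash_password(pw, iterations=iterations) for user, pw in SAMPLE_USERS.items()}
    weak_found, weak_work = crack_unsalted(weak_db, SAMPLE_WORDLIST)
    strong_found, strong_work = crack_salted(strong_db, SAMPLE_WORDLIST)
    return {
        "weak_duplicates": weak_db["alice"] == weak_db["bob"],      # same password, same digest
        "strong_duplicates": strong_db["alice"] == strong_db["bob"],  # same password, different records
        "weak_cracked": weak_found,
        "weak_work": weak_work,            # one SHA-1 per wordlist entry, shared by all users
        "strong_cracked": strong_found,
        "strong_work": strong_work,        # one PBKDF2 run (iterations rounds each) per user per guess
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run stand-alone, the demo takes a few seconds by design: the attacker still recovers “linkedin” for both users who chose it, but needs ten full PBKDF2 runs instead of four cheap SHA-1 digests, and that ratio grows with the number of accounts. Salting plus a slow hash buys time and kills shared tables; it does not rescue users who pick dictionary words.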
I also love this line:
To the best of our knowledge, no email logins associated with the passwords have been published…
Don’t get too excited about the email addresses not being published and lose sight of the fact that they were stolen in the first place. Not published is not the same as not in the attacker’s hands.
Here is another gem:
…nor have we received any verified reports of unauthorized access to any member’s account as a result of this event.
Just thinking out loud here, but if someone broke into LinkedIn’s database months ago and stole the passwords and LinkedIn didn’t know about it until the passwords were published, do you think LinkedIn is qualified to determine if any unauthorized access has taken place? Let that sink in for a minute.
I don’t usually rant like this, but I’m so tired of seeing stupid security mistakes. Everyone worries about advanced persistent threats (APT), which account for maybe 1 in 100 data breaches. The other 99 happen because people aren’t doing Information Security 101.
Stephen Haywood is a security analyst at Sword & Shield Enterprise Security. He has more than ten years’ experience in the information technology field, working as a programmer, technical trainer, network operations manager, and information security consultant. He holds a Bachelor of Science in Math and a number of industry certifications, including the Certified Information Systems Security Professional (CISSP), Offensive Security Certified Professional (OSCP), and GIAC Penetration Tester (GPEN). His blog is www.averagesecurityguy.info. Follow him on Twitter @averagesecguy.