Comment: LinkedIn and its password problems
by Jürgen Schmidt
The security concept that appears to hold sway at LinkedIn is, to put it mildly, scandalous. It requires users to adhere to impossible standards – they should choose strong passwords of at least 10 characters, which should be as random as possible, should, naturally, not be used elsewhere, and which they should on no account write down. But when it comes to the company itself, the sloppiness with which it deals with these passwords is simply breathtaking.
The result is that, following the theft of hashes from the server by unknown perpetrators, even passwords that were generally considered uncrackable, such as "386126miata" and "parikh093741239", were compromised within just a few hours. LinkedIn might just as well have stored its passwords in plain text format. The message is loud and clear: "We don't care about security – we'd rather spend our cash on television ads."
It has been common knowledge for many years that pure, unsalted hashes are easily cracked using rainbow tables or, more recently, Google cracking. Unix operating systems have therefore been adding a salt when hashing passwords for more than 10 years. The state of the art is Password-Based Key Derivation Function 2 (PBKDF2), which stores passwords in a form which is, at present, almost uncrackable. LinkedIn does not use any such technology.
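To make the contrast concrete, here is an added example (my code, not LinkedIn's or the article's) that puts the "pure hash" scheme beside salted PBKDF2 storage. The record layout, the SHA-256 choice and the iteration count are assumptions for illustration; the point is that identical passwords produce identical pure hashes, so one precomputed table cracks them for every user, whereas per-user salts and an iterated KDF remove that shortcut.

```python
import hashlib
import hmac
import secrets

# Parameters are assumptions for this example; the article names no concrete values.
KDF_HASH = "sha256"
KDF_ITERATIONS = 100_000
SALT_BYTES = 16


def unsalted_digest(password: str) -> str:
    """The 'pure hash' scheme the article criticises.

    The same password always yields the same digest, so one precomputed table
    (rainbow table or web search) cracks it for every user who chose it.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def make_record(password: str, salt=None) -> str:
    """Derive a storable record with PBKDF2 and a fresh random per-user salt.

    Record layout (assumed here): algorithm$iterations$salt_hex$key_hex, so the
    verifier can recover the parameters and the cost can be raised later.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    key = hashlib.pbkdf2_hmac(KDF_HASH, password.encode("utf-8"), salt, KDF_ITERATIONS)
    return f"pbkdf2_{KDF_HASH}${KDF_ITERATIONS}${salt.hex()}${key.hex()}"


def verify(password: str, record: str) -> bool:
    """Re-derive the key from the stored salt and iteration count; compare in constant time."""
    algorithm, iterations, salt_hex, key_hex = record.split("$")
    hash_name = algorithm.removeprefix("pbkdf2_")
    candidate = hashlib.pbkdf2_hmac(
        hash_name, password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(key_hex))


def identical_records(scheme, password: str) -> bool:
    """True if two users with the same password end up with identical stored values."""
    return scheme(password) == scheme(password)


if __name__ == "__main__":
    pw = "example-password-1"  # constructed sample, not a leaked value
    print("unsalted digests collide:", identical_records(unsalted_digest, pw))  # True
    print("PBKDF2 records collide:  ", identical_records(make_record, pw))     # False
    rec = make_record(pw)
    print("verify correct:", verify(pw, rec), "verify wrong:", verify("other", rec))
```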
Here's a thought. How about if, in the future, we were to demand that every company which admonishes us about taking security precautions, itself proves that it meets the most basic security standards? What if a social network operator, to which we are expected to confide our personal data, were to at least adhere to basic rules such as PCI DSS, as formulated by the credit card industry? Of course, I am aware that this would far from guarantee security and that nothing is ever quite so simple in practice. But in the next few years, I don't want to hear another word from a software company (yes Microsoft, MD5 has been broken for years), bank or social network operator, moaning about PEBKAC (Problem Exists Between Keyboard And Chair) or users' general lack of security awareness. Stop worrying about the mote in your brother's eye and take care of the plank in your own.