I’d like to note there are some articles out there with misinformation as to the salting and hashing methods and abilities of LinkedIn to retroactively fix the issue of unsalted passwords.
In one particular article at Computer World a reference was cited as saying LinkedIn could not have implemented the salting feature with the already-created database of hashes, and that salting could only be implemented with the original password, when a user created or changed a password.
This is not accurate: LinkedIn can (and I’m sure has) apply a second iteration of the hash algorithm with the newly-added salt, taking the existing unsalted hash as input rather than the original password. Cryptography professionals and security researchers alike will agree this is acceptable, and actually more secure than simply salting the original password. In this particular case, I’m sure the iteration was added as a necessity (since they don’t have the original passwords) and not out of an added security consideration.
Soon, I’ll provide more on what salting and hashing is, but for now I wanted to make sure and set this straight. What LinkedIn has claimed it did is reasonable, possible and what we’d expect them to do.
Update: More on salting and hashing basics, with an example and steps to crack your own password now at “How to crack your own LinkedIn password hash.”
# # #
Oops, that link should have been http://krebsonsecurity.com/2012/06/how-companies-can-beef-up-password-security/
While I agree that LinkedIn could have taken the existing SHA-1 hashes as input for their new salted password scheme, I do not think “cryptography professionals and security researchers alike will agree this is acceptable, and actually more secure”. LinkedIn had better implement a password hashing function like PBKDF2 instead of just adding salt.
See http://krebsonsecurity.com/2011/08/beware-of-juice-jacking/ for more details.
Richie,
Salting the passwords (or in this case, the hashes of passwords) isn’t more secure than other cryptographic password functions Thomas recommends. What I maybe should have said more clearly is that salting and re-hashing the original hash is more secure than just the hash, and even than just the hash of the original password salted.
-jj
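The two upgrade paths discussed in the post and in Richie’s comment, worked through as an added example (not code from the post, LinkedIn or any commenter): an existing unsalted SHA-1 digest is wrapped in place, either with a second salted SHA-1 iteration or with PBKDF2 over the legacy digest, and a login check recomputes the same chain from the typed password. The salt-then-digest concatenation order, the 16-byte salt and the PBKDF2 iteration count are assumptions; the sample row is constructed.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample: one unsalted SHA-1 row of the kind the leaked table held (hex digest).
LEGACY_ROW = hashlib.sha1(b"correct horse").hexdigest()

def legacy_sha1(password: str) -> bytes:
    """Unsalted SHA-1 of the password, the scheme the leaked table used."""
    return hashlib.sha1(password.encode("utf-8")).digest()

def wrap_with_salt(legacy_digest: bytes, salt: bytes) -> bytes:
    """Second iteration: SHA-1 over salt || existing digest (order is an assumption).
    Needs only the stored digest, not the plaintext password."""
    return hashlib.sha1(salt + legacy_digest).digest()

def wrap_with_pbkdf2(legacy_digest: bytes, salt: bytes, iterations: int = 100_000) -> bytes:
    """Stronger upgrade suggested in the comments: feed the legacy digest to PBKDF2-HMAC-SHA256
    as the 'password' input, so guessing is slowed by the iteration count."""
    return hashlib.pbkdf2_hmac("sha256", legacy_digest, salt, iterations)

def migrate_row(legacy_hex: str, scheme: str = "pbkdf2", salt: Optional[bytes] = None) -> dict:
    """Upgrade one stored unsalted hex digest in place, without the user's password."""
    salt = salt if salt is not None else os.urandom(16)  # assumed per-user 16-byte salt
    digest = bytes.fromhex(legacy_hex)
    if scheme == "pbkdf2":
        stored = wrap_with_pbkdf2(digest, salt)
    elif scheme == "sha1":
        stored = wrap_with_salt(digest, salt)
    else:
        raise ValueError("unknown scheme: %s" % scheme)
    return {"scheme": scheme, "salt": salt, "hash": stored}

def verify(password: str, record: dict) -> bool:
    """Login check: recompute the legacy SHA-1, then apply the same wrapping as the record."""
    inner = legacy_sha1(password)
    if record["scheme"] == "pbkdf2":
        candidate = wrap_with_pbkdf2(inner, record["salt"])
    else:
        candidate = wrap_with_salt(inner, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])  # constant-time comparison

if __name__ == "__main__":
    rec = migrate_row(LEGACY_ROW)
    print(verify("correct horse", rec), verify("wrong guess", rec))
```

Because the legacy digest stays inside the new chain, an attacker who already cracked a leaked unsalted row still has to recompute the outer step per salt, but the inner unsalted SHA-1 remains a single cheap operation, which is why the PBKDF2 path is the one to prefer.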