Friday Feb 23
Correcting colleagues on LinkedIn salting and hashing details
Updated on Monday, 11 June 2012 04:24

I’d like to note there are some articles out there with misinformation as to the salting and hashing methods and abilities of LinkedIn to retroactively fix the issue of unsalted passwords.

In one particular article at Computer World  a reference was cited as saying LinkedIn could not have implemented the salting feature with the already-created database of hashes, and that salting could only be implemented with the original password, when a user created or changed a password.

This is not accurate, LinkedIn can (and I’m sure they have) applied a second iteration of the hash algorithm with the newly-added salt. Cryptography professionals and security researchers alike will agree this is acceptable, and actually more secure than simply salting the original password. In this particular case, I’m sure the iteration was added as a necessity (since they don’t have the original passwords) and not out of an added security consideration.

Soon, I’ll provide more on what salting and hashing is, but for now I wanted to make sure and set this straight. What LinkedIn has claimed it did is reasonable, possible and what we’d expect them to do.

Update: More on salting and hashing basics, with an example and steps to crack your own password now at “How to crack your own LinkedIn password hash.”

# # #