Is LinkedIn lying about their new password salting?
Updated on Monday, 11 June 2012 04:17

Wow, we’re a skeptical and paranoid bunch, aren’t we? I can’t blame the numerous security professionals who are claiming that LinkedIn is likely lying about their new password salting for added security. If you’re not a cryptography junkie, it may not make sense. I’ve been running things by several cryptography specialists and our security research friends as a sanity check too, but some of these claims are getting out of hand.

Is LinkedIn lying about implemented salts to secure user passwords?

Probably not. As I noted in this post, correcting some of my colleagues, what LinkedIn claims they have done is possible, reasonable and the most secure and simple recourse to retroactively apply the added security of salting to already-stored passwords. I intend to write a short piece on salting and hashing, but haven’t gotten around to it. If there’s an explanation (with graphics) you’ve read and liked, feel free to link it here in the comments.

Here’s the argument from some skeptical friends, “You have to add the salt with the original password, so either LinkedIn is lying, or they are storing the original password in plaintext (a big no-no).”

Here’s my response, and why that argument is not correct. Normally, yes, the salt would be combined with the original password before hashing, to produce a salted hash output. However, there are more ways to skin a crypto cat, and LinkedIn has probably done something slightly different.

So, what is LinkedIn doing? I, and my fellow security professionals, feel pretty sure they’ve taken the existing unsalted SHA-1 password hashes, added a salt to each of those hashes, and hashed the result again with SHA-1. No plaintext password is needed for that step; only the stored hash is.
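To make the retroactive scheme concrete, here is an added example of my own, not LinkedIn’s code (which is not public). It assumes a per-user random salt prepended to the hex digest of the legacy hash before the second SHA-1; the exact byte layout LinkedIn uses is not known, so that layout is an assumption. The point it demonstrates is that the upgrade function never touches a plaintext password, while login verification still works because the plaintext is available at that moment.

```python
import hashlib
import hmac
import os
from typing import Optional


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def legacy_hash(password: str) -> str:
    """Unsalted SHA-1, the form in which the leaked records were stored."""
    return sha1_hex(password.encode("utf-8"))


def upgrade_record(legacy_hex: str, salt: Optional[bytes] = None) -> dict:
    """Wrap an already-stored hash with a per-user salt.

    Input is only the stored hash, so this can be run over the whole
    database without anyone knowing the original passwords.
    Layout (assumed): SHA-1(salt || ascii(legacy_hex)).
    """
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user
    wrapped = sha1_hex(salt + legacy_hex.encode("ascii"))
    return {"salt": salt.hex(), "hash": wrapped}


def verify(password: str, record: dict) -> bool:
    """At login the plaintext is present, so recompute both layers."""
    salt = bytes.fromhex(record["salt"])
    candidate = sha1_hex(salt + legacy_hash(password).encode("ascii"))
    # constant-time compare avoids leaking how many bytes matched
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    # constructed sample: two users who happen to share a password
    stored = {user: legacy_hash("correct horse") for user in ("alice", "bob")}
    upgraded = {user: upgrade_record(h) for user, h in stored.items()}
    # identical legacy hashes, but different salted records after the upgrade
    print(stored["alice"] == stored["bob"], upgraded["alice"]["hash"] != upgraded["bob"]["hash"])
    print(verify("correct horse", upgraded["alice"]), verify("wrong", upgraded["alice"]))
```

Note that the second SHA-1 layer only stops a single precomputed table from covering every user; it does not make SHA-1 itself slow, which is the separate concern a password hash like bcrypt addresses.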

For an example of what this looks like, and a simple demo of how easy or hard they are to crack, see my post on How to crack your LinkedIn password hash.

I don’t work at LinkedIn, and I don’t consult for them, so this post is a bit of technical speculation based on a little common sense. Read this and think it through before you accuse LinkedIn of lying, or assume they’re not doing whatever’s in their power to add security. If you’re still skeptical, feel free to share your questions or stories here. I invite all my colleagues to respond in kind and provide additional info too.

# # #

  1. Adrian Lane   |  Monday, 23 July 2012 at 5:14 pm

    Thomas Ptacek did a really nice job explaining the issues, in layman’s terms, about using SHA for password hashes. Specifically check his comments on the computational complexity of SHA and the use of BCrypt:

  2. Zen Anti DDoS   |  Thursday, 07 February 2013 at 3:39 pm

    I didn’t know you could re-hash a password. Anyway, that just confirms one thing: never use the same password on multiple sites. Your passwords are never safe.
