Thursday May 23

Archive for the ‘Industry Insider’ Category

« Older Entries
Jun
11/12
Is LinkedIn lying about their new password salting?
Last Updated on Monday, 11 June 2012 04:17
Written by jj
Monday, June 11th, 2012

Wow, we’re a skeptical and paranoid bunch, aren’t we? I can’t blame the numerous security professionals that are making claims that LinkedIn is likely lying about their new password salting for added security. If you’re not a cryptography junkie, it may not make sense. I’ve been running things by several cryptography specialists and our security research friends as a sanity check too, but some of these claims are getting out of hand.

Is LinkedIn lying about implemented salts to secure user passwords? (more…)

Tags: , , ,   |  Posted under Crypto, Industry Insider  |  Comments  2 Comments
Jun
11/12
How to crack your own LinkedIn password hash
Last Updated on Monday, 11 June 2012 04:19
Written by jj
Monday, June 11th, 2012

Several people have asked what it means to crack a password hash, and others have asked for an even simpler explanation of what a hash is.

In brief, a hash is a one-way cryptographic function. In security circles, it’s not really considered to be encryption, in the technical sense, but it is a function of cryptography. When we hash something, we take a value, it can be any length of letters, numbers, text and we perform a function on it that spits out a fixed-length value. With the LinkedIn passwords, they use a hash algorithm called SHA-1. SHA-1 always gives us an output of exactly 160 bits. You’ll see a specific example set below. (more…)

Tags: , ,   |  Posted under Crypto, Industry Insider  |  Comments  1 Comment
Jun
10/12
Three reasons you care about the LinkedIn breach
Last Updated on Monday, 11 June 2012 01:35
Written by jj
Sunday, June 10th, 2012

I’ve been reading the flurry of posts, blogs, tweets and offhanded comments regarding LinkedIn’s recent data breach. I’m calling it a data breach here, not a password hash breach, because at this point, I don’t think anyone knows the extent of damage, or the full breadth of what data may have been taken.

Overheard in conversations, both in person and online, are comments “I don’t care about LinkedIn, I don’t need to change my password” and “they’re just hashes, only a few passwords were posted.” To those of you with this attitude, I think you’re missing the bigger picture. (more…)

Tags: , , , ,   |  Posted under Crypto, Industry Insider  |  Comments  No Comments
Jun
10/12
LinkedIn: Don’t just change your password, do this
Last Updated on Monday, 11 June 2012 01:36
Written by jj
Sunday, June 10th, 2012

Don’t just change your password, do this

I disagree with a lot of the sites that have made the simple recommendation to change your LinkedIn password. LinkedIn added the recommendations that users change passwords at other sites, change passwords often, and use greater complexity (more combinations of numbers, letters, characters and capitals). I’m going to go one step further and be very specific in my recommendations. (more…)

Tags: , , , , ,   |  Posted under Crypto, Industry Insider  |  Comments  No Comments
Jun
10/12
Correcting colleagues on LinkedIn salting and hashing details
Last Updated on Monday, 11 June 2012 04:24
Written by jj
Sunday, June 10th, 2012

I’d like to note there are some articles out there with misinformation as to the salting and hashing methods and abilities of LinkedIn to retroactively fix the issue of unsalted passwords.

In one particular article at Computer World  a reference was cited as saying LinkedIn could not have implemented the salting feature with the already-created database of hashes, and that salting could only be implemented with the original password, when a user created or changed a password. (more…)

Tags: , , , ,   |  Posted under Crypto, Industry Insider  |  Comments  3 Comments
« Older Entries

More Content

Find more of my content at
- Low Tech Hacking book
- Dark Reading
- Network Computing
- IANS
- SearchSecurity
- TechTarget

Get Social

RSSFacebookLinkedinYoutube

Topics