Wow, we’re a skeptical and paranoid bunch, aren’t we? I can’t blame the numerous security professionals that are making claims that LinkedIn is likely lying about their new password salting for added security. If you’re not a cryptography junkie, it may not make sense. I’ve been running things by several cryptography specialists and our security research friends as a sanity check too, but some of these claims are getting out of hand.

Is LinkedIn lying about implemented salts to secure user passwords?

Probably not. As I noted in this post, correcting some of my colleagues, what LinkedIn claims they have done is possible, reasonable and the most secure and simple recourse to retroactively apply the added security of salting to already-stored passwords. I intend to write a short piece on salting and hashing, but haven’t gotten around to it. If there’s an explanation (with graphics) you’ve read and liked, feel free to link it here in the comments.

Here’s the argument from some skeptical friends, “You have to add the salt with the original password, so either LinkedIn is lying, or they are storing the original password in plaintext (a big no-no).”

Here’s my response, and why that’s not correct. Normally, yes, the salt would be combined with the original password to produce a salted hash output. However, there are more ways to skin a crypto cat, and LinkedIn has probably done something slightly different.

So, what is LinkedIn doing? I, and my fellow security professionals, feel pretty sure they’ve taken the original password hashes, added the salt to that, and re-hashed with SHA-1.

For an example of what this looks like, and a simple demo of how easy or hard they are to crack, see my post on How to crack your LinkedIn password hash.

I don’t work at LinkedIn, and I don’t consult for them, so this post is a bit of technical speculation based on a little common sense. Read this and think it through before you accuse LinkedIn of lying, or assume they’re not doing whatever’s in their power to add security. If you’re still skeptical, feel free to share your questions or stories here. I invite all my colleagues to respond in kind and provide additional info too.

# # #

jj

Author, speaker, and recognized authority on network and wireless security architectures, Jennifer (JJ) Minella helps organizations solve technical problems and align teams.
