What went wrong?
The affected companies have not provided information about how their users' passwords got in the hands of malicious hackers. Only LinkedIn has so far provided any details on the method it used for protecting the passwords. LinkedIn says the passwords on its site were obscured using the SHA-1 hashing algorithm.
If the passwords were hashed, why aren't they secure?
Security experts say LinkedIn's password hashes should have also been "salted," using terminology that sounds more like we're talking about Southern cooking than cryptographic techniques. Hashed passwords that aren't salted can still be cracked using automated brute force tools that convert plain-text passwords into hashes and then check whether each hash appears anywhere in the password file. So, for common passwords, such as "12345" or "password," the hacker needs only to crack the code once to unlock every account that uses that same password. Salting adds another layer of protection by appending a string of random characters to each password before it is hashed, so that each one has a unique hash. This means that a hacker would have to crack every user's password individually, even if there are a lot of duplicate passwords, which increases the time and effort needed to crack them.
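To make the difference concrete, here is an added example (not code from LinkedIn or from the article) that stores a few constructed sample accounts under the unsalted SHA-1 scheme described above and under a salted scheme, and measures how many accounts a single cracked hash would expose in each case. The hardened variant also swaps single-pass SHA-1 for an iterated hash (PBKDF2-HMAC-SHA256); that choice is the example's, not something the article specifies.

```python
import hashlib
import hmac
import os
from collections import Counter
from typing import Optional, Tuple

# Constructed sample accounts; passwords chosen only to show duplicates.
SAMPLE_USERS = {
    "alice": "password",
    "bob": "password",
    "carol": "12345",
    "dave": "correct horse battery",
}

def hash_unsalted(password: str) -> str:
    """Weak scheme: bare SHA-1 with no salt.
    Identical passwords always yield identical stored hashes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def hash_salted(password: str, salt: Optional[bytes] = None) -> Tuple[str, str]:
    """Hardened scheme: a random 16-byte per-user salt plus an iterated
    hash (PBKDF2-HMAC-SHA256). Returns (salt_hex, hash_hex) so the salt
    is stored next to the hash; it does not need to be secret."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt.hex(), digest.hex()

def verify_salted(password: str, salt_hex: str, hash_hex: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_salted(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, hash_hex)

def largest_hash_cluster(users: dict) -> int:
    """Accounts exposed by cracking one hash under the unsalted scheme:
    the size of the largest group of identical stored hashes."""
    counts = Counter(hash_unsalted(pw) for pw in users.values())
    return max(counts.values())

def largest_salted_cluster(users: dict) -> int:
    """Same measurement with per-user salts: every stored hash is unique,
    so each account has to be attacked on its own."""
    counts = Counter(hash_salted(pw)[1] for pw in users.values())
    return max(counts.values())
```

With the sample data, the unsalted table lets one cracked hash open two accounts, while the salted table never groups more than one account per hash.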
The LinkedIn passwords had been hashed, but not salted, the company says. Because of the password leak, the company is now salting all the information in the database that stores passwords, according to a LinkedIn blog post from this afternoon that also says it has warned more users and contacted police about the breach. Last.fm and eHarmony, meanwhile, have not disclosed whether they hashed or salted the passwords used on their sites.
For the full story, see: