Wednesday, June 06, 2012

Don't be reckless with other people's hearts, And don't put up with people that are reckless with yours

And that goes for passwords also.

Today, LinkedIn was the subject of a disclosure of 6.4 million password hashes, likely corresponding to at least that many LinkedIn accounts.  A file containing 6.4 million hashed passwords was released onto the Internet and most of them (not all) were quickly cracked.  The file contains no duplicate hashes, and because the hashes were unsalted every member who chose the same password (such as password, secret or, in this case, l1nked1n) produced exactly the same hash, so it's likely that many more than 6.4 million LinkedIn members are affected.

After many hours of 'we're looking into it', LinkedIn posted a somewhat detail-free blog post entitled An Update on LinkedIn Member Passwords Compromised.   It begins:
We want to provide you with an update on this morning’s reports of stolen passwords. We can confirm that some of the passwords that were compromised correspond to LinkedIn accounts. We are continuing to investigate this situation and here is what we are pursuing as far as next steps for the compromised accounts:
There's no data here on how many, just a vague 'some'.  Pity that they missed an opportunity to simply come clean.  Further on they say:
These affected members will receive a second email from our Customer Support team providing a bit more context on this situation and why they are being asked to change their passwords.
Pity again that they missed the opportunity to be open here.  Why is it that only the affected people get 'more context'?  But they continue:
It is worth noting that the affected members who update their passwords and members whose passwords have not been compromised benefit from the enhanced security we just recently put in place, which includes hashing and salting of our current password databases. 
This paragraph is extremely worrying.  Firstly, it's an admission that LinkedIn were not using anything close to best practice in storing passwords.  The leaked passwords were all hashed with plain, unsalted SHA1, an almost useless technique: SHA1 is designed to be fast, so an attacker can test billions of guesses per second on commodity GPUs against the whole dump at once, and every member who chose the same password has the same hash.  Worse, the 'enhanced solution' of 'hashing and salting' is literally 1970s technology (Unix has salted its password hashes since the late 1970s).  A salt stops one dictionary pass from cracking every account simultaneously, but it does nothing to slow down each individual guess.

Of course, they could have implemented something deliberately slow like bcrypt, PBKDF2 or scrypt, whose work factor can be raised as hardware gets faster.  And given Kerckhoffs's Principle (the security of a system should not depend on keeping its design secret) it wouldn't have hurt them to come out publicly and say precisely what they were doing.  But they didn't.

Also, there's no news on when 'recently' was.  Worst case, it was just before that blog post was written.  I hope that's not true.

And then...
We sincerely apologize for the inconvenience this has caused our members. We take the security of our members very seriously.
Inconvenience?  It's hard to take the final sentence seriously given that the storage of passwords appears to have been very, very weak.

What they should do now is simply tell the truth (the whole truth).  Admit their failings, tell us how many people were compromised, tell us how they are storing passwords now.  In security, openness breeds trust.

PS Just before LinkedIn posted their admission that passwords had been disclosed, they put up a blog post on password security which contains terrible advice such as "Substitute numbers for letters that look similar (for example, substitute "0" for "o" or "3" for "E")."   In a situation like the LinkedIn disclosure today that does absolutely nothing.  All the good password cracking software applies exactly those substitutions as mangling rules on top of its wordlist, so "p4ssw0rd" falls just as quickly as "password".
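To make concrete both the point above about unsalted SHA1, salting and slow hashes, and the point about look-alike substitutions, here is an added illustration (example code written for this post, not anything from LinkedIn or the leaked file).  It stores a constructed set of five accounts three ways, unsalted SHA1, salted SHA1 and PBKDF2-HMAC-SHA1, then cracks each with a five-word dictionary expanded by the same capitalisation and leet rules a real cracker applies, counting how many hash evaluations the attacker pays for.  The account names, passwords and wordlist are made up for the demonstration.

```python
import hashlib
import itertools
import os

# Constructed sample accounts (not real data): two share a password, one used
# a long passphrase that no dictionary will contain.
USERS = {
    "alice": "password",
    "bob": "l1nked1n",
    "carol": "S3cret",
    "dave": "correct horse battery staple",
    "eve": "password",
}

# A tiny stand-in for a cracking dictionary.
WORDLIST = ["password", "secret", "linkedin", "letmein", "monkey"]

# The look-alike substitutions LinkedIn's advice suggested; every rule-based
# cracker ships the same table.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"}


def leet_variants(word):
    """Every way of applying or not applying each LEET substitution."""
    positions = [i for i, ch in enumerate(word) if ch in LEET]
    out = set()
    for mask in itertools.product((False, True), repeat=len(positions)):
        chars = list(word)
        for pos, on in zip(positions, mask):
            if on:
                chars[pos] = LEET[chars[pos]]
        out.add("".join(chars))
    return out


def candidates(wordlist):
    """Dictionary expanded with capitalisation and leet rules."""
    out = set()
    for w in wordlist:
        out |= leet_variants(w) | leet_variants(w.capitalize())
    return out


def store_unsalted_sha1(users):
    # What the leaked LinkedIn file looked like: one SHA1 per password.
    return {u: hashlib.sha1(pw.encode()).hexdigest() for u, pw in users.items()}


def store_salted_sha1(users):
    # LinkedIn's "enhanced" scheme: a random per-account salt, still fast.
    db = {}
    for u, pw in users.items():
        salt = os.urandom(16)
        db[u] = (salt, hashlib.sha1(salt + pw.encode()).hexdigest())
    return db


def store_pbkdf2(users, iterations):
    # A deliberately slow scheme: salt plus a tunable iteration count.
    db = {}
    for u, pw in users.items():
        salt = os.urandom(16)
        db[u] = (salt, iterations,
                 hashlib.pbkdf2_hmac("sha1", pw.encode(), salt, iterations))
    return db


# Cracking each store. The second return value counts the hash evaluations
# the attacker pays for, so the three schemes can be compared.

def crack_unsalted(db, cands):
    # Hash the dictionary once, then look every account up in it: the cost
    # does not grow with the number of accounts, and accounts that chose the
    # same password share one hash.
    table = {hashlib.sha1(c.encode()).hexdigest(): c for c in cands}
    return {u: table[h] for u, h in db.items() if h in table}, len(cands)


def crack_salted(db, cands):
    # A per-account salt forces the whole dictionary to be re-hashed per account.
    found, ops = {}, 0
    for u, (salt, h) in db.items():
        for c in cands:
            ops += 1
            if hashlib.sha1(salt + c.encode()).hexdigest() == h:
                found[u] = c
                break
    return found, ops


def crack_pbkdf2(db, cands):
    # Same loop, but every guess now costs `iterations` HMAC-SHA1 calls.
    found, ops = {}, 0
    for u, (salt, iters, h) in db.items():
        for c in cands:
            ops += iters
            if hashlib.pbkdf2_hmac("sha1", c.encode(), salt, iters) == h:
                found[u] = c
                break
    return found, ops


if __name__ == "__main__":
    cands = candidates(WORDLIST)
    print(f"{len(cands)} candidates from {len(WORDLIST)} words")
    for name, db, crack in [
        ("unsalted SHA1", store_unsalted_sha1(USERS), crack_unsalted),
        ("salted SHA1", store_salted_sha1(USERS), crack_salted),
        ("PBKDF2-HMAC-SHA1 x100000", store_pbkdf2(USERS, 100_000), crack_pbkdf2),
    ]:
        found, ops = crack(db, cands)
        print(f"{name}: cracked {sorted(found)} using ~{ops} hash operations")
```

Run it and the same four accounts (alice, bob, carol and eve) fall in all three cases, because "l1nked1n" and "S3cret" are just dictionary words with rules applied; what changes is the bill.  Unsalted SHA1 is cracked with one pass over the 84 candidates no matter how many accounts are in the dump, and alice and eve collapse into a single hash (which is why 6.4 million unique hashes means more than 6.4 million members).  Salting multiplies the work by the number of accounts, and PBKDF2 multiplies it again by the iteration count, which is why the last run takes several seconds on a laptop even for five accounts.  None of the three saves a weak password on its own; only dave's passphrase survives everywhere.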

They also didn't recommend using a password manager of any type, but did recommend not writing your passwords down and using a different password on each site.  How, exactly, is someone who is not Rain Man meant to remember a different complex password for every site and, following LinkedIn's advice, change each of them every three months?

Either write your passwords down or use a password manager.

LinkedIn's entire handling of the situation makes me even happier that I don't have a LinkedIn account.

1 comment:

Will said...

Also, of course, that they know how it was compromised and that that hole is now closed, obviously!

The whole 'how' seems to be lacking.