Today 6.5 million hashed passwords were posted on a Russian hacker site. It is unclear whether the user names were compromised as well. But what was revealed is that LinkedIn keeps your password unsalted, hashed with SHA-1. Some explanation is needed first to understand why this is relevant.

Companies need to validate passwords. Storing or transmitting passwords in the clear is not an option, as a breach of the network connection or of the database would give immediate access to customers' accounts. Instead, the password is digested before being transmitted and stored. Digesting a password consists of applying a one-way function to it (a one-way function is a function that is easy to compute, but computationally hard to reverse). The company can then easily check the digested password against its database without exposing the original password.

Password digestion assumes that the one-way function is hard to reverse. Hashing is the most common method used here, because it is fast to compute and can be made hard to reverse. SHA-1 and SHA-2 are hash functions widely used for that purpose. However, security flaws were identified in SHA-1 in 2005, and it is common practice to use SHA-2 instead.

Even if a one-way function is used, hackers can determine the original password behind a digested password with a dictionary attack. The attacker pre-computes the digest of each word in a predefined list (e.g., a dictionary) and checks whether any digest matches the stolen digested password. These pre-computed digested dictionaries are available from many hacker sites.

To avoid dictionary attacks, you can force users to pick a password that is unlikely to appear in a digested dictionary, for example a password that mixes lower and upper case, numbers, and special characters. Or you can salt the password before digestion. Salting a password consists of adding a random string to the password, which makes the digested dictionary ineffective: there are just too many salts to consider.
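The difference between the two storage schemes can be checked directly. The following Python sketch is an added example, not code from LinkedIn or from the original post; the account names, wordlist, 16-byte salt length and the choice of SHA-256 as the SHA-2 variant are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: a tiny wordlist and three accounts (two share a password).
WORDLIST = ["password", "linkedin", "123456", "letmein"]
USERS = {"alice": "linkedin", "bob": "linkedin", "carol": "Tr0ub4dor&3"}

def unsalted_sha1(password):
    """Unsalted SHA-1 digest, the scheme the post says the leak revealed."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def salted_sha256(password, salt=None):
    """Return (salt, digest). A fresh random 16-byte salt is drawn per account."""
    if salt is None:
        salt = os.urandom(16)
    return salt, hashlib.sha256(salt + password.encode("utf-8")).hexdigest()

def verify(password, salt, stored_digest):
    """Login check: recompute with the stored salt, compare in constant time."""
    _, candidate = salted_sha256(password, salt)
    return hmac.compare_digest(candidate, stored_digest)

def table_hits(stored_digests, hash_fn):
    """Accounts whose stored digest appears in a table pre-computed from WORDLIST."""
    table = {hash_fn(word): word for word in WORDLIST}
    return {user: table[d] for user, d in stored_digests.items() if d in table}

def compare_schemes():
    """Store the same accounts under both schemes and audit each against the table."""
    unsalted = {u: unsalted_sha1(p) for u, p in USERS.items()}
    salted = {u: salted_sha256(p) for u, p in USERS.items()}  # user -> (salt, digest)
    return {
        "unsalted_hits": table_hits(unsalted, unsalted_sha1),
        "salted_hits": table_hits(
            {u: d for u, (_, d) in salted.items()},
            lambda w: hashlib.sha256(w.encode("utf-8")).hexdigest()),
        "unsalted_alice_eq_bob": unsalted["alice"] == unsalted["bob"],
        "salted_alice_eq_bob": salted["alice"][1] == salted["bob"][1],
        "alice_login_ok": verify("linkedin", *salted["alice"]),
        "alice_wrong_pw": verify("letmein", *salted["alice"]),
    }

if __name__ == "__main__":
    for key, value in compare_schemes().items():
        print(key, "=", value)
```

With unsalted digests, one pre-computed table matches every account that uses a listed word, and accounts sharing a password share a digest; with per-account salts, neither holds, while the legitimate login check still succeeds.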

Back to LinkedIn now. LinkedIn was officially launched in May 2003, so using SHA-1 at the time was not unreasonable. But not using salt was asking for trouble. Nobody today in 2012 should use anything less than salted passwords hashed with SHA-2.

Bottom line: change your LinkedIn password now. And use a strong password, so that you are immune to dictionary attacks.
