LinkedIn Password Leak: Salt Their Hide – ACM Queue

Just how do salting and hashing of passwords help us? Poul-Henning Kamp, author of the widely used md5crypt password hashing scheme (and long-time FreeBSD developer), weighs in on the LinkedIn leak, in plain English for the rest of us.

It’s important to note his point that the 6.5M leaked hashes most likely represent only unique passwords, not total accounts, so the number of affected users is probably far higher (not to mention the probability that the attackers responsible also hold unpublished email addresses, contact lists and more). LinkedIn’s response has been lukewarm at best and reserved at worst, so it might be a while before the full extent is revealed.

“On a system with many users, the chances that some of them have chosen the same password are pretty good. Humans are notoriously lousy at selecting good passwords. For the evil attacker, that means all users who have the same hashed password in the database have chosen the same password, so it is probably not a very good one, and the attacker can target that with a brute force attempt”.

“This became a problem and was solved in the 1980s: To fix the problem, we have to make sure that users do not have the same hash-value stored, even if they have the same password.”
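To make both of Kamp's points concrete (shared hashes mark the weak passwords, and a per-user salt removes that tell), here is an added worked example; it is not code from the ACM Queue article or from LinkedIn. It stores a constructed set of users once with unsalted SHA-1 (the kind of hash in the LinkedIn dump) and once with a random 16-byte salt plus PBKDF2-HMAC-SHA256, then runs the same constructed wordlist against both. The user names, passwords, wordlist and iteration count are all assumptions chosen for illustration.

```python
import hashlib
import os
from collections import defaultdict

# Constructed sample data (not from the leak): several users share "123456".
USERS = {
    "alice": "123456",
    "bob": "correct horse battery staple",
    "carol": "123456",
    "dave": "password",
    "erin": "123456",
}

# Constructed attacker wordlist, in the order the attacker tries it.
WORDLIST = ["password", "123456", "qwerty", "letmein"]

# Assumed work factor; in production tune it so one hash costs tens of milliseconds.
PBKDF2_ITERATIONS = 100_000


def unsalted_sha1(password: str) -> str:
    """Unsalted SHA-1: the same password always yields the same stored value."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Per-user random salt plus key stretching (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def store_unsalted(users: dict) -> dict:
    """An unsalted database: user -> hash."""
    return {user: unsalted_sha1(pw) for user, pw in users.items()}


def store_salted(users: dict) -> dict:
    """A salted database: user -> (salt, hash). The salt is stored in the clear."""
    db = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        db[user] = (salt, salted_hash(pw, salt))
    return db


def shared_hashes(db: dict) -> dict:
    """Group users by stored hash; any group larger than one is a cheap target."""
    groups = defaultdict(list)
    for user, entry in db.items():
        h = entry[1] if isinstance(entry, tuple) else entry
        groups[h].append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


def crack_unsalted(db: dict, wordlist: list) -> tuple:
    """Hash the wordlist once, then look every user up. Cost = len(wordlist)."""
    table = {unsalted_sha1(w): w for w in wordlist}
    cracked = {user: table[h] for user, h in db.items() if h in table}
    return cracked, len(wordlist)


def crack_salted(db: dict, wordlist: list) -> tuple:
    """Every guess must be recomputed with each user's salt. Cost = users x words."""
    cracked = {}
    hashes_computed = 0
    for user, (salt, h) in db.items():
        for w in wordlist:
            hashes_computed += 1
            if salted_hash(w, salt) == h:
                cracked[user] = w
    return cracked, hashes_computed


if __name__ == "__main__":
    unsalted = store_unsalted(USERS)
    print("shared unsalted hashes:", shared_hashes(unsalted))
    print("unsalted crack:", crack_unsalted(unsalted, WORDLIST))
    salted = store_salted(USERS)
    print("shared salted hashes:", shared_hashes(salted))
    print("salted crack:", crack_salted(salted, WORDLIST))
```

Against the unsalted table the attacker sees at a glance that three accounts share one hash, and four SHA-1 computations crack all four weak accounts because one precomputed table serves every user. Against the salted table no two stored values match, so the shared-password tell is gone, and each guess has to be recomputed per user, which is the point Kamp is making. Salting alone does not make any single guess more expensive; that is what the iteration count (stretching) adds, and it is why a salted fast hash such as plain SHA-1 would still be weak.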
