Earlier today, numerous reports hit blogs and news sites that a large file of hashed passwords from LinkedIn had been released on the web. A Russian blog became the recipient of 6,458,020 hashed passwords from the social networking site LinkedIn, posted together with a user's boast about whoever breached the site and released them. As of this posting, LinkedIn is still investigating whether the claim is genuine and whether the passwords are real.
However, the clarion reply from security experts across the web is that people should change their passwords immediately.
If you have a LinkedIn account and haven’t changed your password yet, Graham Cluley of the Sophos blog Naked Security has a post for you on how to do it.
“Investigations by Sophos researchers have confirmed that the file does contain, at least in part, LinkedIn passwords,” writes Cluley. “If you were using the same passwords on other websites – make sure to change them too. And never again use the same password on multiple websites.”
I couldn’t agree more. At this point, the basic refrain about security sanity is that people should never use the same password across multiple sites.
The passwords released on the Russian blog do appear to have been hashed rather than stored in the clear, and the sites reporting the leak describe what was released as “hashes.” Many people may not know what a hash is or how the industry uses it to protect passwords. Looking at these hashes and explaining what they are, however, gives an idea of why encryption itself is not a panacea against hacking: it is one defensive tool among others, and it has to be used alongside those tools, and used correctly, to be effective.
What is a password hash?
Hashing passwords is a first-line defense for secrets, primarily passwords stored in databases, that many software engineers use to obfuscate data that would otherwise sit in plain sight. It is a quick, one-way transformation that protects those secrets from otherwise honest system administrators (who can see the database), but on its own it is not a very strong obstacle to a determined attacker.
A basic SHA-1 hash (SHA-1 is the hash algorithm used to generate the “hash”) is a nearly unique number representing a particular password: when a password is run through the algorithm, it produces a number that will almost never be produced by any other password. For example, the SHA-1 hash of “password” is the hexadecimal number “5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8”. The problem inherent here is that the hash is always the same for this password, so anyone who has computed it once recognizes it wherever it appears.
As a result, most password stores also “salt” the password by attaching or mixing another string of bits into it before hashing, to make the hash harder to reverse. At its simplest, a salt is something concatenated to the beginning or end of the password (other schemes transform the password first), such as “moo+”, so that if I used “password” the hash would be computed over “moo+password”. This lengthens and complicates what is actually hashed, so hashes precomputed for common passwords no longer match. Keep in mind this is the simplest use of a salt.
The problem cited by some security experts regarding the LinkedIn hack is that the leaked passwords do not appear to have been salted.
As a result, a cracker looking at a giant file of unsalted hashes would presumably only need to know which hash algorithm produced them to quickly recover the passwords behind them.
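As an added example (not code from the article or from LinkedIn), the following Python reproduces the SHA-1 value quoted above, shows why a file of unsalted hashes exposes every account whose owner picked the same password, and shows how a per-account salt removes those shared hashes; the account names, passwords and the prepend-a-salt scheme are constructed for the demonstration.

```python
import hashlib
import os

# Constructed sample data for this example: three accounts, two of which chose
# the same password.  The hash below is the SHA-1 of "password" quoted in the
# article; a leaked file is a set of such bare hashes, without usernames.
SAMPLE_ACCOUNTS = {"alice": "password", "bob": "password", "carol": "correct horse"}
LEAKED_HASHES = {"5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8"}


def unsalted_sha1(password: str) -> str:
    """Plain SHA-1 of the password, the scheme the leaked hashes appear to use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_sha1(password: str, salt: bytes) -> str:
    """The simplest salting the article describes: prepend a per-account salt."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def hash_accounts(accounts: dict, salted: bool) -> dict:
    """Return {user: (salt, hash)}; salt is b"" when the store is unsalted."""
    store = {}
    for user, password in accounts.items():
        salt = os.urandom(16) if salted else b""
        store[user] = (salt, salted_sha1(password, salt))
    return store


def shared_hash_groups(store: dict) -> list:
    """Users whose stored hashes are identical.  Without salt, everyone who
    picked the same password shares one hash, so one value exposes them all."""
    groups = {}
    for user, (_salt, digest) in store.items():
        groups.setdefault(digest, []).append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]


def password_in_leak(password: str, leaked: set) -> bool:
    """Check one's own password against a leaked set of unsalted SHA-1 hashes,
    locally: only the hash is compared, the password never leaves the machine."""
    return unsalted_sha1(password) in leaked


if __name__ == "__main__":
    unsalted = hash_accounts(SAMPLE_ACCOUNTS, salted=False)
    salted = hash_accounts(SAMPLE_ACCOUNTS, salted=True)
    print("unsalted duplicates:", shared_hash_groups(unsalted))  # [['alice', 'bob']]
    print("salted duplicates:  ", shared_hash_groups(salted))    # []
    print("'password' in leak: ", password_in_leak("password", LEAKED_HASHES))  # True
```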
This knowledge has led security experts to urge people to change their LinkedIn password immediately. Even if usernames or other personal information are not in the file posted on the Internet, those hashes still give potential malicious actors a much better chance of guessing the password for any given account, by greatly reducing the number of guesses they need to make to hit the right answer.