June 2016: The LinkedIn Hack

LinkedIn reported a breach of 6.5 million of its accounts in 2012. However, in May 2016, 117 million LinkedIn accounts were put up for sale on a hacker site. These accounts were reportedly from the 2012 breach. In 2012, LinkedIn reported adding "enhanced protection" to its passwords. This protection was likely the addition of a salt to its hashed passwords. This raises two questions: what are salting and hashing, and how are passwords securely stored?

To understand how so many of LinkedIn's passwords were compromised, we first need to understand how passwords are created and stored. When a user creates a password on their account, they first enter that password in plain text. This could be, for example, "1234". When the user submits this password, it is hashed and then stored in a database. Hashing pushes the plain text password through an algorithm that translates it into a series of letters and numbers. There are several different algorithms used for hashing. One is Secure Hash Algorithm 1 (SHA1), which is the algorithm LinkedIn was reportedly using at the time of the 2012 breach. Using the SHA1 algorithm, our example password "1234" would be stored in the database as "7110eda4d09e062aa5e4a390b0a572ac0d2c0220".

To comply with current industry standards, the plain text password must never be stored. Only the hashed value should be stored for the user. When the user logs in after their password is created, the website hashes the password entered and compares it to the hashed value stored for the user. If the hashes match, then the correct password has been entered and the user should be allowed to log in. The problem with this method is that the same plain text password always creates the same password hash. This means that dictionaries can be created that translate between plain text password strings and hashes. If a hacker has your password's hash from LinkedIn and can compare that hash to a dictionary, they would immediately know your plain text password.

To fix this problem, it is now best practice to add a random salt, a random string of characters, to the plain text password before it is hashed. If done properly, this method ensures that even if two users use the password "1234," the hashes for their passwords will be different. This renders password-to-hash dictionaries useless.
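
The difference between the two storage schemes described above, as an added example that is not part of the original post: an unsalted SHA1 hash is found in a precomputed dictionary, while a per-user random salt makes the same password hash differently for each user. The word list and iteration count are constructed for illustration, and the salted path uses PBKDF2-HMAC-SHA256 from Python's standard library instead of a single SHA1 pass, which is a choice made for this example rather than something the post specifies.

```python
import hashlib
import hmac
import os

# Constructed sample data for this example only.
COMMON_PASSWORDS = ["password", "1234", "linkedin", "letmein"]
PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune for your hardware


def sha1_unsalted(password: str) -> str:
    """The storage scheme the post describes: one plain SHA1 pass, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def build_dictionary(words):
    """Precompute hash -> plain text once; it applies to every unsalted hash."""
    return {sha1_unsalted(w): w for w in words}


def store_salted(password: str) -> tuple[bytes, bytes]:
    """Return (salt, digest). The salt is random per user and stored with the digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_salted(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    lookup = build_dictionary(COMMON_PASSWORDS)
    leaked = sha1_unsalted("1234")  # every user with "1234" shares this value
    print("unsalted:", leaked, "->", lookup.get(leaked))

    salt_a, hash_a = store_salted("1234")
    salt_b, hash_b = store_salted("1234")
    print("salted hashes differ:", hash_a != hash_b)
    print("found in dictionary:", hash_a.hex() in lookup)
    print("login ok:", verify_salted("1234", salt_a, hash_a))
```

The salt is not a secret; it is stored next to the digest so the login check can recompute the same value.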

For more details about secure password storage, please see the full Inspired eLearning Post.