Password Is Not Protection
The security wires are still buzzing about the LinkedIn compromise. Again, as I’ve stated recently, a good post-mortem takes time and it’s best to ignore all the hype and speculation until most — if not all — of the facts can be established. What is surprising is how much coverage there is about LinkedIn’s problem, as compared to the near-complete silence on Verisign’s management not being made aware of breaches dating back to 2010 that only came to light in 2012. That news is scary. This story is just irritating because of the number of opportunities LinkedIn had to perform this upgrade without having its hand forced.
All this fuss over passwords, because people have the misconception that passwords equate to security. For the record, NIST acknowledged in 2004 that SHA-1 is deprecated for various security weaknesses and will be retired as a standard by 2010. Two years after the fact, a leading technology company with over 150 million users is using this hash algorithm to store passwords. Quite the mind-boggling and mind-numbing technology sin. Password is not security; it’s not even a security blanket. It’s authentication, and hardly adequate on the modern, hostile web. LinkedIn should’ve known better.
Besides, the focus should not be on the fact that 6 million hashes are in the open — a meager 4% of the user base (although I believe the breach is likely much worse) — but on what is happening with this very large set of information. Regardless of the objectives of the initial breach, the [hacking] business intelligence that may now be derived from heuristic analysis is highly productive: it drives refinements for future brute-force attacks, reveals patterns and frequencies in how people choose passwords, and in general increases future success against the general public. Not to mention that, combined with the saltless SHA-1 blunder, it offers the chance to build rainbow tables and apply massively distributed computation. Good day for the Black Hats; bad day for the rest of us. Anyone who thinks it’s not a big deal because logins weren’t included is missing the big picture.
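To make the saltless-SHA-1 point concrete, here is an added illustration (not code from the post, and the candidate passwords are constructed, not from the leaked set): with an unsalted hash, one precomputed table of hash-to-password answers every user’s entry at once and identical passwords produce identical hashes; with a per-user random salt and a slow key-derivation function (PBKDF2-HMAC-SHA256 from the Python standard library, chosen here as the hardened alternative), the same password stored twice yields two unrelated digests and the table matches nothing, while verification still works.

```python
import hashlib
import hmac
import os

# Constructed candidate list for the demonstration only.
CANDIDATES = ["password", "linkedin", "123456", "letmein"]


def unsalted_sha1(password: str) -> str:
    """The weak scheme the post criticises: hash the password alone."""
    return hashlib.sha1(password.encode()).hexdigest()


def build_precomputed_table(candidates):
    """Built once, reusable against every account: nothing user-specific enters the hash."""
    return {unsalted_sha1(p): p for p in candidates}


def salted_kdf(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Hardened scheme: per-user random salt plus a deliberately slow KDF."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def store_salted(password: str):
    salt = os.urandom(16)          # fresh salt per stored credential
    return salt, salted_kdf(password, salt)


def verify_salted(password: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(salted_kdf(password, salt), digest)


def demo():
    table = build_precomputed_table(CANDIDATES)
    # Two users with the same password, unsalted: same hash, instant table hit.
    h1, h2 = unsalted_sha1("linkedin"), unsalted_sha1("linkedin")
    # Same password stored twice with salts: distinct digests, table is useless.
    s1, d1 = store_salted("linkedin")
    s2, d2 = store_salted("linkedin")
    return {
        "unsalted_identical": h1 == h2,
        "unsalted_table_hit": table.get(h1),
        "salted_identical": d1 == d2,
        "salted_table_hit": table.get(d1.hex()),
        "salted_verifies": verify_salted("linkedin", s1, d1) and verify_salted("linkedin", s2, d2),
        "salted_rejects_wrong": verify_salted("password", s1, d1),
    }
```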