What do LinkedIn, eHarmony and Yahoo all have in common? Other than the fact that all three are popular web sites with millions of users, they also share the ignominious distinction of having recent security breaches where massive numbers of passwords have been compromised.
As I wrote here recently, LinkedIn, a professional networking site, had an exposure of about 6 million passwords. The good news was that the passwords were hashed, which means they were obscured using a special one-way technique which can’t be easily reversed/decrypted, if done correctly. The problem is that the hashes weren’t salted, which makes them less delicious — I mean, less secure.
Salting involves adding a random value to each password before it is hashed, so that the resulting hash is unpredictable even when two users pick the same password. This makes life harder for crackers (no, not the edible kind but the ones who break encryption schemes), who then must try far more combinations in a brute force attack in order to find what they are looking for.
So, all that stuff you’ve been hearing about cutting back on salt may or may not be great advice from a medical standpoint (that’s a debate for another blog) but scrimping on the salt when it comes to password hashing is definitely bad for your online identity’s health.
Then along comes eHarmony, which not only skipped the salt but also chose a relatively weak hashing algorithm (MD5) and, if that weren’t enough, converted all passwords to upper case before processing them, thereby shrinking the number of candidates a brute force attack has to try and reducing its duration dramatically.
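To make the three mistakes above concrete, here is a small added example (my own illustration, not code from the post or from any of the sites it names). The user names and passwords are constructed, and PBKDF2-HMAC-SHA256 is my choice of a salted, deliberately slow hash; the post itself names no particular salted scheme. It shows that unsalted MD5 gives every user with the same password the same hash, that upper-casing collapses even more distinct passwords onto one hash and shrinks the keyspace, and that per-user salting keeps identical passwords apart while still allowing verification.

```python
import hashlib
import hmac
import os

# Constructed sample accounts (not from any real breach). Two users chose the
# same password; a third differs only in case.
SAMPLE_USERS = {
    "alice": "Sunshine42",
    "bob": "Sunshine42",
    "carol": "sunshine42",
}

PBKDF2_ROUNDS = 200_000  # assumed work factor for the salted scheme


def unsalted_md5(password: str, uppercase: bool = False) -> str:
    """The weak scheme the post describes: plain MD5, no salt, optionally
    folding the password to upper case first."""
    if uppercase:
        password = password.upper()
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def distinct_unsalted_hashes(users: dict, uppercase: bool = False) -> int:
    """How many different hashes a dump of these users would contain.
    Fewer distinct hashes means one cracked hash unlocks several accounts."""
    return len({unsalted_md5(pw, uppercase) for pw in users.values()})


def brute_force_candidates(length: int, case_folded: bool) -> int:
    """Size of the alphanumeric keyspace an attacker must search for a
    password of the given length: 62 symbols normally, 36 once upper-casing
    has thrown the letter case away."""
    alphabet = 36 if case_folded else 62
    return alphabet ** length


def make_salted_record(password: str, salt: bytes = None) -> dict:
    """Store a password the way the post recommends: a fresh random salt per
    user, hashed with a slow key-derivation function (PBKDF2 here)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS
    )
    return {"salt": salt.hex(), "hash": digest.hex(), "rounds": PBKDF2_ROUNDS}


def verify_salted(password: str, record: dict) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, record["rounds"]
    )
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


def distinct_salted_hashes(users: dict) -> int:
    """With per-user salts, identical passwords no longer share a hash."""
    return len({make_salted_record(pw)["hash"] for pw in users.values()})


if __name__ == "__main__":
    print("unsalted MD5, distinct hashes:", distinct_unsalted_hashes(SAMPLE_USERS))
    print("unsalted MD5 + upper case:    ", distinct_unsalted_hashes(SAMPLE_USERS, True))
    print("salted PBKDF2, distinct hashes:", distinct_salted_hashes(SAMPLE_USERS))
    print("8-char keyspace, mixed case:", brute_force_candidates(8, False))
    print("8-char keyspace, case folded:", brute_force_candidates(8, True))
    rec = make_salted_record(SAMPLE_USERS["alice"])
    print("alice logs in:", verify_salted("Sunshine42", rec))
    print("wrong case rejected:", verify_salted("sunshine42", rec))
```

Run as a script it prints the counts side by side; the interesting part is that the unsalted table shrinks from two hashes to one once case is folded, while the salted table has one distinct hash per user regardless of who shares a password, so a cracker has to attack each record separately.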
Not to be outdone, Yahoo Voices, which currently holds the lead in this race to the bottom, not only did away with the salt, they didn’t bother with hashing either. That’s right — the passwords were actually stored in the clear and, ultimately revealed to all.
Yahoo’s position that this really isn’t that big of a deal since most of the accounts were dormant misses the larger issue: human nature being what it is, people tend to opt for the path of least resistance and use the same password for many (if not all) of their online accounts. This means that if I know what your Yahoo, eHarmony or LinkedIn password is, I’ve got a pretty good idea what the password is to your Gmail account, your bank account and so on.
The lesson here is that everyone should be using some sort of single sign-on or password storage manager so that they can maintain a unique set of randomly chosen, hard to guess passwords for every site they visit. And if you are on the IT side of things, maintaining a store of user passwords, by all means, don’t skip the salt…