The controversy over the LinkedIn security breach has everyone putting on their hindsight glasses to see what went wrong.
Last week at LinkedIn, more than 6.46 million user password hashes were stolen and posted to a forum on a Russian hacker site. Many are stunned that such a well-known and relatively long-standing social network could have suffered such a breach. However, anyone with even a basic understanding of secure web hosting saw this one coming a mile away. That LinkedIn would be attacked was inevitable: every day, sites of all sizes are targeted by attackers. What was avoidable was the damage, and there are some simple steps site owners can take to keep a breach like this from turning into a mass password leak.
Hashing and Salting
What are hashing and salting? Although it sounds like a cooking technique, it is a method of storing passwords so that the passwords themselves never sit in the database. Hashing is not encryption: a one-way hash function turns each password into a fixed-length digest (the hash value) from which the password cannot be directly recovered, and only that digest is stored. So if a site is compromised, the database exposes hashes, not the actual passwords. This alone is still not enough, because attackers can test millions of candidate passwords per second with automated tools. They hash wordlists in advance and build lookup tables (rainbow tables are the space-efficient variant) that map each hash back to the password that produced it, so cracking an unsalted hash becomes a single table lookup. That may sound like far too much data to be practical, but it is interesting to note that a recent study showed just 1,000 words make up 91% of people’s passwords, so a small table already covers most accounts.
This is where salting comes in. A salt is a random value, unique per user, that is mixed into the password before it is hashed (not tacked onto the end of the finished hash), so two users with the same password get different hashes and a table precomputed for one site is useless against another. The salt does not have to be secret and is stored next to the hash; what matters is that every salt is unique, or the process is meaningless. Salting forces the attacker to start from scratch for every account, but it does not make any single guess slower: with a fast hash such as SHA-1, the attacker can still try millions of guesses per second against each salted hash, and the common passwords fall quickly. This is why sites, especially social networks that thrive because communities of people voluntarily share personal information, must go a step further to protect users: a deliberately slow, iterated password hash (bcrypt, scrypt or PBKDF2) that raises the cost of every guess, and a password store that is kept out of reach of the public web server in the first place.
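The following is an added example, written for this article rather than taken from it or from LinkedIn, that shows the three storage schemes side by side: the unsalted SHA-1 that leaked, per-user salted SHA-1, and a salted slow hash. The five-word wordlist and the stolen hashes are constructed stand-ins for the "1,000 common words" the article mentions, and PBKDF2-HMAC-SHA256 is used here as the slow hash because it is in the Python standard library; bcrypt or scrypt would serve the same purpose. The `crack_*` functions report how many hashes the attacker has to compute, which is where the difference between the schemes becomes visible.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for the "1,000 common words" the article cites.
COMMON_PASSWORDS = ["password", "123456", "linkedin", "qwerty", "letmein"]


def unsalted_sha1(password: str) -> str:
    """Scheme 1: a plain SHA-1 digest of the password, nothing else."""
    return hashlib.sha1(password.encode()).hexdigest()


def build_lookup_table(wordlist):
    """Precomputed hash -> password table. Built once, reusable against every
    unsalted database anywhere (a rainbow table is the compact form of this)."""
    return {unsalted_sha1(w): w for w in wordlist}


def crack_unsalted(stolen_hashes, table):
    """One dictionary probe per stolen hash; no hashing is done at attack time.
    Returns (cracked {hash: password}, number of hashes computed)."""
    cracked = {h: table[h] for h in stolen_hashes if h in table}
    return cracked, 0


def salted_sha1(password: str, salt: bytes) -> str:
    """Scheme 2: the salt goes INTO the hash input, not onto the end of the output."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def make_salted_record(password: str, salt=None):
    """Store (salt, hash). The salt is not secret; it only has to be unique per user."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, salted_sha1(password, salt)


def crack_salted(records, wordlist):
    """With per-user salts no precomputed table applies: the attacker must rehash
    the whole wordlist separately for every account.
    Returns (cracked {user: password}, number of hashes computed)."""
    cracked, work = {}, 0
    for user, (salt, h) in records.items():
        for w in wordlist:
            work += 1
            if salted_sha1(w, salt) == h:
                cracked[user] = w
                break  # common passwords still fall; the salt only removes the shortcut
    return cracked, work


def hash_password(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Scheme 3: salt plus a slow iterated hash. Every guess now costs the
    attacker `iterations` HMAC-SHA256 calls, which salting alone does not give."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def verify_password(password: str, salt: bytes, stored: bytes, iterations: int = 200_000) -> bool:
    """Constant-time comparison so the check itself does not leak partial matches."""
    return hmac.compare_digest(hash_password(password, salt, iterations), stored)


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    stolen = [unsalted_sha1(p) for p in ("password", "letmein", "Tr0ub4dor&3")]
    print("unsalted:", crack_unsalted(stolen, table))

    users = [("alice", "password"), ("bob", "password"), ("carol", "Tr0ub4dor&3")]
    recs = {u: make_salted_record(p) for u, p in users}
    print("same password, different hashes:", recs["alice"][1] != recs["bob"][1])
    print("salted:", crack_salted(recs, COMMON_PASSWORDS))

    salt = os.urandom(16)
    stored = hash_password("Tr0ub4dor&3", salt)
    print("pbkdf2 verify:", verify_password("Tr0ub4dor&3", salt, stored),
          verify_password("password", salt, stored))
```

Against the unsalted store the attacker does no hashing at all during the attack, because the table was built beforehand; against the salted store the wordlist is rehashed once per account, so the work grows with the number of users but each guess is still a single fast SHA-1. Only the PBKDF2 variant changes the per-guess cost, which is the property that actually protects the weak passwords.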
Secure Dedicated Server Hosting
After the breach, LinkedIn posted a blog stating that it had improved its security by adding salting (previously it had only hashed passwords, with unsalted SHA-1). However, it said nothing about isolating these credentials on a separate dedicated server. That server should sit behind a firewall that admits only the application servers that need to verify logins, and its only purpose should be the secure storage of users’ passwords and account information, so that compromising the public web server does not also hand over the credential database.
Even though LinkedIn has improved its security, there are steps you can take to protect your own account. First, use a unique password that is not among the 1,000 words that make up 91% of people’s passwords. It should not be easy to guess and should be long, with numbers and special characters. Use a different password for every website, so that a breach at one site cannot be replayed against your other accounts. By following these tips, your account should remain safe from most brute-force attacks.
The 6.5 million released were the ones that they could not crack with existing rainbow tables. They’ve said that several times on the underground chat networks. Check any of the passwords released through tmto.org and you’ll find no matches.
Curious that none of the released passwords are in the rainbow tables. One would expect a large percentage if all 6.5 million were using ‘typical’ passwords.