LinkedIn Passwords: Who stores passwords in the clear

I am a pretty regular LinkedIn user, so the news that some unspecified number of LinkedIn users had their passwords compromised was of some interest to me.

Here’s what a recent post on their blog says:

“We want to provide you with an update on this morning’s reports of stolen passwords. We can confirm that some of the passwords that were compromised correspond to LinkedIn accounts. We are continuing to investigate this situation and here is what we are pursuing as far as next steps for the compromised accounts….” (from LinkedIn Blog)

Not that I would be all that harmed if someone hacked my LinkedIn account, but still, it does affect me. So far I have not seen an email from LinkedIn telling me that my own account is in trouble.

But the thing that mystifies me is that they make it sound like user passwords are stored in the clear on their systems. Isn’t it elementary that one does not store passwords in clear text on any server? I won’t even give any links to back up this point, as it is practically in chapter one of any web development book.

So either LinkedIn knowingly violated a totally elementary security best practice and stores passwords in clear text. In my opinion this is very unlikely.

Or, the news reports were purposely misleading because what actually happened would give away something that they don’t want to give away.

What could that be, I wonder?

2 thoughts on “LinkedIn Passwords: Who stores passwords in the clear”

  1. The passwords were not stored in the clear. They were stored as SHA1 hashes. The problem is that they are non-iterated, unsalted SHA1 hashes. That makes it vastly easier to do dictionary and brute force attacks to match SHA1 of candidate passwords against the database of stolen hashes.

     You can go to http://www.LeakedIn.org to check whether your LinkedIn password was leaked, or whether it has been both leaked and cracked. My password was both leaked and cracked. It was 12 characters, mixed case plus digits and a special character, no actual words, no number-for-letter substitutions. This would be considered quite strong by most standards, but not if the site doesn't bother to take the proper steps — known for decades — to make dictionary and brute force attacks more difficult.

     I was a very early adopter of LinkedIn — within the first 5000 users. I feel like they just let me down.

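The first comment's point, that an unsalted, non-iterated SHA1 hash is only a thin disguise for the password, is easy to see with numbers. The script below is an added example and is not code from the original post or from either commenter. It builds a constructed "leak" of SHA1 hashes for a handful of made-up passwords (not real LinkedIn data), runs the same small wordlist against them, and then repeats the attack against records stored with a per-user random salt and an iterated hash (PBKDF2 over SHA1, the `hashlib.pbkdf2_hmac` standard-library call). The `is_leaked` check is my assumption of the kind of local lookup a leak-checking site such as LeakedIn performs; the page does not describe how that site actually worked.

```python
import hashlib
import hmac
import os

# Constructed sample leak: hex SHA-1 of each password, no salt, no iteration,
# which is how comment 1 describes the LinkedIn dump. The passwords are made up.
SAMPLE_PASSWORDS = ["password123", "linkedin", "Tr0ub4dor&3", "correct horse"]
LEAKED_SHA1 = {hashlib.sha1(p.encode()).hexdigest() for p in SAMPLE_PASSWORDS}

# Constructed attacker wordlist (tiny; a real one has millions of entries).
WORDLIST = ["123456", "password", "password123", "linkedin", "qwerty", "letmein"]


def sha1_unsalted(password: str) -> str:
    """The weak scheme: one deterministic hash per password, shared by all users."""
    return hashlib.sha1(password.encode()).hexdigest()


def is_leaked(password: str, leaked: set[str]) -> bool:
    """Assumed LeakedIn-style check: hash locally, then look the hash up."""
    return sha1_unsalted(password) in leaked


def crack_unsalted(leaked: set[str], wordlist) -> tuple[dict[str, str], int]:
    """Dictionary attack on unsalted hashes.

    Each candidate word is hashed exactly once and compared against the whole
    leak, so the work is len(wordlist) hashes no matter how many users there are.
    Returns (cracked hash -> password, number of hash computations).
    """
    cracked, work = {}, 0
    for word in wordlist:
        work += 1
        h = sha1_unsalted(word)
        if h in leaked:
            cracked[h] = word
    return cracked, work


# The remedy the comment alludes to: per-user salt plus an iterated hash.
# 20_000 iterations is used here to keep the demo fast; pick a cost that makes
# one verification take tens of milliseconds on your own hardware.
ITERATIONS = 20_000


def make_record(password: str) -> tuple[bytes, bytes]:
    """Store (salt, derived_key) instead of a bare hash."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, ITERATIONS)
    return salt, dk


def verify_record(password: str, salt: bytes, dk: bytes) -> bool:
    cand = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(cand, dk)  # constant-time comparison


def crack_salted(records, wordlist) -> tuple[list[str], int]:
    """Same dictionary attack against salted, iterated records.

    The salt forces a fresh PBKDF2 run per (user, word) pair and every run costs
    ITERATIONS hashes, so precomputed tables are useless and the work scales with
    the number of users. Returns (passwords recovered, PBKDF2 runs performed).
    """
    recovered, work = [], 0
    for salt, dk in records:
        for word in wordlist:
            work += 1
            if verify_record(word, salt, dk):
                recovered.append(word)
                break  # this user is done; move on to the next
    return recovered, work


if __name__ == "__main__":
    cracked, work = crack_unsalted(LEAKED_SHA1, WORDLIST)
    print(f"unsalted: {len(cracked)} of {len(LEAKED_SHA1)} cracked in {work} hashes")
    records = [make_record(p) for p in SAMPLE_PASSWORDS]
    found, runs = crack_salted(records, WORDLIST)
    print(f"salted+iterated: {len(found)} cracked in {runs} PBKDF2 runs "
          f"(~{runs * ITERATIONS:,} SHA-1 computations)")
```

Note that the salted scheme still gives up the two dictionary words; salting and iteration make the attack cost grow with the user count and the iteration count, they do not rescue a weak password. What they do protect is exactly the commenter's case: a 12-character random password is out of reach when every guess costs tens of thousands of hashes per user, and trivially found when the whole leak can be matched against one precomputed SHA1 per candidate.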

  2. Thanks, that makes more sense. And so the question arises: who built http://www.leakedin.org and are they just a way to steal even more passwords? (Of course I couldn't resist typing my own password, which indeed was leaked but not yet cracked. I have changed it of course 🙂)

