LinkedIn Passwords: Who stores passwords in the clear

I am a pretty regular LinkedIn user, so the news that some unspecified number of LinkedIn users had their passwords compromised was of some interest to me.

Here’s what a recent post on their blog says:

“We want to provide you with an update on this morning’s reports of stolen passwords. We can confirm that some of the passwords that were compromised correspond to LinkedIn accounts. We are continuing to investigate this situation and here is what we are pursuing as far as next steps for the compromised accounts….” (from LinkedIn Blog)

Not that I would be all that harmed if someone hacks my LinkedIn account, but still, it does affect me. So far I have not seen an email from LinkedIn telling me that my own account is in trouble.

But, the thing that mystifies me is that they make it sound like user passwords are stored in the clear on their systems. Isn’t it elementary that one does not store passwords in clear text on any server? I won’t even give any links to back up this point as it is practically in Chapter one of any web development book.

So, either LinkedIn knowingly violated a totally elementary security best practice and stores passwords in clear text. In my opinion this is very unlikely.

Or, the news reports were purposely misleading because what actually happened would give away something that they don’t want to give away.

What could that be, I wonder?

Facebook and Twitter Hacking

I guess it’s not surprising that people’s Facebook and Twitter accounts are getting compromised. From the New York Times:

“Malicious programs are rampaging through Web sites like Facebook and Twitter, spreading themselves by taking over people’s accounts and sending out messages to all of their friends and followers. The result is that people are inadvertently telling their co-workers and loved ones how to raise their I.Q.’s or make money instantly, or urging them to watch an awesome new video in which they star.” (from From Viral Crooks, Social Networks are Prime Targets)

I just changed my three Twitter accounts and Facebook accounts to use a “very hard” password. I suggest you consider doing it too 🙂