LinkedIn bolsters security following breach

Passwords are now hashed and salted for double protection
Adam Smith

June 13, 2012

Last week, there was a major security breach at LinkedIn, with some 6.5 million passwords being compromised.

And the social network has just published a statement for the press, detailing the company’s response to the incident, and measures taken for the future security of LinkedIn users.

LinkedIn reaffirmed that the stolen passwords weren’t published with their corresponding email logins, and said that it addressed the risk to members by swiftly disabling the compromised passwords – with all of them disabled by the end of the day following the detection of the breach.

Members were then emailed instructions on how to reset their password.

The firm also clarified: “At this time, there have been no reports of compromised LinkedIn accounts as a result of this password theft.”

So it appears no damage was done as a result of the incident.

Furthermore, LinkedIn notes that it has now completed an apparently long-planned upgrade of its password database system.

Previously, passwords were only hashed; now they will be salted and hashed, which is effectively a double layer of protection (a salt is a random string added to each password before hashing, so that identical passwords no longer produce identical hashes – which means simple or silly passwords won’t be nearly as easy to brute force and crack).

LinkedIn stated that now, the password of every member has been hashed and salted. This, and the fact that no accounts were actually breached, represents a solid recovery from a major hack.
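To make the difference between the old and new schemes concrete, here is a small added example (not code from the article or from LinkedIn). It assumes SHA-1 as the hash function purely for illustration, since the article does not name the algorithm, and it uses a constructed set of users who all chose the same weak password. It shows that unsalted hashing maps every one of them to the same hash (so one precomputed table names them all), while a random per-user salt gives each a distinct hash and makes the precomputed table useless; it also shows how a salted record is stored and verified.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

# Constructed sample data: three users who happen to pick the same weak password,
# and a small "common passwords" list an attacker might hash ahead of time.
USERS: Dict[str, str] = {"alice": "linkedin1", "bob": "linkedin1", "carol": "linkedin1"}
WORDLIST = ["password", "123456", "linkedin1", "qwerty"]


def hash_unsalted(password: str) -> str:
    """Old scheme: a bare hash of the password (SHA-1 assumed for illustration)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_salted(password: str, salt: bytes) -> str:
    """New scheme: a random, per-user salt is prepended to the password before hashing."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def new_salt() -> bytes:
    """16 random bytes from the OS CSPRNG; a fresh one is drawn for every password."""
    return os.urandom(16)


def store_salted(password: str, salt: Optional[bytes] = None) -> str:
    """Build the record the database keeps: hex(salt) + '$' + hash.

    The salt is not secret; it only has to be unique, so storing it beside the
    hash is fine.  A fixed salt may be passed in for reproducible tests.
    """
    salt = new_salt() if salt is None else salt
    return salt.hex() + "$" + hash_salted(password, salt)


def verify_salted(password: str, record: str) -> bool:
    """Re-hash the login attempt with the stored salt and compare in constant time."""
    salt_hex, stored = record.split("$", 1)
    candidate = hash_salted(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def distinct_hashes(users: Dict[str, str], salted: bool) -> int:
    """Count how many different hashes a population of users ends up with."""
    if salted:
        return len({store_salted(pw).split("$", 1)[1] for pw in users.values()})
    return len({hash_unsalted(pw) for pw in users.values()})


def precomputed_lookup_hits(users: Dict[str, str], wordlist: Iterable[str], salted: bool) -> int:
    """How many stored hashes a table built once from a wordlist can put a name to.

    Against unsalted hashes the table is built once and reused against every
    account; against salted hashes the same table matches nothing, because each
    account's hash depends on its own random salt.
    """
    table = {hash_unsalted(word): word for word in wordlist}
    hits = 0
    for pw in users.values():
        stored = store_salted(pw).split("$", 1)[1] if salted else hash_unsalted(pw)
        hits += stored in table
    return hits


if __name__ == "__main__":
    print("distinct unsalted hashes:", distinct_hashes(USERS, salted=False))  # 1
    print("distinct salted hashes:  ", distinct_hashes(USERS, salted=True))   # 3
    print("table hits, unsalted:", precomputed_lookup_hits(USERS, WORDLIST, salted=False))  # 3
    print("table hits, salted:  ", precomputed_lookup_hits(USERS, WORDLIST, salted=True))   # 0
    rec = store_salted("linkedin1")
    print("login ok:", verify_salted("linkedin1", rec), "wrong pw:", verify_salted("linkedin2", rec))
```

One caveat worth keeping in mind when reading the article's "double layer of protection": a salt stops precomputed tables from being reused and stops one cracked hash from exposing every account that shares the password, but it does not slow down guessing against a single account. That is the job of a deliberately slow password hash (bcrypt, scrypt or PBKDF2 with a high iteration count), which would replace the plain SHA-1 call above in a production system.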

Naturally, there’s also an investigation going on into who perpetrated the act, with a view to bringing the culprits to justice.

Comments in chronological order (1 comment)

  1. Unsalted Peanuts says:

    Strong passwords, salted or not, do not replace the need for other effective security controls. People need to be talking less about hashing or salting passwords and more about other steps that need to be implemented, like some form of 2FA where you can telesign into your account and have the security of knowing you are protected if your password were to be stolen. This should be a prerequisite to any system that wants to promote itself as being secure. With this, if they were to try to use the “stolen” password and don’t have your phone, nor are on the computer, smartphone or tablet you have designated trusted, they would not be able to enter the account.
