LinkedIn announced it is improving its online password protection in the wake of last week's theft of 6.5 million logins. This is certainly a smart move, but it's not really going to help all that much. And the fault, dear Brutus, falls mostly on us, LinkedIn's users.

Earlier this week LinkedIn said that in addition to the hashing it was already using (the cryptographic hash function SHA-1, which is not encryption: a password cannot be decrypted from its hash, only guessed and checked against it), its users' passwords are now also "salted." Salting generates a random string for each account and mixes it into the password before hashing, so two users with the same password get different hashes and precomputed lookup tables become useless. And it's possible the company is also working on additional safeguards. From a related post on LinkedIn's blog:

"At this time, LinkedIn cannot release any further information in order to protect our members and due to the ongoing investigation. For security reasons we cannot discuss certain details of our ongoing security upgrades."

Fair enough. Unfortunately in passwords, as in food, just adding more salt doesn't always make things better. A salt forces an attacker to crack each account's hash separately rather than all of them at once, but the salt is stored right next to the hash, so whoever stole the database has it too, and it does nothing to make an individual weak password harder to guess. As is noted in a great blog post by Jarno of F-Secure:

"It seems that there are still many developers who hold a very strong belief that salt values will make passwords safe. Even if the attacker had the salt, the common rationalization seems to be that an attack isn't practically feasible, because it would take forever to go through a 14-character keyspace, and thus salt must be making things safe. One could say that developers are grasping at salt like a small child grasping his teddy bear, trusting that it will keep all evil crackers at bay."

(The folks at F-Secure are Finnish, and English is probably a second language, so that may explain the reference to "evil crackers." Or it may be that there is a bit of poetry in their programming souls. Either way I love the image of teddy bears fighting off malevolent graham crackers. I like the idea of evil oyster crackers even more.)

Jarno refers to related research being conducted by Francois Pesce of Qualys. Pesce ran the venerable password-cracking program John the Ripper on the LinkedIn files, and within a couple of hours he had cracked about 2 million passwords.

"Even though my dictionaries were 10 years old and didn't contain newer words like 'linkedin', it appeared that some cracking rules, by reversing strings or removing some vowels, could guess new slang words from already cracked passwords."

In other words, a lot of people still use silly passwords such as "123Password," and as long as that's true it will be relatively simple for the Bad Guys to crack many of them. You can probably guess what's coming next, but I like to reiterate it to keep myself sane: users are the biggest problem with security.

People are stupid and there's not a lot you can do about that. As they say in Texas, "You keep giving 'em books and giving 'em books and they just keep chewing on the covers."

Pesce, and many others, recommend using random password generators to create logins. That is a great idea, but it's highly unlikely that folks who use "123Password" even know what a random password generator is.
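To make the point concrete, here is an added Python example that is not part of the original post and not code from LinkedIn, F-Secure or Qualys. It builds a small password store two ways (unsalted SHA-1, and SHA-1 over a random per-user salt prepended to the password, which is an assumption about how a salt might be combined since the post does not say), then runs a toy dictionary attack with a few mangling rules in the spirit of the John the Ripper rules Pesce mentions (reverse the word, strip vowels, capitalise, append common suffixes). The wordlist and the sample accounts are constructed for the example; the mangling rules are a simplification, not John the Ripper's actual rule set.

```python
"""Salted vs. unsalted SHA-1, and why a salt alone does not rescue weak passwords.

Added example; the accounts, wordlist and mangling rules below are constructed
for illustration and are not the real LinkedIn data or John the Ripper rules.
"""
import hashlib
import os
import secrets
import string

VOWELS = set("aeiouAEIOU")


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def make_store(users: dict, salted: bool) -> dict:
    """Build a password store {user: (salt, hexdigest)}.

    salted=False mirrors plain unsalted SHA-1 (salt is b"").
    salted=True draws a random 16-byte salt per user and hashes salt || password;
    the salt is stored next to the digest, as it must be for login to work.
    (salt || password is an assumed construction, not LinkedIn's documented one.)
    """
    store = {}
    for user, password in users.items():
        salt = os.urandom(16) if salted else b""
        store[user] = (salt, sha1_hex(salt + password.encode()))
    return store


def mangle(word: str):
    """Yield candidates derived from one dictionary word: as-is, reversed,
    capitalised, vowels stripped, each also with a few common suffixes.
    A toy version of the kind of rules a cracker applies to a wordlist."""
    bases = []
    for b in (word, word[::-1], word.capitalize(),
              "".join(c for c in word if c not in VOWELS)):
        if b and b not in bases:
            bases.append(b)
    for base in bases:
        yield base
        for suffix in ("1", "123", "2012"):
            yield base + suffix


def crack(store: dict, wordlist) -> dict:
    """Dictionary attack on a store from make_store.

    The salt is read straight out of the stolen store, exactly as an attacker
    with the database would do. Returns {user: recovered_password}."""
    found = {}
    for user, (salt, digest) in store.items():
        for word in wordlist:
            hit = next((c for c in mangle(word)
                        if sha1_hex(salt + c.encode()) == digest), None)
            if hit is not None:
                found[user] = hit
                break
    return found


def random_password(length: int = 16) -> str:
    """What a random password generator produces: not in any wordlist."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


WORDLIST = ["password", "linkedin", "welcome", "monkey"]  # constructed mini dictionary

USERS = {  # constructed sample accounts
    "alice": "Password123",   # capitalised word + suffix
    "bob":   "drowssap",      # "password" reversed
    "carol": "lnkdn2012",     # "linkedin" with vowels stripped + suffix
    "dan":   "Password123",   # same password as alice
    "erin":  random_password(),
}


def demo():
    unsalted = make_store(USERS, salted=False)
    salted = make_store(USERS, salted=True)
    # What salt buys: identical passwords no longer share a digest, so cracking
    # alice does not hand over dan for free, and no precomputed table applies.
    same_unsalted = unsalted["alice"][1] == unsalted["dan"][1]
    same_salted = salted["alice"][1] == salted["dan"][1]
    # What salt does not buy: with the salt in hand, weak passwords fall anyway.
    return same_unsalted, same_salted, crack(unsalted, WORDLIST), crack(salted, WORDLIST)


if __name__ == "__main__":
    su, ss, cu, cs = demo()
    print("identical passwords share an unsalted hash:", su)
    print("identical passwords share a salted hash:  ", ss)
    print("cracked (unsalted):", cu)
    print("cracked (salted):  ", cs)
```

Running it recovers alice, bob, carol and dan in both stores and never erin, which is exactly Jarno's point: the salt changes how much work the attacker does per account, not whether a guessable password is guessable. One caveat the post does not cover: SHA-1 is very fast, so even salted, each guess costs the attacker almost nothing; only the weak-password half of the problem is on the user, the choice of a fast hash is on the site.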