by Constantine von Hoffman

LinkedIn Boosts Password Security but You Still Can’t Cure Stupid

Jun 14, 20123 mins
Data and Information SecurityData BreachIntrusion Detection Software

When it comes to passwords, companies like LinkedIn can hash and salt all they want but people will inevitably use insecure apps such as "123Password" and put themselves at risk.

LinkedIn announced it is improving its online password protection in the wake of last week’s theft of 6.5 million logins. This is certainly a smart move, but it’s not really going to help all that much. And the fault, dear Brutus, falls mostly on us, LinkedIn’s users.

Earlier this week LinkedIn said that in addition to the encryption it was already using–the cryptographic hash function SHA-1–its users’ passwords are now also “salted,” a technique that randomly appends a string of characters to passwords to make them more secure. And it’s possible the company is also working on additional safeguards. From a related post on LinkedIn’s blog:

“At this time, LinkedIn cannot release any further information in order to protect our members and due to the ongoing investigation. For security reasons we cannot discuss certain details of our ongoing security upgrades.”

Fair enough. Unfortunately in passwords, as in food, just adding more salt doesn’t always make things better. As is noted in a great blog post by Jarno of F-Secure:

“It seems that there are still many developers who hold a very strong belief that salt values will make passwords safe. Even if attacker would have the salt, the common rationalization seems to be that an attack isn’t practically feasible, because it would take forever to go through 14 characters keyspace, and thus salt must be making things safe. One could say that developers are grasping at salt like a small child is grasping his teddy bear, trusting that it will keep all evil crackers at bay.”

(The folks at F-Secure are Finnish, and English is probably a second language, so that may explain the reference to “evil crackers.” Or it may be that there is a bit of poetry in their programming souls. Either way I love the image of teddy bears fighting off malevolent graham crackers. I like the idea of evil oyster crackers even more.)

Jarno refers to related research that’s being conducted by Francois Pesce of Qualsys. Pesce ran an older program called John The Ripper on the LinkedIn files and within a couple of hours he had cracked about 2 million passwords.

“Even though my dictionaries were 10 years old and didn’t contain newer words like ‘linkedin’, it appeared that some cracking rules, by reversing strings or removing some vowels could guess new slang words from already cracked passwords.”

In other words, a lot of people still use silly tools such as “123Password,” and as long as that’s true it will be relatively simple for Bad Guys to crack many passwords. You can probably guess what’s coming next, but I like to re-iterate to keep myself sane: Users are the biggest problem with security.

People are stupid and there’s not a lot you can do about that. As they say in Texas, “You keep giving ‘em books and giving ‘em books and they just keep chewing on the covers.”

Pesce–and many others–recommend using random password generators to create logins. That is a great idea, but it’s highly unlikely that folks who use “123Password” even know what a random password generator is.