Showing posts from June, 2012

LinkedIn breach .. the multiplier effect

Last week's high profile theft of password for the business networking site LinkedIn has been a topic of many news articles and blogs in the computing and security area.  There was a particularly interesting discussion of the issue of developers not understanding the security implications of using fast hashing algorithms which are intended for high-speed, on the wire, integrity checking such as SHA, for secure storage of passwords.  The argument here is that password hashes should actually use more computationally demanding (i.e. slower) algorithms.  This would increase the cost to the attacker in conducting a brute force attack to identify the correct plain text to match the encrypted passwords in the stolen file(s).

The immediate countermeasure that was publicised through media and through social network 'word of mouth' was that people should change their LinkedIn password.  Of course this created the opportunity for phishing attackers (unrelated to those who stole the…