Sunday, June 10, 2012

Password Security and Hash Slippage

The massive losses of password hashes at LinkedIn [1], eHarmony [2] and Last.fm [3] are very concerning, to say the least. These are companies that are generally perceived as technology leaders, particularly LinkedIn. Also, as far as I know, eHarmony and LinkedIn are Java/JVM shops. Here is some data that I gathered today regarding the scope of the issue:
  • Last.fm - presumably up to 17 million lost hashes - algorithm used: MD5 - hashes not salted
  • eHarmony - 1.5 million hashes - MD5 - not salted - passwords upper-cased before hashing
  • LinkedIn - 6.5 million hashes - SHA-1 - not salted
Some of the leaks supposedly happened as far back as 2011. Here is some further background information: 
What is quite amazing to me is that the basic measures that would prevent the cracking of these hashes are not rocket science: a per-user random salt (so that one precomputed table cannot crack every account at once, and two users with the same password do not share a hash), iterated re-hashing (so that each guess costs the attacker real work), and a hash algorithm designed for passwords rather than a fast general-purpose digest like MD5 or SHA-1. There is even a very nice library [4] out there that does all of this for you, and it hooks into e.g. Spring Security [5], so not even Java coding is necessary.
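To make the difference concrete, here is an added example (written for this page in Python rather than Java; it is not code from the post, from the leaked sites, or from the library [4]) that puts an unsalted, single-round hash of the kind found in these leaks next to a salted, iterated PBKDF2-HMAC-SHA256 hash and shows why the former falls to a single dictionary lookup. The sample passwords and wordlist are constructed for the demonstration; the iteration count is an assumption to be tuned for your own hardware.

```python
import binascii
import hashlib
import hmac
import os

# Constructed sample data for the demonstration (not real users or leaked hashes).
SAMPLE_WORDLIST = ["123456", "password", "linkedin", "sunshine", "letmein"]

# --- The weak schemes seen in the leaks (kept only to show the attack) -------

def weak_hash_sha1(password: str) -> str:
    """LinkedIn-style: one round of SHA-1, no salt. Do NOT use for passwords."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def weak_hash_md5_upper(password: str) -> str:
    """eHarmony-style: upper-case, then one round of MD5, no salt. Do NOT use.
    Upper-casing collapses 'Sunshine', 'SUNSHINE' and 'sunshine' into one hash,
    shrinking the space an attacker has to search."""
    return hashlib.md5(password.upper().encode("utf-8")).hexdigest()

def crack_unsalted(leaked_hashes, wordlist, hash_fn):
    """Without a salt, hash_fn(word) is the same for every user, so the attacker
    builds ONE table over the wordlist and cracks every matching account with a
    dictionary lookup. Returns {leaked_hash: recovered_password}."""
    table = {hash_fn(word): word for word in wordlist}
    return {h: table[h] for h in leaked_hashes if h in table}

# --- The recommended scheme: per-user salt + iterated PBKDF2 ------------------

PBKDF2_ITERATIONS = 100_000  # assumption: tune so one verify costs ~50-100 ms
SALT_BYTES = 16

def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$<iters>$<salt>$<hash>'.
    A fresh random salt per user means no precomputed table applies, and the
    iteration count is stored so it can be raised later without breaking logins."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        binascii.hexlify(salt).decode("ascii"),
        binascii.hexlify(dk).decode("ascii"),
    )

def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and compare in
    constant time, so the comparison itself does not leak how many bytes matched."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(dk_hex)
        iterations = int(iters)
    except ValueError:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(dk, expected)

if __name__ == "__main__":
    # Constructed "leak": three users, two of whom chose weak passwords.
    leaked = [weak_hash_sha1(p) for p in ("linkedin", "Tr0ub4dor&3", "letmein")]
    print("unsalted SHA-1 cracked:", crack_unsalted(leaked, SAMPLE_WORDLIST, weak_hash_sha1))

    a, b = hash_password("letmein"), hash_password("letmein")
    print("same password, different records:", a != b)
    print("verify ok:", verify_password("letmein", a), "wrong:", verify_password("letmein!", a))
```

Run it and the unsalted leak gives up "linkedin" and "letmein" immediately from a five-word list, while the two PBKDF2 records for the identical password differ and can only be attacked one user at a time, at 100,000 HMAC invocations per guess. The stored iteration count is what lets you re-hash users to a higher cost on their next login as hardware gets faster.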

I just wonder how the hackers got access to the hashes in the first place... I could not find any information on that yet. Maybe another juicy story...