Last week LinkedIn suffered a major security breach where millions of “hashed” passwords were leaked. Dan Pinnington wrote an excellent post last week outlining how you can tell if your LinkedIn password has been compromised.
This security breach has prompted many to reset their password at LinkedIn and other sites. However, as Dan points out, you shouldn’t reset your password to a password you use at other sites. Why? The LinkedIn password leak gives us a perfect case study.
What was leaked at LinkedIn was not your exact password, but rather a hash of your password. A hash is a one-way mathematical function that maps one piece of data to another, fixed-size representation in a deterministic, repeatable way: the same input always yields the same output. A commonly-used hash function in security applications is SHA-1; the SHA-1 hash of a password such as “testpassword” would be as follows:
Original Text: testpassword
SHA-1(‘testpassword’) = 8bb6118f8fd6935ad0876a3be34a717d32708ffd
In this case, LinkedIn would store the SHA-1 hash of your password in its password database rather than the original text. Each time you log into LinkedIn, it takes the password you entered, applies the SHA-1 hash function, and compares the result to the SHA-1 hash stored in the database; if they match, you’re logged into your LinkedIn account.
If the LinkedIn password database was leaked, the idea was that the impact of such a leak would be limited, as only the SHA-1 hashes of the passwords would have been exposed. Since SHA-1 is a one-way hash function, it is computationally infeasible to recover the original text given only its SHA-1 hash.
However, a simple SHA-1 hash of a password is vulnerable to attack via a rainbow table: a precomputed table mapping hashes back to the passwords that produce them. Whereas a brute-force attack against a single SHA-1 password hash would normally take days or weeks, a rainbow table lookup makes most common passwords recoverable almost instantaneously. To combat this form of attack, best practice is to “salt” the password with a random value, unique to each user, prior to computing the SHA-1 hash; because every salt would require its own precomputed table, the salt renders rainbow tables useless and forces an attacker to brute-force each password hash separately. LinkedIn, however, overlooked this security best practice and stored its passwords without any salt.
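To make the difference concrete, here is an added Python example (not code from the original post or from LinkedIn) that stores the post’s “testpassword” both ways and runs a tiny constructed lookup table, standing in for a rainbow table, against each stored hash. The salt value and the password list are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple


def sha1_hex(text: str) -> str:
    """Bare SHA-1 of a string, hex-encoded (the scheme the post describes LinkedIn using)."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


# --- Weak scheme: unsalted SHA-1 stored directly in the password database. ---
def store_unsalted(password: str) -> str:
    return sha1_hex(password)


def verify_unsalted(password: str, stored: str) -> bool:
    # compare_digest avoids leaking timing information during the comparison.
    return hmac.compare_digest(sha1_hex(password), stored)


# --- Salted scheme: a random per-user salt is hashed with the password and stored beside it. ---
def store_salted(password: str, salt: Optional[bytes] = None) -> Tuple[str, str]:
    salt = salt if salt is not None else os.urandom(16)  # 16 random bytes per user
    digest = hashlib.sha1(salt + password.encode("utf-8")).hexdigest()
    return salt.hex(), digest


def verify_salted(password: str, salt_hex: str, stored: str) -> bool:
    digest = hashlib.sha1(bytes.fromhex(salt_hex) + password.encode("utf-8")).hexdigest()
    return hmac.compare_digest(digest, stored)


# A constructed, deliberately tiny stand-in for a rainbow table: precomputed bare
# SHA-1 hashes of common passwords, indexed by hash so a leaked hash can be looked up.
COMMON_PASSWORDS = ["password", "123456", "testpassword", "linkedin"]
LOOKUP_TABLE = {sha1_hex(p): p for p in COMMON_PASSWORDS}


def lookup_leaked_hash(leaked_hash: str) -> Optional[str]:
    """Return the password behind a leaked hash if the precomputed table covers it, else None."""
    return LOOKUP_TABLE.get(leaked_hash)


if __name__ == "__main__":
    unsalted = store_unsalted("testpassword")
    print("unsalted hash:", unsalted, "->", lookup_leaked_hash(unsalted))   # recovered instantly
    salt_hex, salted = store_salted("testpassword")
    print("salted hash:  ", salted, "->", lookup_leaked_hash(salted))       # None: table is useless
```

Salted SHA-1 is what the post recommends; a system built today would go one step further and use a deliberately slow, salted key-derivation function such as PBKDF2, bcrypt or Argon2 so that per-hash brute force is expensive as well.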
Now, with that nerdy aside out of the way, what take-home lessons have we garnered from the LinkedIn security breach? Do not use the same password across multiple websites. Even if the website is run by a huge, publicly traded company such as LinkedIn, it may not be storing your password data in a secure fashion. By using a unique password for every website, you guarantee that the impact of a password leak will be contained to the greatest degree possible.
To make managing your various logins easier, use a password manager such as 1Password.