Jun 06 2012

If you have not already heard about it, and you have a LinkedIn account, you should be aware that a large number of password hashes has been found in the wild. This means it is possible that hackers have the ability to crack your password and break into your account.

Change any LinkedIn account passwords now.

But there are still just a few unanswered questions :-

Why were the password hashes unsalted ?

Storing passwords in the clear is just about the most irresponsible thing a website operator can do, but storing passwords in hashed form without a so-called salt is also a clear indication that someone needs a slap and to be told to go the extra 10m. It has long been known (i.e. for decades) that using a simple password hash allows someone to find out what the original password was.

This is why the Unix system from the 1970s used a salt to make revealing passwords harder.

Technically a salt is a few extra bits of randomness mixed into the input of the hash (and stored alongside the output) to make pre-computing password hashes more expensive. It also hides which accounts share an identical password, since the same password produces a different hash for each user.

So why weren’t LinkedIn salting their passwords? Couldn’t be bothered? Assumed that their systems were so secure that nobody could break in? Whatever the reason, it was not a good enough reason – allowing their site to be hacked is bad enough, but caring so little about the security of our data shows pure incompetence and arrogance.

Are We Sure These Password Hashes Belong To LinkedIn?

In a word: No. We assume it is, and there’s some evidence to support that assumption. Several bloggers (one) have posted indicating that they have checked and found that their own LinkedIn password hash can be found in the file.

So we should assume that these password hashes are from LinkedIn, and change our password if we have an account. Perhaps this is wrong and this huge list of password hashes is just some prankster’s idea of a fun day, but this is one of those cases where you assume it is real to be safe.

But There Are No Usernames. Aren’t We Safe?

I’ve come across at least one comment indicating that because the usernames aren’t associated, there isn’t anything to worry about.

It is true that the information as released is not especially helpful – if you cracked all the password hashes you still wouldn’t know if my password was #32768, #65536, or any of the others. But you could still use that information with the help of a botnet army and enough time to let tools like Hydra do their work.

And we do not know that the person or group who obtained this information in the first place does not have access to further information. Even if all they had access to was a database table containing just the password hashes, they will almost certainly know the frequencies of every password.

So no, we’re not safe.

Only 6.5 million? I Thought LinkedIn Had 150 million Accounts?

Indeed! It does seem strange that there are only 6.5 million password hashes in the released file.

But those who have had a chance to poke around in the released file (including myself) have found that there are no duplicate hashes. That would be normal in a salted password hash file, but given how woeful most people are at picking good passwords you would expect a very large number of duplicates in 150 million unsalted password hashes. Whether you would get as few as 6.5 million unique password hashes seems a touch unlikely, but possible.
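As an added illustration (not code from the original post) of the two points above, why a salt matters and what a hash dump gives away even before any cracking, the following Python hashes a constructed set of ten passwords both ways: unsalted, where repeated passwords collapse into repeated hashes and the dump reveals their frequencies, and salted, where the same passwords give unique hashes. SHA-1 is used here purely for illustration; the post does not name LinkedIn's hash function, and the sample passwords are made up.

```python
import hashlib
import os
from collections import Counter

# Constructed sample password column: ten accounts, several sharing the
# same weak password. Illustrative only, not data from the leak.
SAMPLE_PASSWORDS = [
    "password", "123456", "linkedin", "password", "letmein",
    "123456", "password", "qwerty", "linkedin", "password",
]


def unsalted_hash(password: str) -> str:
    """Plain SHA-1 of the password, no salt: identical passwords give
    identical hashes, so duplicates and frequencies are visible in a dump."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt=None) -> str:
    """SHA-1 over a random per-user salt plus the password. The salt is
    stored next to the digest ("salthex$digest") so it can be re-used to
    verify a login; a slow password hash (bcrypt, scrypt, PBKDF2) would be
    the better choice today, but the point here is the salt."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.sha1(salt + password.encode("utf-8")).hexdigest()
    return f"{salt.hex()}${digest}"


def verify_salted(password: str, stored: str) -> bool:
    """Re-derive the hash with the stored salt and compare."""
    salt_hex, _ = stored.split("$", 1)
    return salted_hash(password, bytes.fromhex(salt_hex)) == stored


def dump_stats(hashes) -> dict:
    """What the hash column alone reveals, before cracking: how many
    unique values there are and how often the commonest one repeats."""
    counts = Counter(hashes)
    return {
        "total": len(hashes),
        "unique": len(counts),
        "duplicates": len(hashes) - len(counts),
        "max_frequency": max(counts.values()),
    }


if __name__ == "__main__":
    print("unsalted:", dump_stats([unsalted_hash(p) for p in SAMPLE_PASSWORDS]))
    print("salted:  ", dump_stats([salted_hash(p) for p in SAMPLE_PASSWORDS]))
```

With the unsalted column the most frequent hash appears four times, which tells an attacker which hash to crack first; with per-user salts every entry is unique and that signal disappears.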

Of course it may be that the person or group who grabbed this password dump in the first place only managed a partial dump for some reason.

But If The Original Leak Isn’t Fixed, Isn’t Changing Our Password A Waste Of Time?

It is certainly true that if LinkedIn hasn’t fixed their original problem, or has not implemented some form of remedial action, then it is possible that an attacker could break in with exactly the same method as they did before, and steal the passwords again. Which means we will probably have to change our passwords again – once LinkedIn finally gets around to announcing this has all been fixed.

But not changing your password now is foolish in the extreme – you should assume that the attacker(s) have your account details now.

Jun 04 2012

You know those annoying ads you can see surrounding this posting ? The ones that don’t go anywhere near paying for the costs of running this site ?

I get to see them myself, and was somewhat surprised to find one today that had just a teensy little problem with it :-

Nine Mistakes You Should Avoid in 2011

Which was advertising a financial services company. Got to admit that whilst anyone can make a mistake, I would be very unlikely to let someone near my money who is likely to make this sort of mistake!

Jun 02 2012

Apparently the government has announced plans to stop charging council tax for those who live in so-called “granny annexes”. The opposition has quite rightly pointed out that this is an interesting position to take as there has long been a council tax exemption for those living in granny annexes who are over 65, or who are impaired in various other ways.

For those not familiar with granny annexes – and this may come as a surprise to many Tories, but not everyone is familiar with the concept – if you have a large enough house, it is possible to set aside part of it as a separate dwelling. Usually to give some member of the family some level of independent living – traditionally used for a live-in grandparent. Thus the term “granny annex”.

It may come as a bit of a surprise to many Tories, but most ordinary hard-working families live in homes where space is at a premium. Indeed having the spare space to create an annex could be a definition of “wealthy”. Or in other words, Tories have come up with a nifty way of giving a tax cut to the wealthy whilst trying (and failing) to sound like they are helping ordinary people.

Or to put it another way, why are we giving council tax exemptions to grannies and disabled people? If someone over the age of 65 lives in their own flat they have to pay council tax, but if they live in an annex in their family’s home, they don’t. I’m not against the idea that those who are somewhat constrained in their income should get some sort of discount on their council tax, but getting a discount because you have rich relatives?

May 23 2012

I am sure that pretty much all of us are familiar with what happens in school when the teacher leaves the room on a Friday afternoon and a whole class full of rebellious children start kicking up fuss. Shouting, throwing insults around, and generally making a lot of unnecessary noise.

When watching “PM Questions” at lunchtime today, it occurred to me (and probably not for the first time) that our politicians in parliament act pretty much like a bunch of unruly school kids. Let us look at some of the examples of boorish behaviour :-

  1. Calling the leader of the opposition an “idiot” (for which David Cameron was spanked and forced to retract).
  2. Growling with approval during speeches.
  3. Shouting dissent during speeches.

This may be the sort of behaviour expected during an Oxbridge debate, but most of us have not been unfortunate enough to take part in such a thing, and this sort of behaviour from our representatives is disgusting.

It has been suggested before that PMQs needs reform, but with no obvious change to the behaviour seen. Perhaps those MPs who behave this way should be made aware that most of us are only aware of how they behave from their behaviour at the weekly PMQs ?