thisispax.blogg.se

Hackers developed program that can decode any password news

Though SHA-1 offers a degree of protection against password cracking attempts, the algorithm is by no means foolproof. Therefore, many organizations these days use a process known as salting, where a random string of characters is appended to a password before it is hashed, to make password cracking much harder. The process ensures that even if two passwords are identical, their hashes will be unique.

Salting is considered something of a best practice for protecting passwords, especially those used by employees of large companies. That LinkedIn apparently chose to protect passwords using just SHA-1 is disappointing, Wisniewski said. "For an organization as large as LinkedIn, I would expect better," he said.

The worst policy for companies is to store passwords in clear text, experts say. Storing them in hashed form with no salting is nearly as bad, considering the availability of SHA-1 hash cracking tools, Wisniewski said. Tables that contain pre-computed hashes for billions of passwords are easily available. Almost anyone can use these tables to crack almost any SHA-1 hash and recover the plain text in a matter of minutes.

In response to widespread reports about the breach, LinkedIn yesterday admitted that "some" of its passwords might have been compromised. So far, the company has not indicated how the breach occurred or how many passwords may have been compromised.

In a carefully worded blog post Wednesday, LinkedIn director Vicente Silveira said that the company had disabled all the compromised passwords and was instructing affected members how to access their accounts to reset their passwords. In the post, Silveira said that LinkedIn has implemented salting to protect newly updated passwords and also passwords that have not been compromised. "It is worth noting that the affected members who update their passwords and members whose passwords have not been compromised benefit from the enhanced security we just recently put in place, which includes hashing and salting of our current password databases," Silveira had noted.

The wording is a bit puzzling because it suggests that LinkedIn has salted or is salting existing password hashes, Wisniewski said. Salting is done before a password is hashed. Once a password has been hashed there is no way it can then be salted, he said. Unless LinkedIn had implemented salting before the breach, the only way it can salt hashes at this stage is to get everyone to update their passwords, he said.
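The difference between unsalted and salted SHA-1 storage described in the article, as an added example that is not part of the original article: it shows why a precomputed table resolves unsalted hashes and why a per-user salt gives identical passwords different hashes. The candidate list, user names and function names are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample: a tiny candidate list standing in for a large precomputed table.
CANDIDATES = ["123456", "password", "linkedin", "letmein"]

def sha1_unsalted(password):
    """Unsalted storage: the same password always yields the same digest."""
    return hashlib.sha1(password.encode()).hexdigest()

def build_table(candidates):
    """Computed once, then reusable against every unsalted SHA-1 database."""
    return {sha1_unsalted(p): p for p in candidates}

def hash_salted(password, salt=None):
    """Append a random per-user salt to the password before hashing.
    The salt is not secret and is stored next to the digest."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).hexdigest()
    return salt, digest

def verify_salted(password, salt, stored_digest):
    """Recompute with the stored salt; compare in constant time."""
    _, digest = hash_salted(password, salt)
    return hmac.compare_digest(digest, stored_digest)

def demo():
    table = build_table(CANDIDATES)
    # Two constructed users who happen to choose the same password.
    unsalted = {u: sha1_unsalted("linkedin") for u in ("alice", "bob")}
    salted = {u: hash_salted("linkedin") for u in ("alice", "bob")}
    return {
        "unsalted_identical": unsalted["alice"] == unsalted["bob"],
        "unsalted_recovered": table.get(unsalted["alice"]),
        "salted_identical": salted["alice"][1] == salted["bob"][1],
        "salted_recovered": table.get(salted["alice"][1]),
        "salted_verifies": verify_salted("linkedin", *salted["alice"]),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
    # SHA-1 is used here only to mirror the article. A salt defeats precomputed
    # tables, but SHA-1 is still fast to guess against; new systems use a slow,
    # salted function such as hashlib.scrypt or hashlib.pbkdf2_hmac.
```

Salting needs the plain-text password as input, which is why a stored unsalted digest cannot be converted in place, as Wisniewski points out.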







