When a company stores your password they perform something called ‘hashing’. A hash is a one-way function which takes something like ‘sunshine’ and gives back ‘0571749e2ac330a7455809c6b0e7af90’. They do this because if the function went two ways, and somebody got hold of their password database, that person could just run it backwards and have all the passwords in plaintext.
When I log in, the system hashes the password I’ve put in, and checks it against the hash in the database. Easy.
Unfortunately with our modern day fast CPUs and whatnot, people can create ‘rainbow tables’ for a certain hash. A rainbow table is calculated by iterating through all possible passwords under x characters (taking longer for higher values of x, but 8 characters takes about 5 days), figuring out what their hash is, effectively giving you a reverse mapping from hash to password. If you have that, and the password database, you’re about 5 seconds away from having everybody’s password in plaintext.
This is where the concept of a ‘salt’ comes in. A salt is another few binary digits I put on the end of your password. So instead of hashing ‘sunshine’ the system will now hash ‘sunshine10101111’. You use a random salt for every password, and then store the salt next to the hashed password.
Now it might seem like storing the salt next to the hash negates any security benefit, but consider: you now need to create a rainbow table for every salt in the database, so a distributed attack, even with a basic 8-bit salt, will go from taking 5 days to 3.5 years. I can crack Joe Bloggs’ password just as easily as I could before, but since only a small fraction of the database has the same salt as Joe, the story becomes “15 passwords compromised” rather than 6 million.
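The effect of a per-password salt described above, as an added example (not code from the original post). It uses SHA-1 to match the php command on this page; the 16-byte salt length, the user names and the four-word candidate list are constructed for the illustration, and a plain dictionary stands in for a rainbow table.

```python
import hashlib
import hmac
import os

def sha1_hex(data):
    return hashlib.sha1(data).hexdigest()

def store_unsalted(password):
    return {"hash": sha1_hex(password.encode())}

def store_salted(password, salt=None):
    # A fresh random salt per password, stored next to the hash.
    salt = os.urandom(16) if salt is None else salt
    return {"salt": salt.hex(), "hash": sha1_hex(password.encode() + salt)}

def verify_salted(record, attempt):
    # Login check: re-hash the attempt with the stored salt and compare.
    salt = bytes.fromhex(record["salt"])
    return hmac.compare_digest(record["hash"], sha1_hex(attempt.encode() + salt))

def precompute(candidates, salt=b""):
    # Reverse mapping hash -> password, valid for exactly one salt value.
    return {sha1_hex(c.encode() + salt): c for c in candidates}

def recovered(records, table):
    # How many stored hashes appear in a given precomputed table.
    return sum(1 for r in records if r["hash"] in table)

# Constructed sample data (not from any real database).
CANDIDATES = ["sunshine", "password", "letmein", "123456"]
USERS = {"alice": "sunshine", "bob": "sunshine", "carol": "letmein"}

def demo():
    unsalted = [store_unsalted(p) for p in USERS.values()]
    salted = [store_salted(p) for p in USERS.values()]
    table = precompute(CANDIDATES)
    # A table built for one user's salt only helps against that one record.
    one_salt = precompute(CANDIDATES, bytes.fromhex(salted[0]["salt"]))
    return {
        "unsalted_recovered": recovered(unsalted, table),
        "salted_recovered": recovered(salted, table),
        "one_salt_recovered": recovered(salted, one_salt),
        "same_password_same_hash": salted[0]["hash"] == salted[1]["hash"],
    }

if __name__ == "__main__":
    print(demo())
```

One table reverses every unsalted record, while the same work against the salted records has to be repeated per salt, which is the "15 passwords rather than 6 million" effect.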
LinkedIn, a multi-billion dollar company for whom management of user data is their core business, didn’t salt their hashes. You now know more about password security than the people who built their systems, and that makes them so negligent it should be criminal.
EDIT: You can check if your password’s been leaked at http://leakedin.org/. The hashing on this site happens client-side so it’s completely safe, but if you don’t trust it you can hash it in a terminal using
php -r 'echo sha1("password") . "\n";'
Mine’s been compromised, but strangely enough the only email I’ve received from LinkedIn in the last 24 hours is about how they’ve got a tool to help me find my Gmail contacts. Presumably this involves trusting them with another username/password combination.