LinkedIn recently had a bit of a security problem that allowed people to access about 6 million user passwords. Actually they were unsalted hashes of passwords, and that is technically different, but effectively about the same in this case. That was dumb. The password hashes should have been salted.
For the non-technical user, a password “hash” is a code that the password is translated to. If I know which code was used, I can work out the passwords behind the hashes. A process called “salting” adds randomness to each hash, so knowing the code alone doesn’t let me crack all of the passwords from the hashes.
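To make the hash-versus-salt distinction concrete, here is a small added Python example (editor's code, not from the original post, LinkedIn or LeakedIn). It assumes SHA-1 as the underlying hash function, which the post does not name, and uses the same function for both schemes so that the only difference is the salt. The two-user sample and the three-word list are constructed for the demonstration. It shows why an unsalted leak is so damaging: identical passwords produce identical hashes, and one table of hashes computed once matches every user, whereas a per-user salt makes the same password store as unrelated values.

```python
import hashlib
import hmac
import os

# Assumption for this example: SHA-1 as the underlying hash (the post does not
# name the function). Both schemes below use it, so the only variable is the salt.


def unsalted_hash(password: str) -> str:
    """Unsalted scheme: the same password yields the same hash for every user,
    on every site that uses this scheme."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def make_salt(nbytes: int = 16) -> bytes:
    """Fresh random salt per user. It is stored beside the hash and need not be
    secret; its job is to make every stored hash unique."""
    return os.urandom(nbytes)


def salted_hash(password: str, salt: bytes) -> str:
    """Salted scheme: hash(salt || password). A production system should use a
    slow, purpose-built password KDF (bcrypt, scrypt, Argon2) rather than a
    plain hash; the plain hash is kept here only to isolate the effect of salting."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def verify(password: str, salt: bytes, stored_hash: str) -> bool:
    """Login-time check; constant-time compare so timing reveals nothing about the hash."""
    return hmac.compare_digest(salted_hash(password, salt), stored_hash)


def build_lookup_table(wordlist) -> dict:
    """Precomputed table of unsalted hashes. This is why an unsalted leak is so
    cheap to crack: one table, computed once, matches every user and every leak
    that used the same scheme."""
    return {unsalted_hash(word): word for word in wordlist}


def demo() -> dict:
    """Constructed sample: two users who happen to share a password, checked
    against a tiny constructed word list. Returns the observations as a dict."""
    users = {"alice": "hunter2", "bob": "hunter2"}

    unsalted = {name: unsalted_hash(pw) for name, pw in users.items()}
    salted = {}
    for name, pw in users.items():
        salt = make_salt()
        salted[name] = (salt, salted_hash(pw, salt))

    table = build_lookup_table(["password", "hunter2", "letmein"])
    return {
        # identical passwords -> identical unsalted hashes (visible in the leak itself)
        "unsalted_identical": unsalted["alice"] == unsalted["bob"],
        # with per-user salts the same password is stored as two unrelated values
        "salted_identical": salted["alice"][1] == salted["bob"][1],
        # the single precomputed table recovers both unsalted entries ...
        "unsalted_recovered": sum(1 for h in unsalted.values() if h in table),
        # ... and none of the salted ones; each would need its own recomputation
        "salted_recovered": sum(1 for _, h in salted.values() if h in table),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the file prints the four observations; `verify` shows the login-side use of the salt, which is read back from storage next to the hash rather than kept secret.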
On to the next “Dumb”. As an attempted “Public Service”, Mr. Chris Shiflett (http://shiflett.org/) put up the website leakedIn.org so that users can check to see if their password was one of the ones that was compromised. In order to do this you have to type in your LinkedIn password. Sorry, but despite good intentions by Mr. Shiflett, this is a dumb idea. You should never type your LinkedIn password anywhere other than at LinkedIn. If you are concerned that your password may have been one that was compromised, it is time to change it.
Now for the dumber… LeakedIn.org is not using SSL, or in other words it does not start with https. When you go to a website that starts with http nothing is encrypted. If you use public Wi-Fi then all of your data can be captured (unless WPA2 encryption is used). For this reason any reasonable web site that asks for a password uses https (encrypted) for at least the part where you send your password. LeakedIn uses http and that is really bad.
So, LinkedIn failing to use best practices when encrypting passwords was dumb. Asking users to type in their LinkedIn password anywhere other than at LinkedIn is dumb. Asking a user to type in their password on a non-SSL site is even dumber!
For the more technical users who have looked at the code on the web site: yes, it is the hash and not the password that is sent to LeakedIn.org, but the problem LinkedIn has is that the unsalted hashes were leaked, and LeakedIn is having users send their unsalted password hashes in plaintext across the web.
©2012 Randy Abrams - Independent Security Analyst