Join the DZone community and get the full member experience.
Join For FreeThe
massive losses of password hashes at LinkedIn [1], eHarmony [2] and
Last.fm [3] are very concerning, to say the least. These are companies
that are generally perceived as technology leaders, particularly
LinkedIn. Also, as far as I now, eHarmony and LinkedIn are Java/JVM
shops. Just some data that I gathered today regarding the scope of the
issue:
- Last.fm - presumably up to 17 million lost hashes - Algorithm used: MD5 - Hashes were Not salted
- eHarmony - 1.5 million hashes - MD5 - No salted - All upper-case-passwords
- LinkedIn - 6.5 million hashes - SHA1 - Not salted
- http://www.nytimes.com/2012/06/11/technology/linkedin-breach-exposes-light-security-even-at-data-companies.html
- http://translate.google.com/translate?sl=de&tl=en&js=n&prev=_t&hl=en&ie=UTF-8&layout=2&eotf=1&u=http%3A%2F%2Fwww.heise.de%2Fsecurity%2Fmeldung%2FPasswort-Lecks-groesser-als-angenommen-1613946.html
- http://www.technolog.msnbc.msn.com/technology/technolog/linkedin-eharmony-dont-take-your-security-seriously-819858
- http://erratasec.blogspot.de/2012/06/linkedin-vs-password-cracking.html
What is quite amazing to me, is that
the basic measures that would prevent the cracking of the hashes, like
better hash algorithms, salting, re-hashing are not rocket science.
There is even a very nice library [4] out there that does it for you and
it even hooks into e.g. Spring Security [5] - Not even Java coding is
necessary.
I just wonder how the hackers got access to the hashes in the first
place...I could not find any information on that, yet. Maybe another
juicy story...
Spring Security
Published at DZone with permission of Gunnar Hillert. See the original article here.
Opinions expressed by DZone contributors are their own.
Comments