/ Java Zone
Over a million developers have joined DZone.
{{announcement.body}}
{{announcement.title}}

Password Security and Hash Slippage

DZone's Guide to

Password Security and Hash Slippage

by
·
Jun. 12, 12 · Java Zone ·
Free Resource

Comment (1)

Save
Tweet
{{ articles[0].views | formatCount}} Views

The CMS developers love. Open Source, API-first and Enterprise-grade. Try BloomReach CMS for free.

The massive losses of password hashes at LinkedIn [1], eHarmony [2] and Last.fm [3] are very concerning, to say the least. These are companies that are generally perceived as technology leaders, particularly LinkedIn. Also, as far as I now, eHarmony and LinkedIn are Java/JVM shops. Just some data that I gathered today regarding the scope of the issue:
  • Last.fm - presumably up to 17 million lost hashes - Algorithm used: MD5 - Hashes were Not salted
  • eHarmony - 1.5 million hashes - MD5 - No salted - All upper-case-passwords
  • LinkedIn - 6.5 million hashes - SHA1 - Not salted
Some of the leaks supposedly happened as far back as 2011. Here is some further background information: 
What is quite amazing to me, is that the basic measures that would prevent the cracking of the hashes, like better hash algorithms, salting, re-hashing are not rocket science. There is even a very nice library [4] out there that does it for you and it even hooks into e.g. Spring Security [5] - Not even Java coding is necessary.

I just wonder how the hackers got access to the hashes in the first place...I could not find any information on that, yet. Maybe another juicy story...

BloomReach CMS: the API-first CMS of the future. Open-source & enterprise-grade. - As a Java developer, you will feel at home using Maven builds and your favorite IDE (e.g. Eclipse or IntelliJ) and continuous integration server (e.g. Jenkins). Manage your Java objects using Spring Framework, write your templates in JSP or Freemarker. Try for free.

Like This Article? Read More From DZone

Code Hygiene Through Automation
How Does Your DevOps Measurement of Success Stack Up?
Python Thread Tutorial (Part 1)

Free DZone Refcard

Java Containerization
DOWNLOAD
Topics:

Comment (1)

Save
Tweet
{{ articles[0].views | formatCount}} Views

Published at DZone with permission of

Opinions expressed by DZone contributors are their own.

Java Partner Resources

Building Reactive Microservices in Java: Asynchronous and Event-Based Application Design
Migrating to Microservice Databases
The Build vs. Buy Challenge: Insight Into a Hybrid Approach
How to use Single Page Applications with a Java CMS
Learn more about Kotlin
Java CMS Delivery Options: Deliver content to any website, app or device.
Microservices for Java Developers: A Hands-On Introduction to Frameworks & Containers
High Performance Content Delivery with a Java CMS
Predictive Analytics + Big Data Quality: A Love Story
Free tool: Scan Java, NuGet, and NPM packages for open source vulnerabilities
Streamline and Automate Your Local Development Flow
Developing Reactive Microservices: Enterprise Implementation in Java

Java Partner Resources

Building Reactive Microservices in Java: Asynchronous and Event-Based Application Design
Migrating to Microservice Databases
The Build vs. Buy Challenge: Insight Into a Hybrid Approach
How to use Single Page Applications with a Java CMS

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.linkDescription }}

{{ parent.urlSource.name }}
by {{ parent.authors[0].realName || parent.author}}
· {{ parent.articleDate | date:'MMM. dd, yyyy' }} {{ parent.linkDate | date:'MMM. dd, yyyy' }}
· {{ parent.portal.name }} Zone