Lessons From The LinkedIn Password Attack

There has been some speculation that the fact that LinkedIn did not “salt” their passwords has made it easier for attackers to crack them. The leaked LinkedIn passwords were stored as SHA-1 hashes.

“Salting stored hashes increases the complexity of the encrypted password data, beyond the point where it can be cracked in a reasonable amount of time,” said Jim Walter, manager of McAfee’s Threat Intelligence Service (MTIS), in an interview with eSecurity Planet. “Failing to store passwords in a secure manner allows for quick and easy decryption of the hashes, revealing the plain-text passwords.”