EDITORIAL: LinkedIn and eHarmony don't take the security of their members seriously.
That's the only clear message resulting from both companies' disastrous password breaches of the past two days, which exposed an estimated 8 million passwords.
LinkedIn and eHarmony encrypted, or "hashed," the passwords of registered users, but neither salted the hashes with extra data that would have made them much more difficult to decrypt.
Without salting, it's very easy to crack password hashes by running through lists of common passwords and using dictionary words.
Every security expert who takes his job seriously knows this, and so does every hacker who wants to make money by stealing account information, including the one who posted the LinkedIn and eHarmony password lists in hacker forums seeking help with cracking passwords.
LinkedIn learned the necessity of salting the hard way, as director Vicente Silveira obliquely admitted in a blog posting late yesterday, which came after hours of insistence that LinkedIn could not confirm the data breach.
"We just recently put in place," Silveira wrote, "enhanced security … which includes hashing and salting of our current password databases."
Too little, too late. If LinkedIn had really cared about its members' security, it would have salted those hashes years ago.
EHarmony showed itself to be even more clueless.
"Please be assured that eHarmony uses robust security measures, including password hashing and data encryption, to protect our members’ personal information," wrote Becky Teraoka of eHarmony corporate communications in a blog posting late yesterday.
That's nice. No mention of salting at all. Too bad, because by the time Teraoka wrote that blog posting, 90 percent of the 1.5 million password hashes on the eHarmony password list had already been cracked.
"We also protect our networks with state-of-the-art firewalls, load balancers, SSL and other sophisticated security approaches," Teraoka wrote.
Such "sophisticated" website-management features are about unusual as brakes and turn signals on a car. If that's what makes eHarmony feel secure, the company is very clueless indeed.
[ How to Create and Remember Super-Secure Passwords ]
You, too, can be a hacker
How easy is it to crack unsalted password hashes? So easy that even you or I could do it.
Try it yourself if you'd like. The LinkedIn password file is easy to find online. So are free services that generate hashes, such as this one at sha1-online.com.
Download and unzip the LinkedIn password file, and keep the hash generator open in a browser window.
On the hash-generating Web page, select "SHA-1," the encryption algorithm that LinkedIn used. (EHarmony used the older, weaker MD5 algorithm.)
Plug in your own password. The site will generate the same 40-character hash that LinkedIn used.
Copy everything in the hash AFTER the first five characters — I'll explain why — and search for the shorter 35-character string in the LinkedIn password list.
Yours isn't there? Good — neither was mine.
But if you search for common passwords such as "password," "letmein" or "123456," they're all there.
In fact, those three are listed with "00000" at the beginning of the hash, indicating that the hacker who uploaded the file had already cracked them. To avoid duplication, he marked cracked hashes by replacing the first five characters with a string of zeroes.
So "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8," the hash for "password," is listed as "000001e4c9b93f3f0682250b6cf8331b7ee68fd8." The hash for "123456," which is "7c4a8d09ca3762af61e59520943dc26494f8941b," is instead listed as "00000d09ca3762af61e59520943dc26494f8941b."
Why you should always salt your password hashes
It's very difficult to reverse a hash, such as by running "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8" through some sort of formula to produce "password."
But no one needs to. If you know that "password" will always result in the SHA-1 hash "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8," all you have to do is look for the latter in a list of password hashes to know that "password" is there.
Every security expert, and every hacker, knows this. That's why hackers keep long lists of pre-computed hashes of common passwords, and why security experts who take their jobs seriously make the extra effort to salt password hashes, dropping extra bits of data into the hash algorithms.
It's also why you should use long passwords comprised of letters, numbers and punctuation marks, because such randomization is unlikely to appear in a pre-computed hash list, and nearly impossible to reverse.
With salting, "password" doesn't always result in "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8." Instead, it's a different 40-character string — every time.
Any hacker who'd gotten a list of LinkedIn or eHarmony passwords with salted hashes would have found it very difficult to match the hashes to any particular password hash on his pre-computed list.
LinkedIn and eHarmony should have bothered to take the extra step of salting their password hashes years ago.
If they'd done so, millions of people wouldn't be changing their passwords today and worrying about whether their LinkedIn and eHarmony accounts — and any other account with the same usernames and passwords — had been compromised.