
LinkedIn: No account breaches in wake of hack

LinkedIn beefs up security after passwords leaked

Social networking site LinkedIn has revealed details of attempts to increase security in the wake of 6.5 million usernames and hashed passwords being published on a Russian hacker forum.

A blog entry by director Vicente Silveira revealed that LinkedIn has not received any reports of unauthorised account access in the wake of the security breach.

The company also revealed that passwords of the service's users are now salted as well as hashed. "That transition was completed prior to news of the password theft breaking on Wednesday," Silveira wrote.

Ty Miller, chief technology officer of penetration testing firm Pure Hacking, said that although the salting of password hashes has been around for a long time, "we find that many Web applications either do not hash their passwords at all, or use common hashing algorithms, such as MD5, without a salt".

"Social and professional networking sites such as LinkedIn are major targets for hackers," Miller said. "Combining this with the complexity of these types of web applications, the chance of a critical vulnerability being present is likely. This means that a defence-in-depth approach should be a necessity for LinkedIn, which includes protecting passwords with strong cryptographic methods."

Miller said that social networking services such as LinkedIn store a wealth of personal information about their users and have a responsibility to implement a very high standard of security, with security measures, such as salting password hashes, implemented as part of application design.

Salting a password makes it less likely an account will be vulnerable to hackers using rainbow tables, which are essentially precomputed dictionaries of hashes that allow someone to look up what a user's plaintext password is.

"Salts are designed to ensure that the generated hash is different even if the same password is being hashed," Miller said. "The larger the salt, the more different hashes exist for the same password. This generally means that Rainbow Tables are not a feasible option for cracking salted hashes because there are too many combinations to create.

"This means that attackers have to rely on dictionary-based password attacks, which has to calculate every possible salted hash for each password in the password dictionary. This means that weak passwords will be able to be cracked easily, and stronger passwords are more likely to remain secured."

Rohan Pearce is the editor of Techworld Australia. Contact him at rohan_pearce at

Follow Rohan on Twitter: @rohan_p
