The LinkedIn Password Scandal

In the past few days it has become widely known across the web that LinkedIn's website was hacked. Websites are hacked far too often; that is never good, but usually the stored data is at least protected. Not this time. At the most basic level of digital security, passwords should always be hashed and salted… LinkedIn didn't use the salt.

What is a Hash?

A hash function is a technique that converts a password (or indeed any kind of data) into a fixed-size string called a hash, and the hash cannot be directly reversed to recover the input. On its own a hash is not enough to protect passwords, because the same input (in our case a password) will always produce the same output.

Here is an example using MD5 (Message-Digest Algorithm 5), a hash function that is still widely used although it is no longer recommended.

Example password: password
Outputted hash: 5f4dcc3b5aa765d61d8327deb882cf99

There are many hash functions, but if the attacker can work out which one was used to hash the passwords, they can simply find or build a table (known as a rainbow table) that maps each hash back to the original password.

What Is Salt?

Because a hash function always produces the same output for the same input (as long as the same function is used), it is easy to build rainbow tables that match hashes to plaintext. To stop rainbow tables from matching your hashes, you can add a salt so that the hashes are unique to your website.

To do this you add your own secret value (the salt) to every password before it is hashed. As long as this value is kept secret, rainbow tables will not match the hashes, and they will be much harder to crack.

Here is the same example as above, but this time using a very simple salt.

Example password: password
Example salt: 34erw (so the string that actually gets hashed is password34erw)
Outputted hash: f9f55ac26a41662ba7844631016c9a77

As you can see, the hash is different from before and will not be found in any rainbow table (and if it is, it will refer to a different password).
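The two sections above, hashing and salting, can be tried out in a few lines of Python. This is an added example and not code from the original post: it reproduces the unsalted MD5 of "password" from the first example, builds a tiny stand-in for a rainbow table from a handful of constructed common passwords, and shows that the unsalted hash is found in the table while the salted one (the post's "password34erw" scheme) is not. MD5 is used only to match the post's figures; it is not a suitable choice for real password storage.

```python
import hashlib

def md5_hex(text: str) -> str:
    """Unsalted MD5: the same input always gives the same digest."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()

# A miniature stand-in for a rainbow table: a precomputed map from the
# unsalted MD5 digest back to the plaintext. The password list is constructed
# for this example; real tables hold millions of entries.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "linkedin"]
RAINBOW_TABLE = {md5_hex(p): p for p in COMMON_PASSWORDS}

def lookup(digest: str):
    """Return the plaintext if the table contains this digest, otherwise None."""
    return RAINBOW_TABLE.get(digest)

def salted_md5_hex(password: str, salt: str) -> str:
    """The post's scheme: append the site's secret salt before hashing."""
    return md5_hex(password + salt)

def demo() -> dict:
    """Compare what an attacker with a precomputed table can recover."""
    unsalted = md5_hex("password")
    salted = salted_md5_hex("password", "34erw")
    return {
        "unsalted": unsalted,
        "unsalted_cracked": lookup(unsalted),  # found: "password"
        "salted": salted,
        "salted_cracked": lookup(salted),      # not found: None
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The table lookup succeeds only because the unsalted digest of "password" is identical everywhere; once the salt is mixed in, a table built without knowledge of that salt is useless, which is exactly the protection LinkedIn was missing.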

Can the hacker log into your account?

It appears that all of the passwords were hashed using SHA-1, which is a relatively secure hash function. But no matter how secure the hash is, if it is not salted the passwords can still be cracked using rainbow tables.

The hacker has released a file containing a large number of hashes; it is unknown whether it contains all of them. Some tools have been released that search the file for your hash, such as this one by LastPass (a trustworthy password manager). Of course, you should be very careful about entering your passwords on other websites; this one uploads only the hash, not your plaintext password.

Whether or not your LinkedIn details have been stolen, it is worth changing your password. You should also make sure you do not use one password for everything; that is a very dangerous way to use the web!

Password Managers

You should never write your passwords down. Everyone knows that: it is more likely that someone will find your written-down plaintext password than that a website will be hacked and your password recovered. However, keeping track of passwords can be very hard, especially if you need a different one for every site. The solution is an encrypted password database, where you can safely store your passwords without worrying about plaintext copies being found. They are not a perfect solution, but they are currently the best one unless you are fantastic at remembering secure passwords.

Besides being secure, password databases usually have another advantage: they can generate very strong random passwords for you. If you can think of a password yourself, it is possible that someone else can guess it.

Password databases that are often recommended include LastPass and 1Password.

Summary

Hopefully you were able to follow all of that. Cryptography (and security in general) is a very complex area of computing, but the basics are important to understand.

So to remember:

  • Hashes are fixed-size strings that are the same every time the same password is hashed
  • Rainbow tables can be used to find the password that matches a hash
  • Salts are added to passwords before hashing to make the hashes harder to crack
  • Password databases make sure every site has a separate password and are one of the best ways to store passwords