Pages:
Author

Topic: [Password Leak] LinkedIn database hacked - page 5. (Read 12917 times)

administrator
Activity: 5222
Merit: 13032
Bitcointalk?

SMF uses SHA-1 hashes salted with the username. Not the greatest, though better than LinkedIn. (I'm trying to improve our password security.)
member
Activity: 70
Merit: 10
If you have a LinkedIn account and use the same password for other services (such as mtgox), please change your password. If you are unsure, visit LeakedIn to check.

Seriously people: don't go to LEAKEDin and type your password.  Whether it's honest or not, you gain nothing from potentially handing your password over to some random site on the Internet.


"Just provide your password (which we hash with JavaScript; view source to verify) or a SHA-1 hash of your password below, and we'll check."

browser hashes password -----sends to server-----> server replies if hash matches.

hero member
Activity: 504
Merit: 502
If you have a LinkedIn account and use the same password for other services (such as mtgox), please change your password. If you are unsure, visit LeakedIn to check.

Seriously people: don't go to LEAKEDin and type your password.  Whether it's honest or not, you gain nothing from potentially handing your password over to some random site on the Internet.
legendary
Activity: 1498
Merit: 1000
Bitcointalk?

bitcointalk salts their passwords since I saw a thread talking about it
legendary
Activity: 1102
Merit: 1014
CoinDL and ExchB both use salt and multiple rounds of hashing.
hero member
Activity: 784
Merit: 1000
0xFB0D8D1534241423
Goddammit, I can't find a mirror of the leak.
Oh, found it. This is fun.
sr. member
Activity: 476
Merit: 250
Tangible Cryptography LLC
Honestly I feel it is going to take companies being force to publicly disclose their exact mechanism for storing passwords and face civil penalties for inaccurate disclosures.   I mean it is 2012 not 1971.  There is absolutely no possible excuse for not using bcypt (or similar) much less not even salting the passwords.     Security through obscurity is no security at all.

Maybe we can get such information from Bitcoin websites via public pressure.

So major Bitcoin businesses and exchanges how are you storing your passwords?
MtGox?
CampBX?
Bitcointalk?
Bitmit?
Deepbit?
Bitcoinica?

Any volunteers?
hero member
Activity: 560
Merit: 500
I am the one who knocks
Who salts a password?  Is that something I have to do when creating a password, or is that directed at the password manager to make sure to salt the passwords?

kjlimo,

It is, unfortunately, up to the website operator to do.  The safest thing you can do as a consumer is user a random password at each site.
donator
Activity: 308
Merit: 250
Is that something I have to do when creating a password, or is that directed at the password manager to make sure to salt the passwords?
The latter.
legendary
Activity: 2128
Merit: 1031
And remember to always salt your passwords  Wink

Who salts a password?  Is that something I have to do when creating a password, or is that directed at the password manager to make sure to salt the passwords?
legendary
Activity: 1498
Merit: 1000
And remember to always salt your passwords  Wink
member
Activity: 70
Merit: 10
This morning, a dump of unique passwords from LinkedIn databases had been posted. From the dump, it is revealed that password hashes did not include a salt. This allows the attacker to generate a rainbow table that is valid with all the hashes. So expect your password compromised. (feel the same as if your password were leaked plain-text)

If you have a LinkedIn account and use the same password for other services (such as mtgox), please change your password. If you are unsure, visit LeakedIn to check.

More news here: https://news.ycombinator.com/item?id=4073309
Pages:
Jump to: