Linked by Thom Holwerda on Wed 6th Jun 2012 22:30 UTC
Bad day for LinkedIn: not only did 6 million of their passwords get stolen and published online (as SHA1 hashes, but still), their iOS and Android applications uploaded your calendars to LinkedIn (after opting in, though). The Sensationalist Headline of the Day Award goes to Ars Technica. I guess everyone's starting to feel the sting of The Verge's fully deserved success.
Thread beginning with comment 521081
Regarding password storage
by Sodki on Wed 6th Jun 2012 23:13 UTC

Password storage in plain text is a bad idea, but that doesn't mean that storing password hashes in itself is a good idea. The hashes _must_ be salted, otherwise you can easily find out at least some of those, using rainbow tables or even less sophisticated techniques, like finding out who uses the password "password" or "123456".

Reply Score: 3

RE: Regarding password storage
by vaette on Thu 7th Jun 2012 07:36 in reply to "Regarding password storage"

Salted password hashes are increasingly irrelevant these days though. The only point of rainbow tables is to save the time of calculating each hash. These days though, an off-the-shelf PC GPU can compute on the level of 2.3 billion SHA1 hashes per second. Doing a rainbow table for a new salt is no longer in any way prohibitive. See for example http://www.golubev.com/hashgpu.htm

Edited 2012-06-07 07:36 UTC

Reply Parent Score: 4

by Nelson

You'd have to have a rainbow table for each salt+hash combination, which is different per user. The problem gets exponentially harder with more users. It's a space issue.

Reply Parent Score: 3
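The points raised across this thread (unsalted SHA1 exposing shared passwords, per-user salt defeating precomputation, and raw hash speed making a slow KDF necessary) are illustrated below. This is an added example written for this page, not code from the thread or from LinkedIn; the user list and its plaintext passwords are constructed for illustration, and the 200,000 PBKDF2 iteration count is an assumed tuning value.

```python
import hashlib
import hmac
import os

# Constructed sample data: plaintexts are shown only so the example can
# hash them; a real dump would contain nothing but the stored values.
USERS = {
    "alice": "123456",
    "bob": "123456",
    "carol": "correct horse battery staple",
}

def unsalted_sha1(password: str) -> str:
    """Plain SHA-1 of the password, the scheme the thread says LinkedIn used.
    Equal passwords give equal hashes, and one hash of a guess can be
    compared against every user at once."""
    return hashlib.sha1(password.encode()).hexdigest()

def salted_hash(password: str, salt: bytes, iterations: int = 200_000) -> str:
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256).
    The salt forces a separate computation per user, answering the
    rainbow-table point; the iteration count raises the cost of each
    guess so raw GPU hash throughput buys far less."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"

def verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    iterations, salt_hex, _ = stored.split("$")
    candidate = salted_hash(password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, stored)

def duplicate_hashes(table: dict) -> int:
    """Count users whose stored value equals another user's. On an
    unsalted dump this reveals shared (usually weak) passwords without
    any cracking; on a salted table it is always zero."""
    values = list(table.values())
    return sum(values.count(v) > 1 for v in values)

def unsalted_table(users=USERS) -> dict:
    return {u: unsalted_sha1(p) for u, p in users.items()}

def salted_table(users=USERS) -> dict:
    # 16 random bytes of salt per user from the OS CSPRNG.
    return {u: salted_hash(p, os.urandom(16)) for u, p in users.items()}
```

Running `duplicate_hashes` over both tables shows alice and bob sharing a value only in the unsalted one; `verify` still accepts the right password against the salted entry.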