Coffeehouse Thread

57 posts

Conversation Locked

This conversation has been locked by the site admins. No new comments can be made.

Apparently the IPO didn't fund Linkedin enough to hire decent programmers

  • cbae

    The more interesting topic for me is how the hackers got into the database to begin with. IMO, that's a bigger security flaw than how the user passwords were stored.

    This is like criticizing somebody for using "1111" as the combination for a safe inside of a house while ignoring that the homeowner leaves the front door to the house wide open.

  • davewill

  • spivonious

    Ludicrous Speed....GO!

    Apparently my password wasn't leaked, but it would have been nice for LinkedIn to have sent out a message to its users.

  • magicalclick

    I wanted to change my password, but I stopped, because it wanted me to use all the crazy format, and I only use such a format on my more important passwords. Since the site has bad security, I actually just changed my password to 12345 and let the hacker steal it. I barely use LinkedIn.

    Leaving WM on 5/2018 if no apps, no dedicated billboards where I drive, no Store name.

  • ScanIAm

    cbae wrote:

    The more interesting topic for me is how the hackers got into the database to begin with. IMO, that's a bigger security flaw than how the user passwords were stored.

    This is like criticizing somebody for using "1111" as the combination for a safe inside of a house while ignoring that the homeowner leaves the front door to the house wide open.

    Even more interesting is why I continue to use LinkedIn. It's nothing more than a way for clueless and lazy recruiters to harass developers.

  • GoddersUK

    Looks like last.fm have been hit too - http://nakedsecurity.sophos.com/2012/06/07/last-fm-password/.

    Their "sorry for the inconvenience" doesn't really help when it means I have to replace my password across a multitude of websites (most of which I can't even remember). I'm just thankful I use unique passwords and two factor authentication for important sites like my email, WLID, online banking and facebook.

  • blowdart

    GoddersUK wrote:

    Looks like last.fm have been hit too - http://nakedsecurity.sophos.com/2012/06/07/last-fm-password/.

    Their "sorry for the inconvenience" doesn't really help when it means I have to replace my password across a multitude of websites (most of which I can't even remember). I'm just thankful I use unique passwords and two factor authentication for important sites like my email, WLID, online banking and facebook.

    Only unique passwords for important sites? For shame sir.

    Mind you, I use lastpass to generate unique passwords for each site - my memory is not that good.

  • GoddersUK

    blowdart wrote:

    *snip*

    Only unique passwords for important sites? For shame sir.

    Mind you, I use lastpass to generate unique passwords for each site - my memory is not that good.

    I'm always reticent to trust a third party with my passwords, particularly when they want to sync them with the cloud (although I can see how that is a requirement for convenience's sake...). Currently I only use the password managers in Firefox and Opera, encrypting the password store in both with a master password.

    That said this inconvenience may be incentive enough for me to switch to something like lastpass.

  • blowdart

    GoddersUK wrote:

    That said this inconvenience may be incentive enough for me to switch to something like lastpass.

    So, if you believe they do what they say they do, they're encrypting the passwords with your master password (pretty standard), so they can't see the actual data.

  • AndyC

    blowdart wrote:

    *snip*

    So, if you believe they do what they say they do, they're encrypting the passwords with your master password (pretty standard), so they can't see the actual data.

    Well, let's at least hope that LastPass is salting that....

  • blowdart

    AndyC wrote:

    *snip*

    Well, let's at least hope that LastPass is salting that....

    https://lastpass.com/whylastpass_technology.php

    LastPass strongly believes in using local encryption, and locally created one way salted hashes to provide you with the best of both worlds for your sensitive information: Complete security, while still providing online accessibility and syncing capabilities. We've accomplished this by using 256-bit AES implemented in C++ and JavaScript (for the website) and exclusively encrypting and decrypting on your local PC.

  • cheong

    @magicalclick: It depends. As it's partially a recruitment website, if you plan to use it this way, it deserves to be set with a strong password (a resume contains personal information that bad guys can do bad things with).

    However, this incident is bad enough that I have to think about whether to continue trusting them to hold my personal information.

    Recent Achievement unlocked: Code Avenger Tier 4/6: You see dead program. A lot!

  • 01001001

    As it's partially a recruitment website

    Here's a little trick with head hunters. Their contracts don't mean squat. You can easily directly contact whoever you interviewed with and negotiate the headhunter fee back to your pocket (and make sure the sleazy head hunter gets nothing, which is exactly how much they deserve).

    Headhunters charge between 10-20%.

    Just don't tell the "recruiter" and that's pretty much it. The head hunter may get mad, or they may threaten, but at the end of the day they're just a bunch of idiots with no clue, so they'll STFU and dissipate.

    I don't like how recruiters are allowed to stalk people on Linkedin, in particular though. That's probably the worst part of Linkedin, and Linkedin loves those people because they are the main customers for premium services.

  • ZippyV

    @blowdart: What about using bcrypt instead of SHA for hashing passwords? Isn't SHA too fast to prevent brute-forcing all the passwords (even with salt)?

  • blowdart

    ZippyV wrote:

    @blowdart: What about using bcrypt instead of SHA for hashing passwords? Isn't SHA too fast to prevent brute-forcing all the passwords (even with salt)?

    Yeah, there's been some interesting discussion around that recently. Even then it's only a matter of time before someone comes up with an optimised way to precompute bcrypt hashes; computation time is getting cheaper and cheaper.

    The only sensible advice I have around this is to store the algorithm used beside the salt and the hash so you can change it later when you have to and still support older hashes.

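The storage layout blowdart describes, as an added example that is not part of the thread or any project mentioned in it: each record carries the scheme id and cost beside the salt and the hash, so old records still verify and are re-hashed with the current scheme at the next successful login. The `scheme$cost$salt$hash` layout is an assumption, the unsalted SHA-1 scheme stands in for a legacy format, and standard-library PBKDF2-HMAC-SHA256 stands in for bcrypt.

```python
# Added example (not from the thread): store the hashing scheme and its cost
# alongside salt and hash, verify against whichever scheme produced a record,
# and upgrade legacy records when the user next logs in successfully.
# Assumptions: the "scheme$cost$salt_hex$hash_hex" layout, the unsalted
# "sha1" legacy scheme, and PBKDF2-HMAC-SHA256 standing in for bcrypt.
import hashlib
import hmac
import os

# Registry of schemes, keyed by the id stored in the record. "sha1" is an
# unsalted legacy scheme kept only so that old records can still be verified;
# it ignores salt and cost.
SCHEMES = {
    "sha1": lambda pw, salt, cost: hashlib.sha1(pw.encode()).digest(),
    "pbkdf2-sha256": lambda pw, salt, cost: hashlib.pbkdf2_hmac(
        "sha256", pw.encode(), salt, cost),
}
CURRENT_SCHEME = "pbkdf2-sha256"
CURRENT_COST = 100_000  # iteration count; raise it as hardware gets faster


def hash_password(password, scheme=CURRENT_SCHEME, cost=CURRENT_COST):
    """Return 'scheme$cost$salt_hex$hash_hex' for a new or re-hashed password."""
    salt = b"" if scheme == "sha1" else os.urandom(16)  # legacy scheme has no salt
    digest = SCHEMES[scheme](password, salt, cost)
    return f"{scheme}${cost}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Check a password against a stored record, whatever scheme produced it."""
    scheme, cost, salt_hex, hash_hex = record.split("$")
    digest = SCHEMES[scheme](password, bytes.fromhex(salt_hex), int(cost))
    return hmac.compare_digest(digest.hex(), hash_hex)  # constant-time compare


def needs_rehash(record):
    """True when the record uses an old scheme or a lower-than-current cost."""
    scheme, cost, _, _ = record.split("$")
    return scheme != CURRENT_SCHEME or int(cost) < CURRENT_COST


def login(password, record):
    """Verify the password; on success return (True, record to store back).

    The plaintext is only available at login, so that is the one moment a
    legacy record can be re-hashed under the current scheme."""
    if not verify_password(password, record):
        return False, record
    if needs_rehash(record):
        return True, hash_password(password)
    return True, record
```
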
  • ZippyV

    @blowdart: I'm eagerly waiting for the 2nd edition of your book.

  • 01001001

    It doesn't matter what algorithm you use (short of a public/private key). As long as you have the salt, you can run a dictionary against the sums, MD5, SHA1, etc.

    The salt can be computed from the hash of one single username which you know the password to.

    A portion of decrypted passes were posted after the LinkedIn attack which means they've already brute forced the passwords at this point.

    The real risk is not the compromised LinkedIn accounts, but the fact that people trust LinkedIn enough to use the same passwords as their bank, Gmail, PayPal, etc.

  • blowdart

    ZippyV wrote:

    @blowdart: I'm eagerly waiting for the 2nd edition of your book.

    Oh dear lord, the first was bad enough.
