Coffeehouse Thread

57 posts

Conversation Locked

This conversation has been locked by the site admins. No new comments can be made.

Apparently the IPO didn't fund Linkedin enough to hire decent programmers

  • cbae

    The more interesting topic for me is how the hackers got into the database to begin with. IMO, that's a bigger security flaw than how the user passwords were stored.

    This is like criticizing somebody for using "1111" as the combination for a safe inside of a house while ignoring that the homeowner leaves the front door to the house wide open.

  • davewill


  • spivonious

    Ludicrous Speed....GO!


    Apparently my password wasn't leaked, but it would have been nice for LinkedIn to have sent out a message to its users.

  • magicalclick

    I wanted to change my password, but I stopped, because it wanted me to use all the crazy format, and I only use such format on my more important password. Since the site has bad security, I actually just changed my password to 12345 and let the hacker steal it. I barely use LinkedIn.

    Leaving WM on 5/2018 if no apps, no dedicated billboards where I drive, no Store name.
  • ScanIAm

    , cbae wrote

    The more interesting topic for me is how the hackers got into the database to begin with. IMO, that's a bigger security flaw than how the user passwords were stored.

    This is like criticizing somebody for using "1111" as the combination for a safe inside of a house while ignoring that the homeowner leaves the front door to the house wide open.

    Even more interesting is why I continue to use LinkedIn. It's nothing more than a way for clueless and lazy recruiters to harass developers.

  • GoddersUK

    Looks like last.fm have been hit too - http://nakedsecurity.sophos.com/2012/06/07/last-fm-password/.

    Their "sorry for the inconvenience" doesn't really help when it means I have to replace my password across a multitude of websites (most of which I can't even remember). I'm just thankful I use unique passwords and two factor authentication for important sites like my email, WLID, online banking and facebook.


  • blowdart

    , GoddersUK wrote

    Looks like last.fm have been hit too - http://nakedsecurity.sophos.com/2012/06/07/last-fm-password/.

    Their "sorry for the inconvenience" doesn't really help when it means I have to replace my password across a multitude of websites (most of which I can't even remember). I'm just thankful I use unique passwords and two factor authentication for important sites like my email, WLID, online banking and facebook.


    Only unique passwords for important sites? For shame sir.

    Mind you, I use lastpass to generate unique passwords for each site - my memory is not that good.


  • GoddersUK

    , blowdart wrote

    *snip*

    Only unique passwords for important sites? For shame sir.

    Mind you, I use lastpass to generate unique passwords for each site - my memory is not that good.

    I'm always reticent to trust a 3rd party with my passwords, particularly when they want to sync them with the cloud (although I can see how that is a requirement for convenience sake...). Currently I only use the password managers in Firefox and Opera, encrypting the password store in both with a master password.

    That said this inconvenience may be incentive enough for me to switch to something like lastpass.

  • blowdart

    , GoddersUK wrote

    That said this inconvenience may be incentive enough for me to switch to something like lastpass.

    So if you believe they do what they say they do they're encrypting the passwords with your master password (pretty standard), so they can't see the actual data.

  • AndyC

    , blowdart wrote

    *snip*

    So if you believe they do what they say they do they're encrypting the passwords with your master password (pretty standard), so they can't see the actual data.

    Well, let's at least hope that lastpass is salting that....

  • blowdart

    , AndyC wrote

    *snip*

    Well, lets at least hope that lastpass is salting that....

    https://lastpass.com/whylastpass_technology.php

    LastPass strongly believes in using local encryption, and locally created one way salted hashes to provide you with the best of both worlds for your sensitive information: Complete security, while still providing online accessibility and syncing capabilities. We've accomplished this by using 256-bit AES implemented in C++ and JavaScript (for the website) and exclusively encrypting and decrypting on your local PC.

  • cheong

    @magicalclick: It depends. As it's partially a recruitment website, if you plan to use it this way, it deserves to be set with a strong password (resume contains personal information that bad guys can do bad things with)

    However this incident is bad enough that I have to think about whether continue trusting them to hold my personal information.

    Recent Achievement unlocked: Code Avenger Tier 4/6: You see dead program. A lot!
  • 01001001

    As it's partially a recruitment website

    Here's a little trick with head hunters. Their contracts don't mean squat. You can easily directly contact whoever you interviewed with and negotiate the headhunter fee back to your pocket. (And make sure the sleazy head hunter gets nothing, which is exactly how much they deserve.)

    Headhunters charge between 10-20%.

    Just don't tell the "recruiter" and that's pretty much it. The head hunter may get mad, or they may threaten, but at the end of the day they're just a bunch of idiots with no clue, so they'll STFU and dissipate.

    I don't like how recruiters are allowed to stalk people on Linkedin, in particular though. That's probably the worst part of Linkedin, and Linkedin loves those people because they are the main customers for premium services.

  • ZippyV

    @blowdart: What about using bcrypt instead of SHA for hashing passwords? Isn't SHA too fast to prevent brute-forcing all the passwords (even with salt)?

  • blowdart

    , ZippyV wrote

    @blowdart: What about using bcrypt instead of SHA for hashing passwords? Isn't SHA too fast to prevent brute-forcing all the passwords (even with salt)?

    Yea, there's been some interesting discussion around that recently. Even then it's only a matter of time before someone comes up with an optimised way to precompute bcrypt hashes - computation time is getting cheaper and cheaper.

    The only sensible advice I have around this is to store the algorithm used beside the salt and the hash so you can change it later when you have to and still support older hashes.
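
The advice in the post above (keep the algorithm and its parameters stored next to the salt and the hash, so that a fast hash can be retired later without locking out users whose rows still carry the old scheme) is shown below as an added example; it is not code from the thread, from blowdart's book, or from any vendor. The record layout `$<algorithm>$<params>$<salt>$<digest>` is an assumption made for this example, the "sha1" scheme stands in for the legacy fast hash the thread discusses, and PBKDF2-HMAC-SHA256 from the Python standard library stands in for the slow KDF (the thread mentions bcrypt, which is not in the standard library). The point is the verify-and-upgrade step: a login that succeeds against a legacy record is the one moment the plaintext is available to re-hash it under the current scheme.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed record format (an assumption for this example, not any real vendor's):
#   $<algorithm>$<parameters>$<salt-base64>$<digest-base64>
# Storing the algorithm and parameters beside the salt and digest is what lets
# the verifier keep accepting old rows while new rows use a slower KDF.
CURRENT_ALGORITHM = "pbkdf2_sha256"
CURRENT_ITERATIONS = 200_000
SALT_BYTES = 16


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.b64decode(text.encode("ascii"))


def _digest(algorithm: str, params: str, salt: bytes, password: str) -> bytes:
    """Compute the digest for one record's scheme; unknown schemes are rejected."""
    pw = password.encode("utf-8")
    if algorithm == "sha1":
        # Legacy scheme: one fast SHA-1 over salt||password. Cheap to compute,
        # therefore cheap to brute-force; kept only so old rows still verify.
        return hashlib.sha1(salt + pw).digest()
    if algorithm == "pbkdf2_sha256":
        # Current scheme: an iterated KDF whose cost is tunable via the stored
        # iteration count, so the cost can be raised later without a new format.
        return hashlib.pbkdf2_hmac("sha256", pw, salt, int(params))
    raise ValueError(f"unsupported algorithm: {algorithm}")


def hash_password(password: str, algorithm: str = CURRENT_ALGORITHM,
                  params: str = str(CURRENT_ITERATIONS),
                  salt: Optional[bytes] = None) -> str:
    """Produce a self-describing record; a fresh random salt per password by default."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    if algorithm == "sha1":
        params = ""  # the legacy scheme has no tunable parameter
    digest = _digest(algorithm, params, salt, password)
    return f"${algorithm}${params}${_b64(salt)}${_b64(digest)}"


def parse_record(record: str) -> Tuple[str, str, bytes, bytes]:
    fields = record.split("$")
    if len(fields) != 5 or fields[0] != "":
        raise ValueError("malformed password record")
    _, algorithm, params, salt_b64, digest_b64 = fields
    return algorithm, params, _unb64(salt_b64), _unb64(digest_b64)


def verify_password(password: str, record: str) -> bool:
    algorithm, params, salt, stored = parse_record(record)
    computed = _digest(algorithm, params, salt, password)
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(computed, stored)


def needs_rehash(record: str) -> bool:
    """True when the row uses an older algorithm or weaker parameters than current."""
    algorithm, params, _, _ = parse_record(record)
    return algorithm != CURRENT_ALGORITHM or params != str(CURRENT_ITERATIONS)


def verify_and_upgrade(password: str, record: str) -> Tuple[bool, str]:
    """Login path: verify, and if the row is stale, return a replacement record
    computed under the current scheme for the caller to persist."""
    if not verify_password(password, record):
        return False, record
    if needs_rehash(record):
        return True, hash_password(password)
    return True, record


if __name__ == "__main__":
    # Constructed legacy row, as a database migrated from a fast hash would hold.
    legacy = hash_password("correct horse battery staple", algorithm="sha1")
    ok, upgraded = verify_and_upgrade("correct horse battery staple", legacy)
    print("legacy row:", legacy)
    print("login ok:", ok, "| upgraded row:", upgraded)
    print("still needs rehash:", needs_rehash(upgraded))
```

Because the record names its own algorithm, raising `CURRENT_ITERATIONS` (or adding a new algorithm branch in `_digest`) changes nothing for existing rows; they keep verifying under the parameters they were written with and are rewritten on the user's next successful login.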


  • ZippyV

    @blowdart: I'm eagerly waiting for the 2nd edition of your book.

  • 01001001

    It doesn't matter what algorithm you use (short of a public/private key). As long as you have the salt, you can run a dictionary against the sums, MD5, SHA1, etc...

    The salt can be computed from the hash of one single username which you know the password to.

    A portion of decrypted passes were posted after the LinkedIn attack which means they've already brute forced the passwords at this point.

    The real risk is not the compromised Linkedin accounts, but the fact that people trust linkedin enough to use the same passwords as their bank, gmail, paypal, etc...

  • blowdart

    , ZippyV wrote

    @blowdart: I'm eagerly waiting for the 2nd edition of your book.

    Oh dear lord, the first was bad enough Smiley

