Wednesday, June 6, 2012

Time to Update Your LinkedIn Password

Change your LinkedIn password!  Also change it on any other site where you reuse that same password.  In case you missed it, about 6.5 million LinkedIn password hashes were leaked today.  They are unsalted SHA-1 hashes, which means every user who chose the same password has the identical hash, and an attacker can crack the whole list at once with one pass over a wordlist or a precomputed table of SHA-1 values.  That is not how a site should be storing user passwords.  A blog post from LinkedIn indicates that hashing and salting of user passwords was "recently put in place".  I wonder how recently?  Probably today.

If you are curious about whether your password was compromised, head over to LeakedIn.org, a site just launched by PHP security guru Chris Shiflett. (Side note: Chris authors a very informative blog and I've learned a lot about AppSec from his posts over the years.)  Once there, enter your LinkedIn password.  Client-side JavaScript code will produce the corresponding SHA-1 hash, then send only the hash value to the server.  You will soon find out if your password was part of the 6.5 million that were leaked and whether or not the hash has already been cracked.  If you don't feel comfortable entering your password, just run HashCalc locally to calculate the SHA-1 hash of your password and enter the hash value instead.  Keep in mind that an unsalted SHA-1 hash of a weak password is nearly as sensitive as the password itself, since it can be cracked offline, so treat the hash as a secret too and change the password whether or not the lookup finds it.  I did this check today and my password was indeed among those that were leaked, but it hadn't been cracked yet.
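To make the two points above concrete, here is an added example (my code, not LeakedIn's or LinkedIn's) that does the lookup entirely offline and shows why the lack of a salt matters. `SAMPLE_LEAKED_HASHES` is a constructed stand-in for the leaked list, built from a few weak passwords; `check_leaked` is the local equivalent of the LeakedIn check (hash locally, look it up, send nothing); `crack_unsalted` shows that one SHA-1 per wordlist entry recovers every account that chose that word; and `store_salted`/`verify_salted` show the alternative using a random per-user salt and PBKDF2-HMAC-SHA256, which is my choice for illustration, not a statement of what LinkedIn deployed. The iteration count is also an assumption.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the leaked dump: SHA-1 digests of a few weak
# passwords, computed here rather than copied from the real 6.5 million.
SAMPLE_LEAKED_HASHES = {
    hashlib.sha1(p.encode("utf-8")).hexdigest()
    for p in ("password", "linkedin", "123456")
}

# Assumed work factor for the salted alternative below (illustrative only).
ITERATIONS = 100_000


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 hex digest: the form the leaked entries are in."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def check_leaked(password: str, leaked=SAMPLE_LEAKED_HASHES) -> bool:
    """Local version of the LeakedIn lookup: hash on this machine and look
    the hash up in a local copy of the list. Nothing leaves the box."""
    return sha1_hex(password) in leaked


def crack_unsalted(leaked, wordlist) -> dict:
    """Why no salt is so bad: with identical hashes for identical passwords,
    one SHA-1 per wordlist entry cracks every account that chose that word.
    Returns {hash: recovered_password} for every hit in the dump."""
    table = {sha1_hex(w): w for w in wordlist}
    return {h: table[h] for h in leaked if h in table}


def store_salted(password: str, salt=None):
    """Proper storage: random per-user salt plus a slow hash (PBKDF2-HMAC-
    SHA256 here), so two users with the same password store different
    values and each guess costs ITERATIONS hashes instead of one."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_salted(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt; constant-time compare of the result."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    print(check_leaked("password"))  # True
    print(check_leaked("correct horse battery staple"))  # False
    # One pass over a three-word list recovers one entry of the sample dump.
    print(crack_unsalted(SAMPLE_LEAKED_HASHES, ["letmein", "password", "qwerty"]))
    s1, d1 = store_salted("password")
    s2, d2 = store_salted("password")
    print(d1 != d2, verify_salted("password", s1, d1))  # True True
```

Run it against a real wordlist and the full dump and `crack_unsalted` is exactly what the crackers did today; the salted version forces them to redo that work per user, at a much higher cost per guess.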

Needless to say, I've changed my LinkedIn password.  It's a perfect example of why you should be using a different password for every site you use.