LinkedIn Password Leak: Salt Their Hide

Let me walk through the process of password protection and explain why unsalted passwords are only infinitesimally better than plaintext passwords:

via LinkedIn Password Leak: Salt Their Hide – ACM Queue.

Conclusion

LinkedIn is learning fast right now; according to their damage control missives, they have now implemented salting and “better hashing.” But we have yet to find out why nobody objected to them protecting 150+ million user passwords with 1970s methods.

And everybody else should take notice too: Even if you use md5crypt, you should upgrade your password scrambling algorithm. As a rule of thumb: If it does not take a full second to calculate the password hash, it is too weak.
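An added example (not from the ACM Queue article or from LinkedIn) that makes both points above concrete: with a single unsalted fast hash, two users who chose the same password get the same stored value, so one guess or one precomputed table covers every account sharing it; a per-user salt removes that, and an iterated hash lets you raise the cost until one computation takes about a second on your hardware. The user names and passwords are constructed sample data, and PBKDF2-HMAC-SHA256 from the Python standard library stands in for whatever "better hashing" LinkedIn chose.

```python
import hashlib
import hmac
import os
import time
from collections import Counter

# Constructed sample data for the demonstration: two users picked the same password.
SAMPLE_USERS = {"alice": "Summer2012", "bob": "Summer2012", "carol": "correct horse battery"}

def unsalted_sha1(password: str) -> str:
    """Single fast hash, no salt: the 1970s-style scheme the article criticises."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def salted_hash(password: str, salt: bytes, iterations: int) -> bytes:
    """Salted, iterated hash using PBKDF2-HMAC-SHA256 from the standard library."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

def store(password: str, iterations: int) -> tuple:
    """Build a stored record: per-user random salt, work factor, digest."""
    salt = os.urandom(16)
    return (salt, iterations, salted_hash(password, salt, iterations))

def verify(password: str, record: tuple) -> bool:
    """Recompute with the stored salt and work factor; compare in constant time."""
    salt, iterations, digest = record
    return hmac.compare_digest(salted_hash(password, salt, iterations), digest)

def shared_hash_users(hashes: dict) -> int:
    """Number of users whose stored hash equals another user's.
    Without a salt, equal passwords give equal hashes, so one precomputed table
    serves the whole leaked set and one hit cracks every account sharing it."""
    counts = Counter(hashes.values())
    return sum(1 for h in hashes.values() if counts[h] > 1)

def calibrate_iterations(target_seconds: float = 1.0, start: int = 1000) -> int:
    """Double the PBKDF2 work factor until one hash takes at least target_seconds
    on this machine, following the article's one-second rule of thumb."""
    iterations = start
    while True:
        t0 = time.perf_counter()
        salted_hash("calibration", b"\x00" * 16, iterations)
        if time.perf_counter() - t0 >= target_seconds:
            return iterations
        iterations *= 2

if __name__ == "__main__":
    unsalted = {u: unsalted_sha1(p) for u, p in SAMPLE_USERS.items()}
    salted = {u: store(p, 10_000)[2] for u, p in SAMPLE_USERS.items()}
    print("users sharing an unsalted hash:", shared_hash_users(unsalted))  # 2
    print("users sharing a salted hash:", shared_hash_users(salted))        # 0
    print("iterations for ~1 s on this machine:", calibrate_iterations())
```

Re-run the calibration whenever the hardware changes, and store the iteration count with each record so old entries can be upgraded at the user's next login.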