Excerpt
LinkedIn’s use of unsalted SHA-1 for password hashing exposed users to brute force attacks. Their quick response fixed the issue highlighting the importance of proper hashing and security audits.
Introduction
LinkedIn is one of the world’s largest professional networking platforms with over 700 million members. Like any user-centric online service, password security is paramount for LinkedIn to protect its users’ accounts.
In 2012, LinkedIn was found to be using the unsalted SHA-1 algorithm to hash stored user passwords. This raised serious security concerns due to the weaknesses of unsalted SHA-1. This post examines why LinkedIn made this choice, the associated risks, and how LinkedIn responded to the issue.
Background on Password Hashing
Password hashing is the process of converting passwords into unreadable strings called hashes. It enables secure password storage.
Common hashing algorithms used are MD5, SHA-1, SHA-256 and bcrypt. The hash output does not reveal the original password.
When a user logs in, the entered password is hashed and matched against the stored hash to authenticate access.
LinkedIn’s Password Security Issue
In June 2012, security researchers discovered that LinkedIn was using the unsalted SHA-1 algorithm to hash user passwords before storing them.
This presented a glaring vulnerability as unsalted SHA-1 hashes are highly susceptible to brute force attacks due to their speed and simplicity.
Reasons Behind LinkedIn’s Choice
LinkedIn likely chose unsalted SHA-1 due to:
Widespread use - SHA-1 was commonly used at the time by many services.
Computational simplicity - SHA-1 is relatively fast to compute compared to algorithms like bcrypt. This reduced operational costs for LinkedIn.
Lack of awareness - In 2012, the weaknesses of SHA-1 were not as well understood and documented.
Overall, unsalted SHA-1 was convenient and standard practice then, though highly insecure against modern brute force attacks.
Impact on User Accounts
The use of unsalted SHA-1 to hash passwords exposed LinkedIn’s users to significant risks:
Made brute force cracking of passwords extremely easy. Hacker groups could easily decrypt user passwords.
Increased chance of credential stuffing attacks using leaked passwords.
Vulnerable to preimage attacks where attackers can find passwords matching known hashes.
This undermined the security of user accounts and data on the platform.
LinkedIn’s Response and Actions Taken
As soon as the unsalted SHA-1 issue became public, LinkedIn responded swiftly:
Required users to change passwords immediately to address the direct risks. New passwords used better salted hashing.
Implemented salted iterative hashing using 10000 SHA-256 rounds. This increased computing workload for brute force attacks.
Offered affected users one year of free identity protection insurance.
Listed enhancing security as a top priority going forward.
LinkedIn received some criticism for the lapse. But their transparent response and quick corrective actions were lauded.
Lessons Learned and Recommendations
The LinkedIn case exemplifies the importance of using proper password hashing techniques:
Always use salted password hashing, preferably with a slow key derivation function like bcrypt, PBKDF2 or Argon2.
Regularly reevaluate password practices against latest standards and recommendations.
Follow a defense-in-depth approach with multifactor authentication and other layers of protection.
Proactively audit security measures before vulnerabilities are exploited.
Maintain transparency with users and be quick to respond to discovered issues.
For any online service handling user credentials today, these lessons are essential to ensure security and build trust.
Conclusion
LinkedIn’s use of unsalted SHA-1 hashing exposed user accounts to serious risks of credential theft and brute force attacks. While security lapses occurred, LinkedIn responded well by promptly fixing the issues and keeping users informed. The case highlights why using proper password hashing with salt and slow key stretching is critical, along with constant security evaluations. For an online platform, robust password protection should be the top priority.