LinkedIn: Unsalted, Assaulted and Faulted

An extremely determined and talented digital intruder can find way to break the security of just about website. So when you hear a site getting hacked, the that there was a break-in doesn't necessarily mean anyone was incredibly lazy or inept or asleep at the switch. Sometimes a site just gets outplayed a criminal genius.

Other times, , the circumstances of intrusion indicate that the site really was flat-out doing security . Sometimes a site really does leave the door unlocked and open.

That seems to be what happened LinkedIn (NYSE: LNKD) recently. The site suffered a break-in, the intruders swiped files containing many users' logins and passwords. That's not good, but it's a setback that could been mitigated by following some longstanding best practices, encrypting that data so that even if someone should steal it, they couldn't any sense of it.

But apparently that practice had been followed. After the breach, LinkedIn indicated going forward, the new passwords that victims put on their accounts, as as the passwords used by members whose data wasn't stolen, will hashed and salted. That's a delicious way to say that the data will be scrambled in to make it very difficult thieves to use it. It also implies that the time of the break-in, LinkedIn wasn't hashing and salting anything. The thieves stole raw potatoes.

Sure enough, millions of users' passwords appear to been exposed.

If LinkedIn indeed hadn't hashing and salting users' passwords, the incident exposed an embarrassingly weak security practice. Some users it in stride, saying that if anyone breaks their LinkedIn profile, that'll be the first visit it's had in years. For others, it's joke -- LinkedIn's a site for career networking, and some profiles could hold some very sensitive info.

Mucking with people's actual LinkedIn pages probably isn't what intruders really have in mind, though. Like with a lot of other sites, LinkedIn users in using an email address/password combo, and lots of people are in the of using the exact same email-password combo for all the sites visit, banking and credit card sites. Try enough cracked combos at enough sites, and are you'll gain access to something much interesting than who someone's coworkers are.

Adapted from: TechNewWorld, June 9, 2012; Available at