Even the finest sword plunged into salt water will eventually rust. Sun Tzu *
Yesterday, the word of the day at LinkedIn was “Salt” (in the cryptographic sense and not the NaCl sense). Some dodgy fellow made off with at least some of the LinkedIn password database. Those passwords were not stored in cleartext (thank Jupiter) but the hashes weren’t salted. Without a salt, the same password always produces the same hash, so every guess an attacker hashes can be checked against the whole database at once. This means tools like John the Ripper can be used to find the original password, and that is exactly what happened.
If you are a software developer and you work on public-facing web sites, here is the LinkedIn lesson:
- Always use salt with your password hashing scheme.
- Use slow hashing functions like bcrypt or scrypt rather than fast hashing functions like MD5, the SHA family, etc.
* Note on epigram: Security nerds love to quote Sun Tzu and this was the only Sun Tzu quote I could find that had some salt in it.