LinkedIn: A little common sense

The fact that LinkedIn was breached has been well covered and confirmed, but in their confirmation they said something that I personally found insulting, more than anything else:

It is worth noting that the affected members who update their passwords and members whose passwords have not been compromised benefit from the enhanced security we just recently put in place, which includes hashing and salting of our current password databases.

So, they just recently started salting their hashes? Seriously?

Storing passwords via unsalted SHA-1 is not only unsafe, it’s reckless. When you store user credentials, you have a responsibility to your users to keep their data safe – in this case LinkedIn failed, epically. Had they bothered to think about security, or hired people who understood even the most basic principles of secure application development – this wouldn’t have happened.

When properly implemented, hashed data shouldn’t be (practically) reversible to its original value – that is, after all, the purpose of hashing. Tweets like this, though, make it painfully clear just how wrong LinkedIn got it:
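To make the difference concrete, here is an added example (my own code, not anything from LinkedIn) contrasting the unsalted SHA-1 storage the post criticises with a per-user salt plus a deliberately slow hash. The sample accounts are constructed, and PBKDF2-HMAC-SHA256 is my choice of slow password hash; any purpose-built password hash would serve the same point.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample accounts; two of them chose the same password.
USERS = {"alice": "linkedin", "bob": "linkedin", "carol": "s3cr3t-phrase"}


def unsalted_sha1(password: str) -> str:
    """The scheme the post criticises: one bare SHA-1 over the password.
    Equal passwords yield equal hashes, so one precomputed table serves
    every account at once."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = 200_000) -> str:
    """Random per-user salt plus a slow KDF (PBKDF2-HMAC-SHA256, chosen here
    as an assumption). The salt is stored alongside the digest, not hidden."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in
    constant time so the check itself does not leak the digest."""
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def duplicate_password_groups(records: Dict[str, str]) -> int:
    """Count stored hashes shared by more than one account. Unsalted storage
    exposes this structure to anyone holding the dump; salted storage hides it."""
    counts: Dict[str, int] = {}
    for h in records.values():
        counts[h] = counts.get(h, 0) + 1
    return sum(1 for c in counts.values() if c > 1)


if __name__ == "__main__":
    plain = {u: unsalted_sha1(p) for u, p in USERS.items()}
    salted = {u: salted_hash(p) for u, p in USERS.items()}
    print("shared hashes, unsalted SHA-1:", duplicate_password_groups(plain))
    print("shared hashes, salted PBKDF2: ", duplicate_password_groups(salted))
    print("verify alice:", verify("linkedin", salted["alice"]))
```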

They violated the most basic security principles, but more importantly, they violated their users’ trust.