Having your password database compromised is bad. But that turned out to not be the worst part of what happened. Although I didn’t see it mentioned in any of the official LinkedIn posts, people quickly realized that the passwords were hashed using SHA-1. No salts, no stretching, just a plain, single-round SHA-1. That made finding the plaintext version of the password for millions of LinkedIn accounts fairly simple.
Using bcrypt with a decent random salt generator and good work factor would have been much better.
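As an added illustration (not code from the original post), here is the unsalted single-round scheme beside a salted, stretched one with a tunable work factor. The post recommends bcrypt; this example uses the standard library's PBKDF2-HMAC-SHA256 as a stand-in (an assumption, chosen so it runs without third-party packages), and the two users and their shared password are constructed.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample: two users who happened to pick the same password.
USERS = {"alice": "linkedin2012", "bob": "linkedin2012"}


def weak_hash(password: str) -> str:
    """What the leaked table looked like: one round of SHA-1, no salt.
    Identical passwords yield identical hashes, so one cracked hash (or one
    precomputed table entry) covers every account that shares it."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def strong_hash(password: str, iterations: int = 600_000,
                salt: Optional[bytes] = None) -> str:
    """Salted and stretched. PBKDF2-HMAC-SHA256 stands in for bcrypt here
    (assumption); the iteration count is the work factor, and a fresh random
    salt per user means equal passwords no longer produce equal records."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Store the parameters with the digest so the work factor can be raised later.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


def duplicate_records(hash_fn) -> int:
    """Count users whose stored record is identical to another user's."""
    records = list(hash_fn(pw) for pw in USERS.values())
    return sum(1 for r in records if records.count(r) > 1)


if __name__ == "__main__":
    print("users sharing a SHA-1 hash:", duplicate_records(weak_hash))
    print("users sharing a salted record:", duplicate_records(strong_hash))
    record = strong_hash("linkedin2012")
    print("correct password verifies:", verify("linkedin2012", record))
    print("wrong password verifies:", verify("LinkedIn2012", record))
```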
This made it very clear to me that if a site like LinkedIn can make the mistake of using a poor password storage method, anyone can. I made a repeating calendar entry for 6 June of every year to be “Password Anniversary Day”. On Password Anniversary Day (6/6) I pick a few sites that I have accounts on, more or less at random, and change my password. Just in case.
My Tweet about this on 6 June 2012:
Happy Password Anniversary Day everyone.
— Joseph Scott (@josephscott) June 6, 2012