Password Anniversary Day

Exactly one year ago today it was announced that part of the LinkedIn password database had been shared online. There were many posts about it.

Having your password database compromised is bad. But that turned out not to be the worst part of what happened. Although I didn’t see it mentioned in any of the official LinkedIn posts, people quickly realized that the passwords were hashed using SHA-1. No salts, no stretching, just a plain, single-round SHA-1. Without a salt, every user who chose the same password gets the same hash, and one precomputed table of hashed guesses (or one pass over a wordlist) covers every account in the dump at once; without stretching, each guess costs a single cheap hash. That made recovering the plaintext password for millions of LinkedIn accounts fairly simple.

Using bcrypt with a per-user salt from a decent random number generator and a work factor high enough to make every guess expensive would have been much better.
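As an added example (this is not code from the original post), the following Python puts the two schemes side by side: the unsalted single-round SHA-1 table as it leaked, the dictionary attack that cracks it with one hash per guess, and a salted, stretched alternative with the same attack run against it so the cost difference is visible. PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt so that the example runs with no third-party packages; `bcrypt.hashpw()` would fill the same role. The wordlist and the four accounts are constructed here, not taken from any real dump.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

# Constructed sample data (not from the real dump): a tiny wordlist and the
# passwords behind four accounts. Real attacks use lists of tens of millions.
WORDLIST = ["123456", "password", "linkedin", "letmein", "qwerty"]


def sha1_unsalted(password: str) -> str:
    """The weak scheme: one round of SHA-1, no salt, stored as hex."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# What a leaked table of unsalted hashes looks like. alice and carol chose
# the same password, so their rows are byte-for-byte identical.
DUMP_SHA1 = {
    "alice": sha1_unsalted("123456"),
    "bob": sha1_unsalted("password"),
    "carol": sha1_unsalted("123456"),
    "dave": sha1_unsalted("c0rr3ct-h0rse-b@ttery"),  # not in the wordlist
}


def crack_unsalted(dump: Dict[str, str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Dictionary attack on unsalted single-round hashes.

    With no salt, each candidate word is hashed ONCE and every account is
    looked up in the same table, so the work is len(wordlist) SHA-1 calls
    regardless of how many accounts leaked. Returns (cracked, hash_calls).
    """
    table = {sha1_unsalted(word): word for word in wordlist}
    cracked = {user: table[h] for user, h in dump.items() if h in table}
    return cracked, len(table)


# ---- the better scheme: per-user random salt plus a tunable work factor ----

ITERATIONS = 200_000  # work factor; raise it as hardware gets faster


def pbkdf2_store(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, stretched storage in the form algorithm$iterations$salt$digest.

    PBKDF2-HMAC-SHA256 stands in for bcrypt here because it ships with the
    Python standard library; bcrypt.hashpw() plays the same role.
    """
    salt = os.urandom(16)  # fresh per password from the OS CSPRNG
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def crack_salted(dump: Dict[str, str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """The same dictionary attack against salted, stretched hashes.

    The salt forces a separate derivation for every (account, word) pair and
    the iteration count makes each derivation expensive, so the attacker's
    cost becomes len(dump) * len(wordlist) * iterations hash calls instead
    of len(wordlist). Returns (cracked, derivations_performed).
    """
    cracked: Dict[str, str] = {}
    derivations = 0
    for user, stored in dump.items():
        for word in wordlist:
            derivations += 1
            if pbkdf2_verify(word, stored):
                cracked[user] = word
                break
    return cracked, derivations


if __name__ == "__main__":
    cracked, calls = crack_unsalted(DUMP_SHA1, WORDLIST)
    print("unsalted SHA-1:", cracked, "with", calls, "hash calls in total")

    dump_salted = {user: pbkdf2_store(pw) for user, pw in
                   [("alice", "123456"), ("carol", "123456"), ("dave", "c0rr3ct-h0rse-b@ttery")]}
    cracked, derivations = crack_salted(dump_salted, WORDLIST)
    print("salted PBKDF2:", cracked, "after", derivations,
          "derivations of", ITERATIONS, "iterations each")
```

Weak passwords are still cracked under the salted scheme, which is the point: salting and stretching do not rescue "123456", they only make each guess cost a full derivation per account instead of one shared SHA-1 call, and they stop alice's and carol's identical passwords from being visible as identical rows.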

This made it very clear to me that if a site like LinkedIn can make the mistake of using a poor password storage method, anyone can. I made a repeating calendar entry for 6 June of every year to be “Password Anniversary Day”. On Password Anniversary Day (6/6) I pick a few sites that I have accounts on, more or less at random, and change my password. Just in case.

My Tweet about this on 6 June 2012:

Happy Password Anniversary Day everyone.

2 thoughts on “Password Anniversary Day”

  1. Well, rotating your passwords won’t change the storage method used by the provider. All it does is, if the DB is leaked, put an expiration date on how long the password will last, as you’re well aware.

    With that, I really like this idea. I’m generally not a fan of rotating passwords, but creating a “Password Anniversary Day” might raise enough awareness for all providers to either use bcrypt() or 5k key stretching rotations, complete with random salts.

  2. As a user I don’t have much control over the password storage method, so the best I can do is change it periodically.

    If this raises the awareness level at all of how to properly store passwords then I’d consider this a huge win.
