Hackers stole the passwords of six million LinkedIn users last week. The New York Times’s Nicole Perlroth says the reason this happened is simple: experts tell her LinkedIn took a rather lax approach to protecting user passwords.
On a grading scale of A through F, experts say, LinkedIn, eHarmony and Lastfm.com would get, at best, a “D” for password security. The most negligent thing a company can do with users’ passwords is store them in plain text.
The most basic step they can take to protect passwords is camouflage them with basic encryption — what is known as “hashing” — in which they mash up a password with a mathematical algorithm and store only the encoded, or “hashed,” version.
To make hackers’ jobs more difficult, diligent companies will append a series of random digits to the end of each hashed value, a process known as “salting,” which requires only a few more lines of code and can be done at no cost.
Salting passwords, security experts say, is Security 101 — a basic step that LinkedIn, eHarmony and Lastfm.com all failed to take.
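To make the hashing-versus-salting distinction concrete, here is an added Python example (not code from the article or from any of the companies it names). It contrasts the unsalted scheme the experts graded a “D” with a per-user random salt, and goes one step beyond the article by running the salted hash through an iterated key-derivation function (PBKDF2-HMAC-SHA256). The account names, passwords, the choice of SHA-256 and the iteration count are all constructed assumptions for illustration.

```python
"""Added example (not from the article): unsalted vs. salted password storage.

Shows why an unsalted hash lets one cracked password unlock every account
that shares it, and how a per-user random salt (plus an iterated KDF, a
step beyond the article's 'few more lines of code') prevents that.
All account names, passwords and parameters below are constructed.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample accounts; two users happen to share the same password.
SAMPLE_ACCOUNTS = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse"}

ITERATIONS = 100_000  # assumed PBKDF2 work factor; tune to your hardware


def unsalted_hash(password: str) -> str:
    """The 'D grade' scheme: a bare hash of the password, nothing else.

    Identical passwords always produce identical digests, so anyone who
    obtains the table can recover every shared password with a single
    lookup in a precomputed table.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> str:
    """Salted, iterated hash: PBKDF2-HMAC-SHA256 over the password and salt."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return digest.hex()


def make_record(password: str, salt: Optional[bytes] = None) -> Dict[str, object]:
    """What the database should store: salt, work factor and digest.

    The plaintext password is never stored. A fresh 16-byte random salt is
    generated per user unless one is supplied (only useful for tests).
    """
    salt = os.urandom(16) if salt is None else salt
    return {
        "salt": salt.hex(),
        "iterations": ITERATIONS,
        "hash": salted_hash(password, salt, ITERATIONS),
    }


def verify(password: str, record: Dict[str, object]) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt = bytes.fromhex(str(record["salt"]))
    candidate = salted_hash(password, salt, int(str(record["iterations"])))
    return hmac.compare_digest(candidate, str(record["hash"]))


def duplicate_digests(accounts: Dict[str, str], salted: bool) -> int:
    """Count stored digests that duplicate another user's digest.

    With unsalted hashing, users sharing a password share a digest; with
    per-user salts every digest is unique even for identical passwords.
    """
    if salted:
        digests = [str(make_record(pw)["hash"]) for pw in accounts.values()]
    else:
        digests = [unsalted_hash(pw) for pw in accounts.values()]
    return len(digests) - len(set(digests))


if __name__ == "__main__":
    print("duplicate digests, unsalted:", duplicate_digests(SAMPLE_ACCOUNTS, salted=False))
    print("duplicate digests, salted:  ", duplicate_digests(SAMPLE_ACCOUNTS, salted=True))
    rec = make_record("hunter2")
    print("verify correct password:", verify("hunter2", rec))
    print("verify wrong password:  ", verify("hunter3", rec))
```

Running the script shows one duplicate digest in the unsalted table (alice and bob) and none in the salted one; the salt is stored beside the digest because it is not a secret, its job is only to make each user's digest unique so that a precomputed table cannot be reused across accounts.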