LinkedIn is struggling with the aftermath of a serious password breach. It has not yet admitted the full scope of the security hit it has taken.
Both LinkedIn and eHarmony demonstrably failed to use security best-practices to store passwords at rest. The passwords in the posted list were run through a hash function (SHA-1) but "salt" was not added: extra randomness that protects against brute-force attacks. Even passwords that follow all the guidelines -- uppercase and lowercase letters, numbers, punctuation -- can be recovered with little difficulty from their SHA-1 hash.
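To make the difference concrete, here is an added Python example (not code from the article, LinkedIn or eHarmony) that stores the same three constructed sample accounts two ways: a bare SHA-1 of the password, as in the leaked list, and a random per-user salt with a deliberately slow derivation (PBKDF2-HMAC-SHA256 from the standard library; bcrypt, scrypt or Argon2 would serve equally well). The account data, the short weak-password list and the iteration count are all assumptions for the demonstration. It shows two things the article's explanation leaves implicit: without salt, users who chose the same password have identical hashes and so expose each other, and a single hash computation per candidate tests every account in the database at once; with per-user salt each (candidate, user) pair needs its own derivation, and the iteration count is what makes each of those derivations expensive.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample data for the demonstration; not real LinkedIn or eHarmony records.
# Two of the three users chose the same password.
SAMPLE_ACCOUNTS = {
    "alice": "Tr0ub4dor&3",
    "bob": "Tr0ub4dor&3",
    "carol": "correct horse battery",
}

# Hypothetical list of known-weak passwords an auditor checks the store against.
WEAK_CANDIDATES = ["password", "linkedin", "Tr0ub4dor&3"]

PBKDF2_ITERATIONS = 100_000  # assumed work factor; tune so one derivation takes ~100 ms on your hardware


def hash_unsalted_sha1(password: str) -> str:
    """Scheme found in the leaked list: a bare SHA-1 of the password, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_salted_pbkdf2(password: str, salt: Optional[bytes] = None) -> tuple:
    """Hardened form: random per-user salt plus a slow key derivation (PBKDF2-HMAC-SHA256).
    Returns (salt, digest); the salt is stored in the clear beside the digest and need not be secret."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_salted_pbkdf2(password: str, salt: bytes, digest: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def shared_password_groups(stored: dict) -> list:
    """Groups of users whose stored values are identical. With unsalted hashes this
    reveals every set of users who picked the same password without cracking anything."""
    by_value: dict = {}
    for user, value in stored.items():
        by_value.setdefault(value, set()).add(user)
    return [users for users in by_value.values() if len(users) > 1]


def audit_unsalted(stored: dict, candidates: list) -> tuple:
    """Check a weak-password list against unsalted SHA-1 records.
    One hash computation per candidate is compared against every account at once."""
    lookup: dict = {}
    for user, digest in stored.items():
        lookup.setdefault(digest, []).append(user)
    matched, computations = {}, 0
    for pw in candidates:
        computations += 1
        for user in lookup.get(hash_unsalted_sha1(pw), []):
            matched[user] = pw
    return matched, computations


def audit_salted(stored: dict, candidates: list) -> tuple:
    """Same check against salted PBKDF2 records. Each (candidate, user) pair needs its
    own derivation, so the work is candidates x users, and every derivation is slow."""
    matched, computations = {}, 0
    for user, (salt, digest) in stored.items():
        for pw in candidates:
            computations += 1
            if verify_salted_pbkdf2(pw, salt, digest):
                matched[user] = pw
                break
    return matched, computations


if __name__ == "__main__":
    unsalted = {u: hash_unsalted_sha1(p) for u, p in SAMPLE_ACCOUNTS.items()}
    salted = {u: hash_salted_pbkdf2(p) for u, p in SAMPLE_ACCOUNTS.items()}
    print("shared passwords visible without cracking, unsalted:", shared_password_groups(unsalted))
    print("shared passwords visible without cracking, salted:  ", shared_password_groups(salted))
    print("unsalted audit (matches, hash computations):", audit_unsalted(unsalted, WEAK_CANDIDATES))
    print("salted audit   (matches, hash computations):", audit_salted(salted, WEAK_CANDIDATES))
```

Run as a script, the unsalted store shows alice and bob sharing a hash and both matched after three SHA-1 computations; the salted store shows no shared values and needs nine slow derivations for the same three candidates. Scaled to millions of accounts, that multiplier, together with the per-derivation cost, is the whole difference between the "already cracked" and "too difficult" columns of Graham's estimate.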
A back-of-the-envelope calculation by Errata Security says that an attacker, using just a single computer, can break a 5-character password in 5 seconds; 6 characters in 9 minutes; 7 characters in 13 hours; 8 characters in 57 days; 9 characters in 15 years. "In other words," Errata Security's Robert David Graham writes, "if your password was 7 letters, the hacker has already cracked it, but if it's 9 letters, it's too difficult to crack with brute force" -- on a single machine at any rate.
Both LinkedIn and eHarmony are reacting to the breach as if only accounts represented by the leaked password hashes have been compromised. This is disingenuous in the extreme. Ars Technica and others make the very reasonable assumption that the posted hashes represent passwords that the original attackers had not been able to crack. Ars gives a figure of 8 million for the size of the leaked list of password hashes. Of these, 1.5 million appear to belong to eHarmony.
If these figures are right (and other accounts come to different conclusions about the totals), this means that the attackers were publicly asking for help in cracking 4.1 percent of LinkedIn's 160 million accounts. In other words, on the reasonable assumption that the attackers are actually in possession of the entire hashed password database from LinkedIn, they had already cracked 95.9 percent of them.
Are you safe?
So if your old LinkedIn password was in the leaked list (you can check it here) -- you have changed your password already, haven't you? -- all it means is that you were in the top 4 percent for password strength. It does not mean that your account was not compromised.
LinkedIn has now said that it has begun salting its hashes, so newly changed passwords will be essentially impossible to guess by brute force if they leak again. Does that mean your account is safe? Not at all.
The biggest mistake LinkedIn is making -- if its meager public statements are to be believed -- is in not admitting, and acting as if, its systems are 100 percent compromised and owned. It has not said it found the vulnerability that let the attackers in, much less patched it, much less cleaned its systems of residual compromises.
There is strong circumstantial evidence that the attackers broke into LinkedIn's systems at least three weeks ago.
LinkedIn's public communication about the breach has been grossly deficient. On Wednesday, many hours elapsed between the point at which the security community (and Twitter) were 100 percent convinced that LinkedIn had been breached and LinkedIn's own admission of it. As noted above, it then adopted the stance that only the accounts represented in the leaked password hash list had been compromised -- not 96 percent of all accounts and counting. It touted its newfound hash-plus-salt religion, as if users were now fully protected -- not admitting that if the attackers are still in its systems, they should be assumed to have access to the salt used, the algorithms, and everything else LinkedIn once believed to be secure.
The agility lessons here are obvious. Use security best-practices. If breached, communicate quickly, honestly, frequently, and fully. And finally, plan to be owned, and know how you will react and recover when it happens.