
LinkedIn Security Breach: 6M Hashed Passwords Potentially Leaked

By: Alastair Revell, Managing Consultant, Revell Research Systems
Published: 6th June 2012
Copyright Revell Research Systems © 2012

Claims circulating on the Web today, and reported by the BBC, state that some six million passwords from LinkedIn have been leaked on a Russian Internet site in encrypted (hashed) form.

LinkedIn, which has around 150 million users, has responded via a tweet that they are investigating these claims.

Graham Cluley, from Sophos, is reported by the BBC as saying: "We've confirmed there are LinkedIn passwords in the data. We did this by searching through the data for (hashed) passwords that we at Sophos use only on LinkedIn. We found those passwords in the data. We also saw that hundreds of the passwords contain the word 'Linkedin'."

This strongly suggests that LinkedIn may only be hashing and not salting their passwords properly (if at all). Hashing is a one-way transformation: a password is turned into a fixed-length value (the hash) from which the original password cannot be recovered. The original password is not stored, only the hash, making it near impossible to work out what the original was from what was stored alone. Each time someone enters a password, that entry is hashed using exactly the same algorithm and compared with the stored value. If they match then the current entry is, to all intents and purposes, the same as the original password, which is a secret known only to the user.

The problem with plain hashing is that the same algorithms are widely used by developers (simply because there aren't that many available), so all a hacker has to do is run possible passwords through the same hash algorithm to generate a simple (if large) lookup table that essentially marries hashes with passwords. If they hold a hash that appears in the table, they have the corresponding password: they have struck the jackpot!

If the hacker has considerable computing power at their disposal for long periods of time then they can clearly build pretty comprehensive tables that cover (say) all eight letter passwords possible. Obviously, the longer or more complex a password is, the larger the effort needed to compromise it. The beauty from the hacker’s perspective is that once they have generated or otherwise acquired a table then it can be used to attack many different systems that use the same plain hashing algorithm.

Salting improves security by altering the original password before it is hashed, usually by adding random characters to it in some way. This means that, even if the hacker knows the hashing algorithm, the salts in use and how each salt was combined with the original password, their existing lookup tables are useless: they now need a separate lookup table for each salt in use, which could be as many as one per password. Salting makes the hashes used by the system under attack almost unique to that system, greatly increasing the effort needed to compromise it. This frequently puts hashed passwords beyond the economic reach of even the most determined hackers (although they could theoretically obtain them with a huge amount of resources). However, salting can be done badly by using the same salt for every password; once that single salt is guessed or otherwise ascertained, the problem is no harder than working on unsalted hashes.
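As an added illustration (not code from this post or from LinkedIn), the three storage schemes contrasted above: plain hashes, a single site-wide salt, and a random per-user salt. The user records, the guess list standing in for a precomputed table, and the choice of SHA-256 are all constructed assumptions; the point it shows is that one table matches every plain or shared-salt record it covers, while per-user salts mean each record needs its own table.

```python
import hashlib
import hmac
import os

# Constructed sample records (not real LinkedIn data).
USERS = {"alice": "linkedin2012", "bob": "password1", "carol": "Tr0ub4dor&3x!"}
# Constructed guess list standing in for a precomputed hash-to-password table.
GUESSES = ["123456", "password1", "linkedin2012", "qwerty"]


def hash_pw(password: str, salt: bytes = b"") -> str:
    """SHA-256 of salt || password; an empty salt is plain hashing (assumed scheme)."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def store_plain(users: dict) -> dict:
    """Scheme 1: hash only. Stored as (salt, hash) with an empty salt."""
    return {u: (b"", hash_pw(p)) for u, p in users.items()}


def store_shared_salt(users: dict, salt: bytes) -> dict:
    """Scheme 2: the same salt for every password (the 'done badly' case)."""
    return {u: (salt, hash_pw(p, salt)) for u, p in users.items()}


def store_per_user_salt(users: dict) -> dict:
    """Scheme 3: a fresh random salt per user, stored alongside the hash."""
    store = {}
    for u, p in users.items():
        salt = os.urandom(16)
        store[u] = (salt, hash_pw(p, salt))
    return store


def build_table(salt: bytes = b"") -> dict:
    """A lookup table for ONE salt: each guess hashed under that salt."""
    return {hash_pw(g, salt): g for g in GUESSES}


def table_hits(store: dict, table: dict) -> list:
    """Users whose stored hash appears in the table (sorted by name)."""
    return sorted(u for u, (_, h) in store.items() if h in table)


def verify(store: dict, user: str, attempt: str) -> bool:
    """Normal login check: re-hash the attempt with the stored salt and compare."""
    salt, stored = store[user]
    return hmac.compare_digest(hash_pw(attempt, salt), stored)


if __name__ == "__main__":
    per_user = store_per_user_salt(USERS)
    print("plain:", table_hits(store_plain(USERS), build_table()))
    print("per-user, one table:", table_hits(per_user, build_table(per_user["alice"][0])))
```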

The fact that Sophos has been able to ascertain that some of their LinkedIn passwords are amongst the stolen hashes strongly suggests that the passwords were only hashed and not salted particularly well (if at all). Consequently, it is going to be much easier for hackers to work out what the original passwords were by simply using a brute force approach until they strike gold.

Obviously, the longer the password and the wider the range of characters used in constructing it (upper and lower case letters, numbers, punctuation marks, etc.), the more effort the hackers will need. It’s also likely that short passwords based on real words will be cracked first.

I would join Graham Cluley in strongly urging people to change their password on LinkedIn and anywhere else that they have used the same password. (You would be wise to use a complex password.) Once a hacker has established your password and linked it to your identity then they are highly likely to try it elsewhere so that the fruits of their labour may be better rewarded, possibly with your hard-earned cash!

This weblog is produced by Revell Research Systems.

Published by: IT Analysis Communications Ltd.