Yet, LinkedIn only "just recently" added enhanced security measures -- after 6 million passwords got hacked -- adding a measure called "salting," which makes these brute-force attacks much harder for hackers by adding random characters to each password before it is hashed. "We all know better than that," software expert Gary McGraw told The Wall Street Journal's Michael Hickens. But according to Kamp, even salting might not be sufficient. "There is _no_ advantage in everybody in the world using the exact same algorithm," he wrote.
Most popular websites, like Facebook and Google, use more sophisticated password protections than a simple MD5 hash. While it's fun to poke fun at LinkedIn, as we did yesterday, asking what a hacker might do with a LinkedIn password, this breach has very real, very scary implications. Hackers are already exploiting the leaked passwords to trick users into downloading malware, reports Bits Blog's Nicole Perlroth. But password hacks can quickly turn into more serious issues. Consider what happened to Deborah Fallows, wife of The Atlantic's Jim Fallows. Writing in The Atlantic, Fallows describes how a Gawker hack led to fears that someone got a hold of their personal and financial data via his wife's hacked Gmail account. "As in the great majority of hacking cases, my wife had been using the same password for her Gmail account as for some other, less secure sites, where her username was her Gmail address. (Who hasn't done this?) And one way or another, a list of e-mail addresses and associated passwords from one of those sites had made its way to hackers," he writes, suspecting these hackers got a hold of her password via a recent Gawker hack. Thus, even sites with the most secure measures, like Gmail, can get thousands of hacks per day, which, as Fallows explains, leads to legitimate concerns. Fallows continues:
The greatest practical fear for my wife and me was that, even if she eventually managed to retrieve her records, so much of our personal and financial data would be in someone else’s presumably hostile hands that we would spend our remaining years looking over our shoulders, wondering how and when something would be put to damaging use. At some point over the past six years, our correspondence would certainly have included every number or code that was important to us—credit-card numbers, bank-account information, medical info, and any other sensitive data you can imagine.
When one site uses an algorithm that makes it susceptible to attack, it compromises the rest of the Internet. And the more sites that use the same system, the easier it is for hackers to get a hold of our information. Considering these weaknesses, Kamp therefore recommends the following total overhaul of the password system. "All major internet sites, anybody with more than 50.000 passwords, should design or configure a unique algorithm (consisting of course of standard one-way hash functions like SHA2 etc) for their site, in order to make development of highly optimized password brute-force technologies a 'per-site' exercise for attackers," he writes.
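To make the two ideas above concrete, here is an added Python example that is not from the article, from LinkedIn, or from Kamp. It contrasts an unsalted MD5 record (identical passwords give identical hashes everywhere) with a salted, per-site derivation built only from a standard one-way function (PBKDF2 over HMAC-SHA-256), where each user gets a random salt and each site mixes in its own secret "pepper" and iteration count. The site names, pepper values and iteration counts are constructed for illustration; the choice of PBKDF2 as the standard building block is an assumption, not something the article specifies.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed, illustrative per-site parameters (assumption: each site keeps
# its own pepper outside the user database and picks its own work factor).
SITE_PARAMS = {
    "site-a.example": {"pepper": b"constructed-pepper-for-site-a", "iterations": 100_000},
    "site-b.example": {"pepper": b"constructed-pepper-for-site-b", "iterations": 150_000},
}


def unsalted_md5(password: str) -> str:
    """Plain MD5 of the password, no salt: the weak scheme the article
    describes. Every user and every site with the same password stores the
    same hex string, so one precomputed table answers for all of them."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def salted_site_hash(site: str, password: str, salt: Optional[bytes] = None) -> Tuple[str, str]:
    """Salted, per-site derivation from a standard one-way function.

    - The random 16-byte salt makes two users with the same password store
      different records, so a table built for one record is useless for another.
    - The site's pepper and iteration count make the derivation differ per site,
      turning optimized guessing into a per-site exercise, as Kamp proposes.

    Returns (salt_hex, hash_hex); the salt is stored beside the hash.
    """
    params = SITE_PARAMS[site]
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        params["pepper"] + salt,
        params["iterations"],
    )
    return salt.hex(), digest.hex()


def verify(site: str, password: str, salt_hex: str, stored_hex: str) -> bool:
    """Recompute the record from the stored salt and compare in constant time."""
    _, candidate = salted_site_hash(site, password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored_hex)


def demo() -> dict:
    """Run the comparison and return the observations as named booleans."""
    # Same password, unsalted: identical records across users and sites.
    md5_collides = unsalted_md5("correct horse") == unsalted_md5("correct horse")

    # Same password, same site, salted: two different records.
    salt1, hash1 = salted_site_hash("site-a.example", "correct horse")
    salt2, hash2 = salted_site_hash("site-a.example", "correct horse")
    salted_differs_per_user = hash1 != hash2

    # Same password and even the same salt on two sites: still different,
    # because each site's pepper and iteration count differ.
    fixed_salt = bytes(16)  # constructed, only to isolate the per-site effect
    _, on_a = salted_site_hash("site-a.example", "correct horse", fixed_salt)
    _, on_b = salted_site_hash("site-b.example", "correct horse", fixed_salt)
    differs_per_site = on_a != on_b

    # Verification still works for the right password and rejects a wrong one.
    accepts_correct = verify("site-a.example", "correct horse", salt1, hash1)
    rejects_wrong = not verify("site-a.example", "Correct Horse", salt1, hash1)

    return {
        "md5_collides": md5_collides,
        "salted_differs_per_user": salted_differs_per_user,
        "differs_per_site": differs_per_site,
        "accepts_correct": accepts_correct,
        "rejects_wrong": rejects_wrong,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The defensive point the demo isolates: with unsalted MD5 a single leaked database doubles as a lookup table for every other site using the same scheme, while a per-user salt and per-site parameters force any guessing effort to be repeated per record and per site. The pepper should live in application configuration rather than in the same table as the hashes, so that a database dump alone does not reveal it.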
*This post originally stated that Kamp invented MD5, rather than MD5crypt.
This article is from the archive of our partner The Wire.