By now everyone should have heard about it, but both LinkedIn and eHarmony were found to have been breached. Several million passwords were leaked, and if you have an account on either, you need to change your password quickly.
It’s become the norm that passwords for such sites are stored, on their end, in an encrypted format with the hope of delaying actual breaches if the data was lost. Well, that didn’t really last: a huge number of those passwords are already cracked. How? And if so, what’s the point of encrypting them?
The thing is, they’ll have used just one encryption key to encrypt them all. That key may not have been broken… but two (or more) users with the same password will see the same thing in an encrypted format (the hash). It turns out a lot of people used something like ‘123456’, and every time that password is used, the same hash shows up. If you figure out just one hash, you know that all the other accounts with the same hash are the same password.
This highlights one useful note for password security, which is that it’s beneficial to have varied passwords so that you and a billion other people don’t use the same one. You’ve heard this one for years of course, but don’t just go for the obvious, like a password of “passw0rd”. If you need help, I highly recommend XKCD’s advice (and you can find a password generator for it here).
But that bit aside, as an IT guy, I find interesting the implications for those in my field. It’s been acknowledged for a while that hashes like this aren’t sufficient to protect a userbase if you have a breach like this, but in spite of other similar incidents, the industry has been slow to come up with an alternative. And even security principles like “have a varied password” and “rotate passwords often” don’t completely prevent such things. It’s going to take a large shift in mentality, I think, for someone to find an answer.