Why isn’t LinkedIn using SRP?
This morning I was dismayed to get an email from LinkedIn to say that emails and passwords stolen in 2012 were available online. So they had reset the passwords of all emails accounts that haven’t changed their passwords since 2012. Okay sounds like a solid precaution against dictionary attacks on the stolen encrypted password details, right? Wrong.
They then want on to say:
LinkedIn has taken significant steps to strengthen account security since 2012. For example, we now use salted hashes to store passwords and enable additional account security by offering our members the option to use two-step verification.
Wow so in 2012 they were not properly salting the passwords and so those passwords, which users may have used across different sites, were not properly encrypted. That’s shockingly bad.
Further more salting passwords isn’t state of the art security. LinkedIn are still having the password set over the network to then salt it and save it in the database. So they are safe again the database getting stolen again but not against any other form of compromises on their network infrastructure. They should have upgrade to the Secure Remote Password protocol.
For a social network site or professionals it would seem that LinkedIn is lacking knowledgeable engineers and don’t have security as something built into their software development lifecycle.
Update: See this 2016 paper for a modern take on the problems of salted passwords which LinkedIn “upgraded to”.