slash dev slash null

stuff about puters

Category: SRP6a

Thinbus PHP is now on Packagist providing zero-knowledge password-proofs

I finally got around to releasing Thinbus PHP onto Packagist. The PHP demo app is also released there to show how to use the library. The JavaScript at that repo allows a browser to register and login to the PHP server. It is shared with the Thinbus Java version. Next up will be a demo app for the Thibus Node version. Now there are fewer excuses for transmitting a password to the server to be checked.

Brute Force Attacks On Browser based Secure Remote Password Protocol

Mattias Siø Fjellvang contacted me to discuss brute force attacks on SRP such as the thinbus-srp JavaScript library. I thought to write down the things that came out of the discussion.  Read the rest of this entry »

Why isn’t LinkedIn using SRP?

This morning I was dismayed to get an email from LinkedIn to say that emails and passwords stolen in 2012 were available online. So they had reset the passwords of all emails accounts that haven’t changed their passwords since 2012. Okay sounds like a solid precaution against dictionary attacks on the stolen encrypted password details, right? Wrong.

They then want on to say:

LinkedIn has taken significant steps to strengthen account security since 2012. For example, we now use salted hashes to store passwords and enable additional account security by offering our members the option to use two-step verification.

Wow so in 2012 they were not properly salting the passwords and so those passwords, which users may have used across different sites, were not properly encrypted. That’s shockingly bad.

Further more salting passwords isn’t state of the art security. LinkedIn are still having the password set over the network to then salt it and save it in the database. So they are safe again the database getting stolen again but not against any other form of compromises on their network infrastructure. They should have upgrade to the Secure Remote Password protocol.

For a social network site or professionals it would seem that LinkedIn is lacking knowledgeable engineers and don’t have security as something built into their software development lifecycle.

Update: See this 2016 paper for a modern take on the problems of salted passwords which LinkedIn “upgraded to”.