With the huge LivingSocial hack that we read about the other day, it's clear that there are common themes we've seen many times lately. In this case the news is a little better than in previous breaches, but let's review what we know:
So there is a little bit of good news here. "What might that be?" you're probably asking. Well, the security folks at LivingSocial did salt their passwords, which makes any attack against the hashed passwords much harder. When a site salts a hashed password, what happens on the back end when you log in is this: the salt, a few bytes of random data generated separately for each user, is combined with your password, the result is hashed, and the hash is stored in the database next to the salt. In other words, HASHING ALGORITHM is run on (SALT + Password), which produces the HASH.

Why is this good? Well, let's say the passwords were hashed but not salted. Then someone can take a dictionary or a list of commonly used passwords, figure out which hashing algorithm the site was using (typically SHA-2, or MD5 if the site is very old), hash every entry in the list once, and compare that hashed dictionary against every stolen account at the same time. If the site salted its passwords, however, the attacker has to build that hashed dictionary separately for every single user, because each user's salt changes every hash. That takes a really long time! Salting protects all 50 million passwords from being cracked in one pass. What it does not protect against is a single account being cracked: with a fast hash like SHA-2, running a dictionary against one user's salt and hash is still quick if that user's password is weak.

Ok, so now should you change your password? Yeah, probably. So what can websites do?
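The comparison above, as an added example that is not from the original post or from LivingSocial: an unsalted database falls to one precomputed table, a salted one forces the attacker to redo the whole dictionary per user, and a single salted account with a weak password still falls. The user list, passwords and dictionary are constructed for the example; SHA-256 stands in for "HASHING ALGORITHM".

```python
import hashlib
import os

# Constructed sample data (not breach data): a tiny password dictionary and a
# few accounts, three of which use a password that appears in the dictionary.
COMMON_PASSWORDS = ["123456", "password", "letmein", "qwerty", "hunter2"]
USERS = {
    "alice": "password",
    "bob": "hunter2",
    "carol": "Tr0ub4dor&3-correct-horse-battery",
    "dave": "123456",
}


def hash_unsalted(password: str) -> str:
    """What an unsalted site stores: HASH(password), SHA-256 here."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password: str, salt: bytes) -> str:
    """What the post describes: HASH(salt + password); the salt is stored beside it."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def make_unsalted_db(users: dict) -> dict:
    """user -> hash"""
    return {user: hash_unsalted(pw) for user, pw in users.items()}


def make_salted_db(users: dict) -> dict:
    """user -> (salt, hash); each user gets a fresh random 16-byte salt."""
    db = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        db[user] = (salt, hash_salted(pw, salt))
    return db


def build_table(dictionary) -> dict:
    """Attacker precomputes HASH(candidate) -> candidate once for the whole list."""
    return {hash_unsalted(pw): pw for pw in dictionary}


def crack_unsalted(db: dict, dictionary) -> tuple:
    """Unsalted: one table cracks every account. Returns (cracked, hashes_computed)."""
    table = build_table(dictionary)  # len(dictionary) hashes, total, for all users
    cracked = {user: table[h] for user, h in db.items() if h in table}
    return cracked, len(dictionary)


def crack_salted_with_table(db: dict, dictionary) -> dict:
    """Reusing the unsalted table against salted hashes matches nothing."""
    table = build_table(dictionary)
    return {user: table[h] for user, (_salt, h) in db.items() if h in table}


def crack_salted(db: dict, dictionary) -> tuple:
    """Salted: the dictionary is re-hashed per user. Returns (cracked, hashes_computed).

    Every user costs len(dictionary) hashes; a weak password still falls.
    """
    cracked = {}
    hashes_computed = 0
    for user, (salt, h) in db.items():
        for pw in dictionary:
            hashes_computed += 1
            if hash_salted(pw, salt) == h:
                cracked[user] = pw
    return cracked, hashes_computed


if __name__ == "__main__":
    found, n = crack_unsalted(make_unsalted_db(USERS), COMMON_PASSWORDS)
    print("unsalted:", found, "with", n, "hashes")
    salted = make_salted_db(USERS)
    print("salted, reused table:", crack_salted_with_table(salted, COMMON_PASSWORDS))
    found, n = crack_salted(salted, COMMON_PASSWORDS)
    print("salted, per-user:", found, "with", n, "hashes")
```

The per-user cost scales with the size of the dictionary times the number of accounts, which is the whole benefit of salting; it does nothing for the one user whose password is in the dictionary. Swapping `hashlib.sha256` for a deliberately slow, iterated function such as `hashlib.pbkdf2_hmac` raises the cost of each of those per-user guesses, which is the other half of what a site can do.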
Read about it here: https://krebsonsecurity.com/2012/06/how-companies-can-beef-up-password-security/

I hope LivingSocial follows up their announcement with a detailed post mortem. The way the community gets better about security is by understanding what mistakes were made, embarrassing as they may be. There are some things they could do better to protect their users, but they've taken the first important step in telling people something happened. Let's hope they follow up with changes so that this can't happen again.