Password Security and Hash Slippage

The massive losses of password hashes at LinkedIn [1], eHarmony [2] and Last.fm [3] are very concerning, to say the least. These are companies that are generally perceived as technology leaders, particularly LinkedIn. Also, as far as I now, eHarmony and LinkedIn are Java/JVM shops. Just some data that I gathered today regarding the scope of the issue:

• Last.fm - presumably up to 17 million lost hashes - Algorithm used: MD5 - Hashes were Not salted
• eHarmony - 1.5 million hashes - MD5 - No salted - All upper-case-passwords
• LinkedIn - 6.5 million hashes - SHA1 - Not salted

Some of the leaks supposedly happened as far back as 2011. Here is some further background information: 

• http://www.nytimes.com/2012/06/11/technology/linkedin-breach-exposes-light-security-even-at-data-companies.html
• http://translate.google.com/translate?sl=de&tl=en&js=n&prev=_t&hl=en&ie=UTF-8&layout=2&eotf=1&u=http%3A%2F%2Fwww.heise.de%2Fsecurity%2Fmeldung%2FPasswort-Lecks-groesser-als-angenommen-1613946.html
• http://www.technolog.msnbc.msn.com/technology/technolog/linkedin-eharmony-dont-take-your-security-seriously-819858
• http://erratasec.blogspot.de/2012/06/linkedin-vs-password-cracking.html

What is quite amazing to me, is that the basic measures that would prevent the cracking of the hashes, like better hash algorithms, salting, re-hashing are not rocket science. There is even a very nice library [4] out there that does it for you and it even hooks into e.g. Spring Security [5] - Not even Java coding is necessary.

I just wonder how the hackers got access to the hashes in the first place...I could not find any information on that, yet. Maybe another juicy story...

[1] http://blog.linkedin.com/2012/06/09/an-update-on-taking-steps-to-protect-our-members/
[2] http://advice.eharmony.com/blog/2012/06/07/updates-on-ongoing-efforts-to-protect-our-members/
[3] http://blog.last.fm/2012/06/08/an-update-on-lastfm-password-security

[4] http://www.jasypt.org/

[5] http://www.springsource.org/spring-security