
Password Anniversary Day

Exactly one year ago today it was announced that part of the LinkedIn password database had been shared online. There were many posts about it.

Having your password database compromised is bad. But that turned out to not be the worst part of what happened. Although I didn’t see it mentioned in any of the official LinkedIn posts, people quickly realized that the passwords were hashed using SHA-1. No salts, no stretching, just a single round of plain SHA-1. That made recovering the plaintext password for millions of LinkedIn accounts fairly simple.

Using bcrypt with a decent random salt generator and good work factor would have been much better.
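To make the difference concrete, here is an added example (not code from the original post) contrasting the unsalted, single-round SHA-1 scheme the leaked hashes used with salted, stretched storage. It uses PBKDF2-HMAC-SHA256 from Python's standard library in place of bcrypt, since bcrypt needs a third-party package; the properties being demonstrated (a random per-user salt and a tunable work factor) are the same. The function names, the iteration count and the small wordlist are assumptions constructed for the example.

```python
import hashlib
import hmac
import os

# What the leaked LinkedIn hashes looked like: one round of SHA-1, no salt.
def sha1_unsalted(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

# Without a salt, two accounts with the same password share one hash, so a
# single precomputed table of hash -> word serves every account in the dump.
def unsalted_hashes_collide(p1: str, p2: str) -> bool:
    return sha1_unsalted(p1) == sha1_unsalted(p2)

# Constructed wordlist, just to show that the table is built once and reused.
CONSTRUCTED_WORDLIST = ["123456", "password", "linkedin", "letmein"]

def lookup_unsalted(target_hex: str, wordlist=CONSTRUCTED_WORDLIST):
    table = {sha1_unsalted(w): w for w in wordlist}
    return table.get(target_hex)

# Salted, stretched storage. PBKDF2-HMAC-SHA256 stands in for bcrypt here
# (assumption); the work factor is the iteration count, raised over time.
WORK_FACTOR = 200_000

def hash_password(password: str, iterations: int = WORK_FACTOR) -> str:
    salt = os.urandom(16)  # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Store everything needed to verify later: scheme, work factor, salt, hash.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password: str, stored: str) -> bool:
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown hash format")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))

# With per-user salts, the same password hashes differently for every account,
# so a precomputed table is useless and each guess costs WORK_FACTOR iterations.
def salted_hashes_collide(p1: str, p2: str) -> bool:
    return hash_password(p1) == hash_password(p2)

if __name__ == "__main__":
    print("unsalted collide:", unsalted_hashes_collide("password", "password"))
    print("lookup:", lookup_unsalted(sha1_unsalted("linkedin")))
    print("salted collide:", salted_hashes_collide("password", "password"))
    stored = hash_password("correct horse")
    print("verify ok:", verify_password("correct horse", stored))
```

The stored string carries its own scheme name and work factor, which is what lets you raise the iteration count later and rehash users on their next login instead of being stuck with whatever was chosen at launch.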

This made it very clear to me that if a site like LinkedIn can make the mistake of using a poor password storage method, anyone can. I made a repeating calendar entry for 6 June of every year to be “Password Anniversary Day”. On Password Anniversary Day (6/6) I pick a few sites that I have accounts on, more or less at random, and change my password. Just in case.

My Tweet about this on 6 June 2012:

Happy Password Anniversary Day everyone.