
List:       isn
Subject:    [ISN] Why LivingSocial's 50-million password breach is graver than you may think
From:       InfoSec News <alerts@infosecnews.org>
Date:       2013-04-29 5:26:35
Message-ID: alpine.DEB.2.02.1304290026240.14928@infosecnews.org

http://arstechnica.com/security/2013/04/why-livingsocials-50-million-password-breach-is-graver-than-you-may-think/

By Dan Goodin
Ars Technica
Apr 27, 2013

Update: A few hours after this article was published, the LivingSocial FAQ was 
updated to say the company was switching its hashing algorithm to bcrypt. This 
is a fantastic move by LivingSocial that significantly improves the protection 
of its users' passwords. Bravo!

LivingSocial.com, a site that offers daily coupons on restaurants, spas, and 
other services, has suffered a security breach that has exposed names, e-mail 
addresses and password data for up to 50 million of its users. If you're one of 
them, you should make sure this breach doesn't compromise any other account on 
which you reused the same password.

In an e-mail sent Friday, CEO Tim O'Shaughnessy told customers the stolen 
passwords had been hashed and salted. That means passcodes were converted into 
one-way cryptographic representations, with a random string mixed into each one 
so that every stored hash is unique, even when two LivingSocial users chose the 
same password. He went on to say "your Living Social password would be 
difficult to decode." This is a matter for vigorous debate, and it very 
possibly could give users a false sense of security.

As Ars explained before, advances in hardware and hacking techniques make it 
trivial to crack passwords that are presumed strong. LivingSocial engineers 
should be applauded for adding cryptographic salt, because the measure forces 
password cracking programs to guess the plaintext for each individual hash, 
rather than testing each guess against millions or tens of millions of hashes 
at once. But a far more important measure of protection, password cracking 
experts say, is the hashing algorithm used. SHA1, the algorithm used by 
LivingSocial, is an extremely poor choice for secure password storage. Like MD5 
and even the newly adopted SHA3 algorithms, it's designed to operate quickly 
and with a minimal amount of computing resources, which is exactly what an 
attacker guessing billions of candidates per second wants. A far better choice 
would have been bcrypt, scrypt, or PBKDF2, all of which are deliberately slow.

[...]
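The two points above (salt makes the attacker work per hash; a fast hash keeps each guess cheap, a slow KDF does not) are easy to see in code. The following is an added example, not code from the Ars article or from LivingSocial. It uses a constructed three-account user table and a constructed six-word cracking list, and PBKDF2-HMAC-SHA1 from the standard library stands in for bcrypt (which Python does not ship); the 100,000 iteration count is an assumed work factor, not a figure from the article.

```python
"""Salt versus work factor: why a salted SHA-1 password store is still cheap to crack.

Compares three storage schemes on the same toy data: unsalted SHA-1, salted SHA-1
(what the breach notice described) and PBKDF2-HMAC-SHA1 (a deliberately slow KDF,
standing in for bcrypt). Example code, not LivingSocial's or Ars Technica's.
"""
import hashlib
import hmac
import os

SCHEMES = ("sha1", "salted_sha1", "pbkdf2")
PBKDF2_ITERATIONS = 100_000  # assumed work factor for the example

# Constructed sample data: three accounts, two of which share a password.
USERS = {"alice": "letmein", "bob": "letmein", "carol": "coupon2013"}
# Constructed attacker wordlist, tried in this order.
WORDLIST = ["123456", "password", "letmein", "qwerty", "welcome1", "coupon2013"]


def hash_password(scheme, password, salt):
    """Return the stored hash (hex) for `password` under `scheme`."""
    pw = password.encode()
    if scheme == "sha1":
        return hashlib.sha1(pw).hexdigest()             # no salt: one fast hash
    if scheme == "salted_sha1":
        return hashlib.sha1(salt + pw).hexdigest()      # salt || password: still one fast hash
    if scheme == "pbkdf2":
        # Same primitive, but every guess now costs PBKDF2_ITERATIONS HMAC-SHA1 calls.
        return hashlib.pbkdf2_hmac("sha1", pw, salt, PBKDF2_ITERATIONS).hex()
    raise ValueError(scheme)


def primitive_cost(scheme):
    """Underlying hash-primitive evaluations that one guess costs under `scheme`."""
    return PBKDF2_ITERATIONS if scheme == "pbkdf2" else 1


def build_store(scheme, users=USERS):
    """Build a {user: (salt, hash)} table with a random 16-byte salt per user."""
    store = {}
    for user, password in users.items():
        salt = b"" if scheme == "sha1" else os.urandom(16)
        store[user] = (salt, hash_password(scheme, password, salt))
    return store


def verify(scheme, password, record):
    """Login check: recompute with the stored salt, compare in constant time."""
    salt, stored = record
    return hmac.compare_digest(hash_password(scheme, password, salt), stored)


def crack(scheme, store, wordlist=WORDLIST):
    """Offline dictionary attack on a leaked store.

    Returns (recovered passwords, guesses hashed, primitive evaluations).
    Unsalted: hash the wordlist once and look every record up in that table,
    so the cost is independent of the number of leaked hashes.
    Salted: each record forces its own pass over the wordlist.
    """
    recovered = {}
    if scheme == "sha1":
        table = {hash_password(scheme, w, b""): w for w in wordlist}
        guesses = len(wordlist)
        for user, (_, stored) in store.items():
            if stored in table:
                recovered[user] = table[stored]
    else:
        guesses = 0
        for user, (salt, stored) in store.items():
            for word in wordlist:
                guesses += 1
                if hash_password(scheme, word, salt) == stored:
                    recovered[user] = word
                    break
    return recovered, guesses, guesses * primitive_cost(scheme)


def compare_schemes():
    """Attack a fresh store under each scheme; returns {scheme: (recovered, guesses, cost)}."""
    return {s: crack(s, build_store(s)) for s in SCHEMES}


if __name__ == "__main__":
    for scheme, (found, guesses, cost) in compare_schemes().items():
        print(f"{scheme:12s} cracked={len(found)}/{len(USERS)} "
              f"guesses={guesses:3d} primitive evaluations={cost:,}")
```

Run it and all three schemes give up every password from this tiny wordlist; the difference is what each guess costs the attacker. Salting turns 6 SHA-1 evaluations into 12 (one pass per leaked hash instead of one shared pass), which matters at 50 million hashes but is still trivially cheap per guess on a GPU. PBKDF2 keeps the same 12 guesses but multiplies each by the iteration count, and unlike a fast hash that cost can be raised as hardware improves. Note also that under unsalted SHA-1, alice and bob, who share a password, store the identical hash, so an attacker can spot reused passwords before cracking anything.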


______________________________________________
Visit the InfoSec News Security Bookstore
Best Selling Security Books and More!
http://www.shopinfosecnews.org 