
Information Security News mailing list archives

Why LivingSocial’s 50-million password breach is graver than you may think
From: InfoSec News <alerts () infosecnews org>
Date: Mon, 29 Apr 2013 00:26:35 -0500 (CDT)


By Dan Goodin
Ars Technica
Apr 27, 2013

Update: A few hours after this article was published, the LivingSocial FAQ was updated to say the company was switching its hashing algorithm to bcrypt. This is a fantastic move by LivingSocial that adds a significant improvement to its users. Bravo!

LivingSocial.com, a site that offers daily coupons on restaurants, spas, and other services, has suffered a security breach that has exposed names, e-mail addresses and password data for up to 50 million of its users. If you're one of them, you should make sure the breach doesn't put your other accounts at risk.

In an e-mail sent Friday, CEO Tim O'Shaughnessy told customers the stolen passwords had been hashed and salted. That means passcodes were converted into one-way cryptographic representations, with a random string mixed into each one so that every hash is unique, even when the same password was chosen by other LivingSocial users. He went on to say "your Living Social password would be difficult to decode." This is a matter for vigorous debate, and it very possibly could give users a false sense of security.

As Ars explained before, advances in hardware and hacking techniques make it trivial to crack passwords that are presumed strong. LivingSocial engineers should be applauded for adding cryptographic salt, because the measure requires password cracking programs to guess the plaintext for each individual hash, rather than testing each guess against millions or tens of millions of hashes all at once. But a far more important measure of protection, password cracking experts say, is the hashing algorithm used. SHA1, the algorithm used by LivingSocial, is an extremely poor choice for secure password storage. Like MD5 and even the newly adopted SHA3 algorithm, it's designed to operate quickly and with a minimal amount of computing resources. A far better choice would have been bcrypt, scrypt, or PBKDF2.
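The two points the article makes, that salt stops one hash from standing in for every user who chose the same password and that a fast hash such as SHA1 should be replaced by a deliberately slow one, can be seen side by side in the following added example. It is not code from the article or from LivingSocial; it uses PBKDF2-HMAC-SHA256 (one of the three alternatives the article names) as the slow function, a constructed table of three users as input, and a hypothetical login-time migration step of the kind a site would use when switching algorithms.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample data: three users, two of whom chose the same password.
USERS = {"alice": "correct horse", "bob": "correct horse", "carol": "tr0ub4dor&3"}


def sha1_unsalted(password):
    """Fast hash, no salt: equal passwords give equal stored values."""
    return hashlib.sha1(password.encode()).hexdigest()


def sha1_salted(password, salt):
    """Fast hash with a per-user salt, as the article describes LivingSocial doing."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def pbkdf2_record(password, salt=None, iterations=600_000):
    """Slow, salted key derivation. Algorithm, cost, salt and digest are packed
    into one string so the cost can be raised later without a schema change."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_record(record, password):
    """Re-derive from the stored parameters and compare in constant time."""
    _, iterations, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def shared_hash_groups(stored):
    """Groups of users whose stored hashes are identical. Each group leaks that
    the members share a password, and a single guess checks all of them at once;
    salting makes such groups disappear."""
    by_hash = defaultdict(set)
    for user, h in stored.items():
        by_hash[h].add(user)
    return [users for users in by_hash.values() if len(users) > 1]


def upgrade_on_login(legacy, user, password):
    """Hypothetical migration step for a site moving off salted SHA1: the only
    time the plaintext is available is at login, so verify against the old
    record and, if it matches, return a PBKDF2 record to store instead."""
    salt, old_hash = legacy[user]
    if not hmac.compare_digest(sha1_salted(password, salt), old_hash):
        return None
    return pbkdf2_record(password)


if __name__ == "__main__":
    unsalted = {u: sha1_unsalted(p) for u, p in USERS.items()}
    print("shared groups, unsalted SHA1:", shared_hash_groups(unsalted))
    salted = {u: sha1_salted(p, os.urandom(16)) for u, p in USERS.items()}
    print("shared groups, salted SHA1:  ", shared_hash_groups(salted))

    legacy = {u: (os.urandom(16), None) for u in USERS}
    legacy = {u: (s, sha1_salted(USERS[u], s)) for u, (s, _) in legacy.items()}
    new_record = upgrade_on_login(legacy, "alice", USERS["alice"])
    print("migrated record:", new_record)
    print("verifies:", verify_record(new_record, USERS["alice"]))
```

The iteration count is the tunable that SHA1 lacks: every guess against a PBKDF2 record costs the attacker the same 600,000 HMAC computations it costs the site, whereas a salted SHA1 guess costs one. Storing the count inside the record, as above, lets it be raised for new logins as hardware gets faster.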


