The solution is called Aladdin and it is an open source USB key(board) to your computer & websites. He types your password so you don’t have to. There is no software to install and works everywhere because it appears as an USB keyboard to the operating system. All it does is type your password.

I’m trying to raise funds by crowdfunding at http://www.indiegogo.com/aladdin-key so I invite you to take a look.

http://uk.finance.yahoo.com/news/yahoo-reports-theft-400-000-164341156.html

You clearly have no idea when the theft took place, exactly what was taken, nor who has the complete dataset.

And yet at the same time as blasting mainstream media for hype and misinformation, you yourself, based only on assumption, claim there is minimal risk to users.

A balanced response is required but do not underplay the risk, which is just as dangerous or silly as overplaying it.

To make matters worse you assume “recently” adding salting implies the theft was of an old backup. To me, what that says is that since knowing about the theft they have begun to salt passwords. Not at all the same thing!

In future please try to sound less like you’re in the pocket of big business, and more like an intelligent and independent security researcher.

Separation of duties seems to be missing, and that within a company with 150mill+ users. They could have learned from breaches like Sony last year, apparently they didn’t.

Good thing is there are no reliable reports of account breaches & abuse, neither at Linkedin or at any other sites where one would expect password reuse.

I am very happy to say that I managed to alert national CERTs and others before the story appeared in media, and I also believe that the massive media coverage have prevented any serious fallout following the initial breach.

As for lots of the BS floating around I would like to see some serious stats of real – economical – losses or gains following such breaches. After all HBGary shares went up and finally the company got purchased – AFTER a truly embarrassing password breach with their CEO in the front seat.

That’s the conclusion I came to discussing this with Clive Robinson on Schneier’s blog. Nice stuff like SRP aside, salting already makes the crooks work for their take, yet LinkedIn didn’t do even the most basic security. The stuff that was practically free thanks to groups like OWASP. There should be legal liability when a company making so much money with so much data doesn’t do the bare minimum. I’m not asking for perfect or anything from web 2.0. Just standard commercial best practices at a minimum. Linkedin is far from it.

http://en.wikipedia.org/wiki/Secure_Remote_Password_protocol

Sorry guys but we don’t appear to “get it” with regards passwords and attackers…

We know that attackers go for the “low hanging fruit” first and work upwards, we also know that over fifty years of using passwords we only make small incremental improvments that the attackers overcome usually with little difficulty in fairly short order these days.

So let us assume that a salt is added or some other system such as bcrypt is used…

You are not solving the problem only increasing the bar so that the attacker will go to the next weakest point to get their desired data. For instance if the DB is made less vulnerable, the attacker will get to the point where as they can get into the target servers they will just install a logger or some such to intercept the username and password prior to the authentication process. If it’s found on the servers then they can move the logging onto a close intermediary node on the internet outside of the target servers organisation, or make some other attack to ensure the traffic flows through a node under the attackers control.

So what to do, well you could ask the question about why let the password off the client machine in the first place?

That is from the targets point of view they fully externalise the risk onto the client machine, and thus make it the client owners issue. It also at the same time makes the attackers move their attention away from the target servers as the desirable information is nolonger there (though there may well be other information that is still desirable other than the users password).

Can this be done, yes and has been possible one way or another for around a quater of a century.

http://srp.stanford.edu/whatisit.html

How is this limiting the damage? This article is BS.