6 comments

[ 0.15 ms ] story [ 16.3 ms ] thread
Interesting because they are going after LinkedIn primarily based of the algorithm they used to protect passwords.
Exactly. Which means it's time for everyone else to start considering their Web application's security. For a change.
I wonder where it's acceptable to draw the line. Can't everything be breached eventually?
Do you want your bank vault to be locked with a Masterlock padlock, or a 1-ton safe door with glass inserts and an armed guard? That's the difference between unsalted MD5 and salted SHA.
And not just the algorithm that they used, but fact that their privacy policy stated that they used best practices to store the passwords, when they didn't.

Actually, the lawsuits speaks of "insufficient encryption methods", but as we all know, hashing is very different to encryption. And they want a trial by jury.

Edit: It seems to hinge on "All information that you provide will be protected by industry standard protocols and technology" in the privacy policy. It would be interesting to see if anybody can show that the industry has a standard password protection technology. I wouldn't be surprised if plain MD5s/SHA-whatevers are the most standard. Just not very secure.

I am happy to see this happen. For years computer companies just skate by with no punishment for security breaches. It is time to pay up.