And now it’s last.fm


Last.fm have had a security breach and advised all their users (such as me) to change their passwords. As with LinkedIn, having passwords hashed may not be enough to keep them secure.

I don’t know what has happened here and will refrain from commenting on Last.fm in particular, but one does begin to feel that these companies need some form of forceful reminder of their duty to hold these things as securely as possible. People should simply not be able to filch masses of passwords. Not even the chief executive (again, for the avoidance of doubt, I am certainly not accusing any chief executive of having done so – the point is a general one).

What can be done? Two-factor authentication, as practised by GitHub – the machines I use GitHub on have to have access to a public key I have registered with them as well as a per-session password – would be one form. But can you see users of mass social network sites generating public keys and registering them? Neither can I, and more importantly I don’t think the companies can either: but if they are not going to implement that, then they need to tighten things up considerably at the server side.

A further thought on MD5


[Image via Wikipedia: Shows a typical cryptographic hash function (S...]

The main use of MD5 – at least if my computer is any guide – is to check that a file you have downloaded from the internet or elsewhere is what it says it is.

In fact, in this general use MD5 is not being used to encrypt anything – instead it produces a “message digest” – a 128-bit number that is a hash function of the supplied file. The problem with collisions in this case is that two different files could give the same hashed value (i.e. the same MD5 digest), and you could be left thinking you had the genuine file when you did not.

But that 128-bit hashed value plainly is not going to give you back the file – unlike CSI:Miami and everywhere else you see a “let’s enhance that” computer graphics gimmick, in the real world you cannot get more information out than you put in: so a 128-bit number will not magically transform into a 5 MB file even if you can reverse the hashing.
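To make the file-checking use concrete, here is an added example (not code from the original post) that digests a file in chunks, compares the result against a published MD5 sum, and shows that the digest stays at 128 bits however large the input is. The 5 MB payload and the “published” digest are constructed inside the script; in real use the digest comes from the download page.

```python
import hashlib
import hmac
import io
import os
import tempfile

CHUNK_SIZE = 64 * 1024  # read files in 64 KiB pieces so memory use stays flat


def md5_of_stream(stream):
    """Feed a binary stream through MD5 chunk by chunk and return the hex digest.
    Chunking matters because a download may be far larger than available memory."""
    h = hashlib.md5()
    for chunk in iter(lambda: stream.read(CHUNK_SIZE), b""):
        h.update(chunk)
    return h.hexdigest()


def md5_of_bytes(data):
    return md5_of_stream(io.BytesIO(data))


def md5_of_file(path):
    with open(path, "rb") as f:
        return md5_of_stream(f)


def digest_bits(hex_digest):
    """Length of a digest in bits: 128 for MD5 regardless of how big the input was."""
    return len(bytes.fromhex(hex_digest)) * 8


def verify_download(path, published_digest):
    """True only if the file's digest matches the one published alongside it.
    compare_digest keeps the comparison constant-time; case is normalised because
    publishers print MD5 sums in either case."""
    return hmac.compare_digest(md5_of_file(path).lower(),
                               published_digest.strip().lower())


def demo():
    """Constructed scenario: a 5 MB 'download' with a published digest, then the
    same file with a single bit altered. Returns the observations as a dict."""
    genuine = bytes(range(256)) * (5 * 1024 * 1024 // 256)  # constructed 5 MB payload
    published = md5_of_bytes(genuine)                        # what the site would publish

    tampered = bytearray(genuine)
    tampered[1234] ^= 0x01                                   # flip one bit in the middle

    results = {}
    for label, payload in (("genuine", genuine), ("tampered", bytes(tampered))):
        fd, path = tempfile.mkstemp()
        with os.fdopen(fd, "wb") as f:
            f.write(payload)
        try:
            results[label] = verify_download(path, published)
        finally:
            os.unlink(path)
    results["digest_bits"] = digest_bits(published)   # always 128
    results["input_bits"] = len(genuine) * 8          # 41,943,040: far more than fits in 128
    return results


if __name__ == "__main__":
    print(demo())
```

The `input_bits` versus `digest_bits` figures are the post’s point in numbers: a single-bit change anywhere in the file flips the verdict, yet the 128-bit digest cannot possibly encode the 40 million bits that went in.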

But that was not the issue with the Sun – they appeared to be using MD5 to hash a short password and in that case, at least in theory, being able to crack MD5 could give the original information back.
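The password case is where “tightening things up at the server side” from the first post and the short-password worry here meet. The following added example (mine, not from the original post or from any of the sites mentioned) puts the unsalted-MD5 scheme beside a salted, deliberately slow PBKDF2-HMAC-SHA256 record and shows the property that makes the former dangerous: identical passwords give identical digests, so a stolen table can be matched against digests precomputed for common short passwords. The record format and iteration count are my choices, not anything the post specifies.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # deliberately slow: each guess costs this many HMAC-SHA256 calls


def md5_password(password):
    """The weak scheme the post describes: one unsalted MD5 over a short password.
    The same password always yields the same digest, so a stolen table can be
    matched against precomputed digests of common passwords, and equal digests
    reveal which users share a password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Store a password as pbkdf2_sha256$<iterations>$<salt hex>$<key hex>.
    The random per-user salt defeats precomputation and hides shared passwords;
    the iteration count makes every guess expensive for whoever steals the table."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${key.hex()}"


def verify_password(password, stored):
    """Recompute the key with the stored salt and iteration count and compare in
    constant time; a malformed record verifies as False rather than raising."""
    try:
        scheme, iterations, salt_hex, key_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(key_hex)
        iterations = int(iterations)
    except ValueError:
        return False
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(key, expected)


def same_password_same_record(scheme):
    """Do two users who pick the same password end up with identical stored
    values? True for unsalted MD5 (bad), False for the salted scheme."""
    return scheme("correct horse battery staple") == scheme("correct horse battery staple")


if __name__ == "__main__":
    print("md5 identical for identical passwords:   ", same_password_same_record(md5_password))
    print("pbkdf2 identical for identical passwords:", same_password_same_record(hash_password))
```

Nothing here stops a determined attacker who has the table from trying guesses one by one; it just removes the shortcut of looking digests up in a ready-made list and makes each guess cost hundreds of thousands of hash operations instead of one.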