Two-factor authentication: LinkedIn now on board
LinkedIn has joined the group of companies that offer two-factor authentication. Since the beginning of this month, users of the business networking platform have been able to turn on two-factor authentication (referred to by LinkedIn as "two-step verification") in their settings. As with Facebook and other services, a password and a security code sent to the user's registered mobile phone by SMS text message are required whenever someone tries to log in from a previously unregistered device or from a web browser they haven't used before. While in the settings, it is also a good idea to enable HTTPS-encrypted connections via Settings/Account/Manage security settings, because, by default, LinkedIn continues to serve its web pages over unencrypted plain HTTP.
In summer 2012, LinkedIn had to deal with a million-dollar class action lawsuit that was brought by a user after a password leak affected the network. In the class action complaint, LinkedIn was accused of creating "significant risks to the integrity of users' sensitive data" by using the "outdated" SHA1 hashing algorithm from 1995 to protect its users' data. In addition, the hashed passwords hadn't been salted beforehand. Another point in the complaint concerned the platform's information policy. LinkedIn only admitted that a leak had occurred after third-party observers publicly announced the password theft. The lawsuit was dismissed in March.
SHA1 is indeed no longer an up-to-date method for hashing passwords. The current state-of-the-art technique is Password-Based Key Derivation Function 2 (PBKDF2), which, according to current knowledge, allows passwords to be stored in an almost uncrackable way.
(sno)