Executive Summary:


Scribd, a popular document sharing website, discovered it had been compromised when its operations team detected suspicious activity on the network. The activity was an attempt to obtain the email addresses and passwords of the site's users. The site has approximately 100 million users, and up to one percent of them may have had their passwords compromised. The passwords Scribd considers compromised were stored as salted SHA-1 hashes, an algorithm that is outdated for password storage; although these hashes were salted, Scribd still treated the passwords as exposed. Scribd notified the affected users, reset their passwords and instructed them to choose new ones. The passwords Scribd does not consider compromised were hashed with scrypt. According to Norwegian security advisor Per Thorsheim, it is a mistake to assume that only the SHA-1 passwords are at risk: given enough time, the scrypt-protected passwords can also be cracked.

Analysis:


Scribd could have taken several steps to limit the damage from the compromise of its users' password hashes. It should not have been storing any passwords as SHA-1 hashes; SHA-1 is a fast, general-purpose hash and is insecure for password storage. Moving to a longer digest from the same family, such as SHA-512, would not have helped much: the weakness is speed, not digest length, and an attacker with commodity GPUs can test billions of SHA-1 or SHA-2 guesses per second against each salted hash. Salting only prevents the attacker from reusing precomputed tables across accounts; it does nothing to slow down guessing against a single account. The appropriate fix is a deliberately slow, memory-hard password hash such as scrypt, which Scribd already used for the passwords it does not consider compromised, and the remaining legacy SHA-1 records should have been re-hashed with scrypt the next time each user logged in successfully.

The password policy could also have been stronger. Scribd requires only six characters for user passwords. Requiring more characters, with numbers and special characters among them, makes the passwords considerably harder to crack once the hashes leak, because scrypt only multiplies the cost of each guess and a six-character password has few enough candidates that even a slow hash does not save it. Forcing users to change passwords at fixed intervals adds less than it appears to, since users tend to respond with predictable variations of the old password; requiring a change when a compromise is suspected, as Scribd did, is the sound version of that measure. Beyond password storage and policy, Scribd should ensure that its network is adequately secured: the report describes how the intrusion was detected but not how the intruders gained access, and a weakness in network security may have let them onto the network in the first place.
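As an added illustration (not code from Scribd or from the original report), the following Python sketch shows the storage scheme the analysis argues for: new passwords hashed with scrypt, legacy salted-SHA-1 records still verifiable but re-hashed with scrypt at the next successful login, and a minimum-length check. The record format, the `$` field separator, the scrypt parameters (N=2^14, r=8, p=1), the 12-character minimum and the sample passwords are assumptions chosen for illustration, not Scribd's.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed work factors for illustration: scrypt uses 128*r*N bytes, 16 MiB here.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
MIN_PASSWORD_LENGTH = 12  # assumed policy; the report says Scribd required six


def legacy_sha1_record(password: str, salt: bytes) -> str:
    """Salted SHA-1 in the form the weak legacy records are assumed to take.

    Kept only so existing records can be verified and migrated; never used
    for new passwords. Salting stops reuse of precomputed tables, but SHA-1
    is fast enough that each record can still be brute-forced on its own.
    """
    digest = hashlib.sha1(salt + password.encode("utf-8")).hexdigest()
    return f"sha1${salt.hex()}${digest}"


def scrypt_record(password: str, salt: Optional[bytes] = None) -> str:
    """Hash a password with scrypt and a fresh 16-byte random salt.

    The parameters are stored next to the hash so they can be raised later
    without breaking verification of records written with older settings.
    """
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.scrypt(
        password.encode("utf-8"), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32
    )
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${key.hex()}"


def verify(password: str, record: str) -> Tuple[bool, Optional[str]]:
    """Check a password against a stored record.

    Returns (ok, upgraded_record). If the record is legacy SHA-1 and the
    password is correct, upgraded_record is a new scrypt record the caller
    should write back, retiring the SHA-1 hash at this login.
    """
    fields = record.split("$")
    scheme = fields[0]
    if scheme == "sha1":
        salt = bytes.fromhex(fields[1])
        actual = hashlib.sha1(salt + password.encode("utf-8")).hexdigest()
        ok = hmac.compare_digest(actual, fields[2])  # constant-time comparison
        return ok, (scrypt_record(password) if ok else None)
    if scheme == "scrypt":
        n, r, p = int(fields[1]), int(fields[2]), int(fields[3])
        salt = bytes.fromhex(fields[4])
        expected = bytes.fromhex(fields[5])
        actual = hashlib.scrypt(
            password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=len(expected)
        )
        return hmac.compare_digest(actual, expected), None
    raise ValueError(f"unknown password hash scheme: {scheme!r}")


def password_meets_policy(password: str) -> bool:
    """Minimum-length check: scrypt only multiplies the cost of each guess,
    so a short password stays crackable whatever hash protects it."""
    return len(password) >= MIN_PASSWORD_LENGTH


if __name__ == "__main__":
    # Constructed sample: one user still on a legacy record logs in and is migrated.
    legacy = legacy_sha1_record("correct horse battery", b"\x01" * 8)
    ok, upgraded = verify("correct horse battery", legacy)
    print("legacy login ok:", ok, "-> migrated to scheme:", upgraded.split("$")[0])
    print("scrypt login ok:", verify("correct horse battery", upgraded)[0])
    print("wrong password accepted:", verify("wrong", upgraded)[0])
```

The migration happens inside `verify` because the plaintext password is only available at login; records of users who never return can only be handled by a forced reset, which is what Scribd did for the accounts it considered compromised.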