Medidata Blog

Medidata Security Chief on LinkedIn Hacking and Medidata's Better Approach

Recently, 6.4 million out of approximately 160 million LinkedIn members had their passwords hacked. The good news is that the breach apparently didn’t include user names, and without that association, the actual threat is almost zero. But what about Medidata systems? Are they secure?

Luckily for our customers, the answer is yes. We apply much more robust password protection than did LinkedIn.

The reason lies in the internal mechanisms used to hash and manage the passwords. LinkedIn used a common hashing algorithm, the Secure Hash Algorithm SHA-1. This algorithm transforms a user-entered password into a unique series of bits. Unfortunately, SHA-1 was broken some time ago, making LinkedIn’s password files a desirable target.

Medidata uses a stronger SHA-2 algorithm. SHA-2 comes in two varieties: 256 bit and 512 bit. Again, we use the stronger 512 bit. To add even more strength, we add a random 256-bit salt to the user-entered password. A salt consists of random bits added to the user password before hashing. These bits defeat “dictionary attacks,” in which pre-computed values are compared to the hashed password files. Security experts all agreed that if LinkedIn had simply added a salt to their already weak SHA-1, it wouldn’t have been cracked. In fact, if one were to try every possible match for a Medidata password, called a “brute-force attack” in hacking terms, it would take approximately 1.25 * (10^50) centuries with the fastest processors.
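The salting scheme described above, as an added example (not Medidata's code): SHA-512 over a random 256-bit salt plus the password, next to the same hash computed without a salt, so the salt is the only difference. The function names, the salt-prepended layout and the word list are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

SALT_BYTES = 32  # 256-bit salt, the size the post states


def sha512_digest(password, salt=b""):
    # Assumption: the salt is prepended; the post does not say how it is combined.
    return hashlib.sha512(salt + password.encode("utf-8")).digest()


def new_record(password):
    """Create the (salt, digest) pair stored for one user."""
    salt = secrets.token_bytes(SALT_BYTES)
    return salt, sha512_digest(password, salt)


def verify(password, salt, stored_digest):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(sha512_digest(password, salt), stored_digest)


def precomputed_table(wordlist):
    """Digest -> word table, computed once with no salt."""
    return {sha512_digest(word): word for word in wordlist}


def table_hits(table, digests):
    """Count stored digests that appear in a precomputed table."""
    return sum(1 for digest in digests if digest in table)


# Constructed sample data: two users who chose the same password.
WORDLIST = ["letmein", "password1", "sunshine"]
TABLE = precomputed_table(WORDLIST)

unsalted = [sha512_digest("password1"), sha512_digest("password1")]
salted = [new_record("password1"), new_record("password1")]

if __name__ == "__main__":
    print("unsalted digests identical:", unsalted[0] == unsalted[1])
    print("salted digests identical:  ", salted[0][1] == salted[1][1])
    print("table hits, unsalted:", table_hits(TABLE, unsalted))
    print("table hits, salted:  ", table_hits(TABLE, [d for _, d in salted]))
    print("verify correct password:", verify("password1", *salted[0]))
```

A single SHA-512 pass is fast to compute; `hashlib.pbkdf2_hmac` and `hashlib.scrypt` in the same standard library add a tunable work factor on top of the salt.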

The second part of the reason lies in the management of passwords. However strong the password hashing is, the longer a password remains unchanged, the greater the possibility that someone will randomly guess it or capture it using some other form of espionage. LinkedIn never expired users’ passwords, so once a password was discovered, a hacker could expect it to remain valid forever. Fortunately, this could never happen at Medidata, as we require frequent password changes throughout the calendar year.

As you can see, Medidata takes a robust approach to password control. With these controls, among others, we make sure our password files are safe and secure.

Medidata Solutions