Problem $5(20$ points$)$

LinkedIn was breached in $2012$ with a reported $6\mathrm{.}5$ million user accounts compromised

$($so assume that attackers have the plaintext of the username and password$).$ LinkedIn

requested these users to change their passwords, but not all of them did. In $2016,$ a

hacker site was selling $117$ million hacked LinkedIn accounts, and among them were

many of the hacked users from $2012.$ LinkedIn stated that they had already added

$$enhanced protection$($likely a salt functionality to password$)$ after the initial $2012$

breach. LinkedIn was also using SHA$-1$ at the time of the $2012$ hack.

Read

About Secure Password Hashing, and answer the following questions. You are

allowed to use external resources. $($There is no correct answer; to receive full credits,

answer the questions and justify your answers.$)$

i$.$ What$$s one difference between hashing and encryption? $(5$ points$)$

ii$.$ What do you think of LinkedIn's choice of using SHA$-1$ during the $2012$ hack? $(5$

points$)$

iii. Computer Science student, Alex Chicken$-$Soup, stated, $$For the LinkedIn

passwords hack, the problem is not the lack of $$salt$,$ the algorithm they are using

is wrong.$$ How do you interpret Alex$$s statement? Do you agree or disagree with

him? $(5$ points$)$

iv$.$ If you are in charge of LinkedIn's security team, what would you do to prevent

LinkedIn from incidents like this? Can you prevent them? $(5$ points$)$