The LinkedIn password disclosure may not have exposed account names as well. We went over it at a security lunch today. If they used a system similar to RADIUS servers, there are two separate databases: one that maps username to account number, and one that maps account number to password hash. It is plausible that LinkedIn used this structure for the same reasons that RADIUS does: it improves performance in some respects, and it reduces the harm from partial breaches of security, since a leak of the hash store alone does not pair each hash with a username.
I had not considered it likely that LinkedIn would do this, given their silence on security methods and the available information on their database breach. But copying the RADIUS approach (or perhaps using a RADIUS or RADIUS-derived system) is plausible to me.