About the Author

Chris Shiflett

Hi, I’m Chris: web craftsman, community leader, husband, father, and partner at Fictive Kin.


LeakedIn

When I read that LinkedIn leaked 6.5 million passwords, I thought it was newsworthy, so I shared it. Bummer for them, I thought, especially given a few particularly bad practices:

  • The hashes were unsalted SHA-1 hashes. SHA-1 was proven weak back in 2005, and unsalted hashes are especially weak.
  • Those who visited the LinkedIn home page were shown a fake login form that attempted to trick users into giving away their email password. Shame, shame.

I shamed LinkedIn on Twitter and thought that was the end of my interest in the story until Phil pointed me to the dump of the passwords. Minutes later, I discovered that my password was not only one of the 6.5 million that had been leaked, it was also among those that had been cracked. I was a victim.

Unfortunately, I signed up for LinkedIn before I was using 1Password, so the cracked password was used on a handful of other sites. Now, I can never use that password again, and I have to change my password on every site where I used it. In case you're wondering, my password was a concatenation of several words. It was my weak password, but it wasn't that weak.

One of many implications of this is that there is now a (growing) list of hundreds of thousands of cracked passwords. You can be sure that these will be used to seed rainbow tables and will be an obvious choice for seeding a dictionary used to try to crack passwords the next time a leak happens. Even if the next leak is a bunch of salted hashes using a better algorithm, these cracked passwords will never be safe again.

If you want to see if you're also a victim, start by finding the hash of your password. PHP has a sha1() function, so if you're on a Mac, that means you can type this into Terminal (replace password with your password):

php -r 'echo sha1("password") . "\n";'

If you're not already familiar with hashes, just know that the string of characters this command outputs is the SHA-1 hash of your password. You'll need this to check to see whether your password was leaked.

Then, check to see if your hash is in the dump. If it is, your password was leaked but had not been cracked yet (at least not before the dump was uploaded). If you don't find it, replace the first five characters of your hash with 0 and check to see if that is in the dump. If it is, your password has been cracked. If neither is there, yours was not one of the 6.5 million, but keep in mind there's no guarantee that this is the complete list. It is best to assume that your LinkedIn password is unsafe to use anywhere from now on.
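The check just described, as an added Python example (not code from the original post or from the LeakedIn app): it hashes a password, looks for the exact hash and then for the zero-prefixed form in a dump, and reports which case applies. The dump used here is a constructed sample, not the real leak.

```python
import hashlib
import string

HEX = set(string.hexdigits.lower())


def sha1_hex(password):
    """Unsalted SHA-1 of the password, as a 40-digit lowercase hex string."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def cracked_form(full_hash):
    """The dump marks already-cracked hashes by overwriting the first five
    hex digits with zeros; the remaining 35 digits are left intact."""
    return "00000" + full_hash[5:]


# Constructed sample dump (not the real leak): one bare SHA-1 per line,
# in the same shape as combo_not.txt.
SAMPLE_DUMP = "\n".join([
    sha1_hex("sample-leaked-only"),              # intact: leaked, not yet cracked
    cracked_form(sha1_hex("sample-cracked")),    # zeroed prefix: leaked and cracked
    sha1_hex("filler-entry-1"),
    sha1_hex("filler-entry-2").upper(),          # dumps are not always lowercase
    "not a hash line",                           # junk a loader has to skip
])


def load_dump(text):
    """Parse dump text into a set of lowercase 40-digit hex strings, skipping junk."""
    hashes = set()
    for line in text.splitlines():
        line = line.strip().lower()
        if len(line) == 40 and set(line) <= HEX:
            hashes.add(line)
    return hashes


def check_hash(full_hash, dump):
    """Apply the post's procedure: an exact match means leaked but not cracked
    (as of the dump), the zero-prefixed form means cracked, otherwise not found."""
    full_hash = full_hash.strip().lower()
    if len(full_hash) != 40 or not set(full_hash) <= HEX:
        raise ValueError("expected a 40-digit hex SHA-1")
    if full_hash in dump:
        # A hash that genuinely starts with 00000 is identical to its cracked
        # form, so the convention cannot tell the two cases apart for it.
        return "leaked"
    if cracked_form(full_hash) in dump:
        return "cracked"
    return "not found"


def check_password(password, dump):
    return check_hash(sha1_hex(password), dump)


if __name__ == "__main__":
    # Read the password with getpass so it never lands in the shell history.
    import getpass
    import sys

    dump_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUMP
    print(check_password(getpass.getpass("Password to check: "), load_dump(dump_text)))
```

Run it with the path to a dump file as the only argument; without one it checks against the embedded sample.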

Since this isn't very straightforward, a few friends and I thought it would be a good idea to make a simple app that lets you check to see if you're a victim. In fact, while we were talking about what a good idea it would be, Sean made a quick prototype, and Bedrich provided some visual love. Cleverly, we are calling it LeakedIn. The app hashes your password using JavaScript, so your password never leaves your computer. You can verify this by viewing source, but if you prefer, you can also just provide your hash. We'll let you know if your password is one of the 6.5 million that were leaked as well as if it has already been cracked.

http://leakedin.org/

Please let me know if you're one of the lucky ones or a fellow victim. Maybe we can form a support group.

If you're building a web app and want to know how to hash passwords, let me suggest bcrypt, because, "over time it can be made slower and slower, so it remains resistant to specific brute-force search attacks against the hash and the salt."

About this post

LeakedIn was posted on Wed, 06 Jun 2012.

88 comments

1. William Crawford said:

Thanks for providing this. It turns out my password wasn't leaked, which is nice to know. I had already changed it anyhow, though.

Wed, 06 Jun 2012 at 18:04:21 GMT Link


2. Melanie Nelson said:

Hey Chris. Saw Sean post about this. My password was safe, thankfully! :)

Wed, 06 Jun 2012 at 18:07:21 GMT Link


3. Joseph Scott said:

Clever, but I think asking people for their password is a bad policy. Many won't have the know-how to determine if you are doing something bad. If this desensitizes some to phishing sites then that is a bad thing.

Now on the technical side I'm curious. Which password sets are you using? Both C_dwdm6msha1.rar and combo_not.zip?

That and I'm jealous I didn't think of it first :-)

Wed, 06 Jun 2012 at 18:23:55 GMT Link


4. Ciprian Tutu said:

Assuming you got the dump you can just do this too for those non-php-ers out there:

grep `echo -n linkedin | shasum|cut -c6-40` combo_not.txt

0000040c80b6bfd450849405e8500d6d207783b6

Replace "linkedin" with your actual password. Then go delete the entry from your .bash_history just in case :)

Wed, 06 Jun 2012 at 18:42:11 GMT Link


5. Katie Moffat said:

mine was leaked and cracked apparently :(

Wed, 06 Jun 2012 at 19:06:48 GMT Link


6. Arnav Roy said:

Why not expose the password dump as well?

Wed, 06 Jun 2012 at 19:07:02 GMT Link


7. Chris Duffy said:

Another leaked and cracked here. I really liked that password, too. Thank you for the app!

Wed, 06 Jun 2012 at 19:24:17 GMT Link


8. said:

it is nice! I got "Your password was leaked and cracked. Sorry, friend."

Wed, 06 Jun 2012 at 19:29:34 GMT Link


9. Shane Menshik said:

Seriously - WHY WOULD ANYONE USE THIS SITE and provide your password? hacked or not.. You're just providing your password to anyone these days then?

Wed, 06 Jun 2012 at 19:35:10 GMT Link


10. said:

It's worth noting that if your password was cracked, it doesn't necessarily mean your account has been compromised. The password dump does not contain any email addresses. Because these are unsalted SHA-1 hashes, if you share the same password (hopefully not!) with any of the unfortunate 6.5 million on the list, it will appear as if your password has been cracked. If your password has been cracked, but you haven't used the LinkedIn/calendar app on iOS, then you are safe. (but you should still change your password since someone else out there is using it too!)

Wed, 06 Jun 2012 at 19:36:15 GMT Link


11. Ryan Swarts said:

Mine was leaked, but apparently not cracked. Should I change it still? It was a totally random and complex mix of numbers and characters and symbols that took me weeks to memorize. I use it everywhere.

Wed, 06 Jun 2012 at 19:38:09 GMT Link


12. Michael Torres said:

Can someone explain the outcome of this scenario to me? My password was leaked and cracked according to your website, but I have never used an iOS App for LinkedIn in any fashion. What can one do with the information they have from me?

Wed, 06 Jun 2012 at 20:01:13 GMT Link


13. Aseem Kishore said:

Hi there. Thanks for the helpful app!

A colleague pointed out though that we don't have a great way of knowing we can trust the app. Open-sourcing it (I'm surprised there's no GitHub link; apologies if I missed it) would help, but ultimately, we're still sending our unsalted hashes to an app that could simply be maliciously collecting them.

I don't know the legality of this, but it'd be nice if you could just host the list as a text file, e.g. on GitHub, and provide instructions for searching it yourself. Another idea my colleague had was to support entering only part of the SHA. Etc.

Thanks again, and I hope this feedback is appreciated!

Wed, 06 Jun 2012 at 20:23:23 GMT Link


14. Junh Hong said:

Mine was leaked and cracked. Sad :(

Thanks for making the page. I've forwarded it to my friends and family.

Wed, 06 Jun 2012 at 20:42:37 GMT Link


15. Pedro Oliveira said:

Since it already leaked it should be useful to have the dump public

Wed, 06 Jun 2012 at 21:01:32 GMT Link


16. Bahaa' Awartany said:

Another name on the wall of fame. Got the "Looks like your password was not leaked. Hooray!" message. Phew!

Wed, 06 Jun 2012 at 22:00:40 GMT Link


17. Jeff Porter said:

LeakedIn just returns an error page, 'No data received'. I guess there's a disorderly queue swamping the server.

I closed my account at the end of last year, but have heard that doesn't make you, or your password, safe. So I'll check back.

Wed, 06 Jun 2012 at 22:08:53 GMT Link


18. Jeff Porter said:

Got a bit return-key happy, there.

Meant to add...

A big thanks to Chris and FictiveKin for doing something to help others, a reminder that there are more wonderful people on the web than there are trolls.

Wed, 06 Jun 2012 at 22:16:43 GMT Link


19. David Lewis said:

Just checked. My password seems secure. Did use Lastpass when I setup my LinkedIn account. Wonder if that provided some protection?

Wed, 06 Jun 2012 at 22:20:25 GMT Link


20. Brian Logan said:

Add me to the leaked but not cracked group. I used an email address and password unique to linkedin, so when they do crack it I'll be okay elsewhere.

Wed, 06 Jun 2012 at 22:28:03 GMT Link


21. Vince Work said:

If a hacker were to get into leakedin.org's webserver and leak its access log, wouldn't he/she now have more SHA1s to add to the list of 6.5 million?

A page that generates the user's SHA1 (using JS) along with another (static) page that contains the exposed SHA1s for comparison would have been sufficient. Why have SHA1s go over the wire through easily sniffable HTTP?

Wed, 06 Jun 2012 at 22:57:37 GMT Link


22. Uriah Jacobs said:

yep, mine was leaked, but not cracked. Unfortunately, and I don't know why, but I was using my secure password for this site... Bummer.

Wed, 06 Jun 2012 at 23:09:01 GMT Link


23. Matthew Mansfield said:

Unfortunately, I'm in the leaked and cracked group. Thankfully the password was an old one I no longer use anywhere other than LinkedIn.

Wed, 06 Jun 2012 at 23:22:02 GMT Link


24. Michael Streeter said:

Not leaked or cracked. Hooray!

Good news: since the Sony affair, I used a password unique to each site. Bad news: I registered with LI before the Sony affair - and used my "Lord Of The Rings" type password, which now has to be discontinued.

Wed, 06 Jun 2012 at 23:42:24 GMT Link


25. Jim Ausman said:

Leaked and cracked here too. I use a unique password on each site so not a major problem. I did have to change it though.

Thu, 07 Jun 2012 at 00:03:49 GMT Link


26. John Van Der Loo said:

Leaked password sufferer here too. Not cracked fortunately.

For anyone who wants to generate a new password try my password generator http://correcthorsebatterystaple.net/

Thu, 07 Jun 2012 at 00:09:03 GMT Link


27. Chris Shiflett said:

Thanks for the comments.

A few quick notes:

1. Yes, it is wrong to provide your password for one site to a completely different site. We're no different, and this almost prevented us from making this tool.

2. The password dump we have is not guaranteed to be complete. In fact, I wouldn't be surprised if someone has a dump of the entire database that also includes email addresses. The scary truth is that we simply don't know.

3. You should assume your LinkedIn password, and especially the hash of your LinkedIn password, is already in the open. Providing it to LeakedIn enforces a bad habit, but it's not exactly the same as the password anti-pattern. I do not think direct comparisons are accurate or fair. I may explain why in more detail later.

4. Like many of you, I also changed my LinkedIn password, but since they don't know how this happened yet, they haven't fixed anything. Therefore, we should assume that our new LinkedIn passwords are also compromised.

Hopefully this answers a few of the most common questions.

Thu, 07 Jun 2012 at 00:19:26 GMT Link


28. Mona Lisa Overdrive said:

Being curious (and having already changed my password) I input my password into your webapp and, no surprise, it had been cracked.

Being cautious, I did view the source. The hash script looks legit, however at the bottom of the page there's a link to a script that, after viewing the source, I wasn't sure about. It's not commented and it's tangled so I didn't parse all of it and I won't post it here, but can you say what getclicky.js does?

Thu, 07 Jun 2012 at 00:27:30 GMT Link


29. Mona Lisa Overdrive said:

...or I could've just googled the name of the script and found out what it does. Disregard the question above, thanks.

Thu, 07 Jun 2012 at 00:28:56 GMT Link


30. Stefanie Harvey said:

Thanks for providing the link; I'm a lucky one (curious as to what differentiates that) and will change my password once word gets out that LinkedIn has fixed the issue.

Cheers!

Thu, 07 Jun 2012 at 01:21:28 GMT Link


31. Disa Johnson said:

Leaked and cracked, used on a handful of unimportant sites but still never to be used again and changed wherever it was used. LinkedIn no salt? Gah!

Thu, 07 Jun 2012 at 01:41:25 GMT Link


32. Pad Dad said:

My password was leaked, but not cracked. Strong password with uppercase, lowercase, numbers, etc. I changed it anyway because it's only a matter of time before it is cracked.

If you do not trust the site change your LinkedIn password first, hash your old password locally on your computer, and submit it to see if your password was in the list. This is what I did.

Even if you are not in the list, you should still change your password. This may be only part of the list and LinkedIn still has not said that they have fixed the hole that allowed the passwords to be compromised. Also, do not use the same passwords on multiple websites, this is just asking for trouble.

Cheers

Thu, 07 Jun 2012 at 02:07:18 GMT Link


33. Jack van Lelyveld said:

Hey Chris - thanx for the share and shame. LinkedIn really should pull their heads out of the sand and fix the problem. With such a huge subscriber base it's bad for business.

I'm safe but changing anyway. Infuriating how my clever 1 password must now be changed on numerous sites - shame on LinkedIn!!!

#Jack van Lelyveld

Thu, 07 Jun 2012 at 03:53:07 GMT Link


34. Zhi Shan said:

Damn it my password is leaked! Screw them man.

Thu, 07 Jun 2012 at 03:55:09 GMT Link


35. Harry Callahan said:

Chris, asking web site visitors for plaintext passwords, even client-side hashed, is super bad form. The correct way to implement this kind of application while keeping your geek creds intact is to use private information retrieval, which is a cryptographic technique specifically designed for exactly this kind of situation:

https://en.wikipedia.org/wiki/Priva...ation_retrieval

Thu, 07 Jun 2012 at 04:31:13 GMT Link


36. Harry Callahan said:

To follow up on my previous comment, here's a "trivial" PIR (private information retrieval) scheme suitable for this scenario which requires zero cryptography and would provide significant privacy benefits to the user. Instead of sending the full hashed password to the web server, send only the last four characters. The web server can then provide the client with a list of all of the hashes that match those last four characters, which for this particular list of hashes is a pretty good size (not too big, not too small). Then you use a little Javascript to check (client-side) whether or not the full hash is present in the list that the server returned.

For users whose passwords were already compromised, there is no difference in privacy -- their passwords are still just as compromised as before. But for users whose passwords were not compromised, there is a huge benefit: the act of using your web page does not further compromise their password (e.g. by sending an unsalted hash of their password over the internet in plain text, which is what you're doing right now).

Thu, 07 Jun 2012 at 05:01:13 GMT Link
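The suffix-bucket scheme this comment describes, as an added Python example (not the commenter's code and not what leakedin.org ran): the server indexes the dump by the last four hex digits of each hash, the client sends only those four digits, and the comparison of the full hash and its zero-prefixed form happens on the client. The dump is a constructed sample, not the real leak.

```python
import hashlib
import string
from collections import defaultdict

HEX = set(string.hexdigits.lower())
SUFFIX_LEN = 4  # hex digits that leave the client: 16 bits of a 160-bit hash


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def cracked_form(full_hash):
    # Dump convention: cracked hashes have their first five hex digits zeroed.
    # The suffix is untouched, so both forms of a hash land in the same bucket.
    return "00000" + full_hash[5:]


# Constructed sample dump, not the real leak.
SAMPLE_DUMP = [
    sha1_hex("sample-leaked-only"),
    cracked_form(sha1_hex("sample-cracked")),
    sha1_hex("filler-entry-1"),
    sha1_hex("filler-entry-2"),
]


class LeakServer:
    """Server side: holds the dump bucketed by suffix and answers suffix queries only."""

    def __init__(self, dump_lines):
        self.buckets = defaultdict(list)
        for h in dump_lines:
            h = h.strip().lower()
            if len(h) == 40 and set(h) <= HEX:
                self.buckets[h[-SUFFIX_LEN:]].append(h)
        self.request_log = []  # everything an access log could record per client

    def lookup(self, suffix):
        suffix = suffix.lower()
        if len(suffix) != SUFFIX_LEN or not set(suffix) <= HEX:
            raise ValueError("expected %d hex digits" % SUFFIX_LEN)
        self.request_log.append(suffix)
        return list(self.buckets.get(suffix, []))


def client_check(password, server):
    """Client side: hash locally, send only the suffix, compare the full hash at home."""
    full = sha1_hex(password)
    candidates = set(server.lookup(full[-SUFFIX_LEN:]))
    if full in candidates:
        return "leaked"
    if cracked_form(full) in candidates:
        return "cracked"
    return "not found"


def expected_bucket_size(total_hashes, suffix_len=SUFFIX_LEN):
    """Average number of hashes one query returns, assuming uniformly spread hashes."""
    return total_hashes / (16 ** suffix_len)


if __name__ == "__main__":
    server = LeakServer(SAMPLE_DUMP)
    for pw in ("sample-leaked-only", "sample-cracked", "something-else"):
        print(pw, "->", client_check(pw, server))
    print("server saw only:", server.request_log)
    print("bucket size for 6.5M hashes: %.0f" % expected_bucket_size(6_500_000))
```

For 6.5 million hashes a four-digit suffix gives roughly a hundred candidates per query, which is the "not too big, not too small" size the comment mentions.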


37. said:

Mine was on the list, but not "cracked." But I changed it anyway.

Thu, 07 Jun 2012 at 05:04:56 GMT Link


38. Montana Leet said:

The LeakedIn site says that my password was cracked, but I haven't received an e-mail from LinkedIn like I'm supposed to have had. Is LeakedIn accurate or has LinkedIn just mistakenly failed to include me in the e-mails it sent out?

Thu, 07 Jun 2012 at 05:33:41 GMT Link


39. Marco Davids said:

The tool has a flaw. I obtained a list of cracked passwords and tried a few. It then says the password was not cracked. So it is not 100% reliable.

Here are a few examples:

2348370f9894148d8dc3bc5eb7bd09f5d8d46614:Breezy#1

ad6d091de537ddb3cbc602bbea867e61da2e9dc2:Shaggy#32

bcfd9248be0decc2679c19b1e63d384cfad82b58:Lizzie#23

etc.

Thu, 07 Jun 2012 at 06:02:30 GMT Link


40. Lisa Bialac-Jehle said:

Yep....Mine was leaked and cracked....PS: Linkedin's stock went up 9¢ today. WTH? Grrrr.....

Thu, 07 Jun 2012 at 06:09:41 GMT Link


41. Sandra Payne said:

Mine was leaked, but not cracked. It was a strong password, so I'm bummed to lose it. I just worked out another one, changed it, and then read here that since LinkedIn doesn't know how this happened, my new one will have to be temporary as well. *sigh*

Thu, 07 Jun 2012 at 08:00:09 GMT Link


42. Karan Mavai said:

The interesting thing is that the list provides false positives to a lot of people. Based on the logic described, any cracked password has its hash's 5 leading characters replaced with 0's. By doing that, aren't they increasing the number of potential passwords that come back as cracked?

Thu, 07 Jun 2012 at 08:02:47 GMT Link


43. Pete Woolley said:

Not leakedin. Phew.

Thu, 07 Jun 2012 at 09:02:42 GMT Link


44. Martina Skelly said:

Leaked and Cracked :(

Thu, 07 Jun 2012 at 10:45:17 GMT Link


45. said:

How can I decrypt this?

00000def8fc887cd8e910823e98ae509c3d2dedc

Thu, 07 Jun 2012 at 10:54:08 GMT Link


46. Liz Needham said:

Not leaked or cracked. Password changed though.

Thu, 07 Jun 2012 at 11:17:43 GMT Link


47. Chris Curry said:

Leaked but not cracked. I changed it, and I noticed that LinkedIn is increasing security.

Thanks.

Thu, 07 Jun 2012 at 11:29:48 GMT Link


48. Pierre Rudloff said:

Looks like I am a victim too.

Thu, 07 Jun 2012 at 11:37:19 GMT Link


49. Mike Buksas said:

Leaked and Cracked. And now, Changed! Asking LastPass for a new random mess of characters is very easy.

Thank you for this service. I'm very disappointed that I learned about this problem (and LeakedIn.org) through Ars Technica, and not LinkedIn.

Thu, 07 Jun 2012 at 13:01:40 GMT Link


50. Audrey Greeson said:

Not leaked thank goodness, but I changed my password anyway. Thanks for the heads up!

Thu, 07 Jun 2012 at 13:02:59 GMT Link


51. Charles Reace said:

Thanks again, Chris. Fortunately my password was apparently not compromised (yet?).

Thu, 07 Jun 2012 at 13:27:59 GMT Link


52. said:

This looks like a duck story to raise LinkedIn's reputation. Did you see that: http://www.alexa.com/siteinfo/linkedin.com ?

Thu, 07 Jun 2012 at 13:33:59 GMT Link


53. DL Byron said:

Know you meant well here and SwissMiss endorsed this, but it's really a bad idea. Suggest you either take it down or revise it to remove some characters and do a compare, as other commentators have said. You've still got time to save yourself and gain more geek cred with a fix or removal.

Thu, 07 Jun 2012 at 13:42:49 GMT Link


54. Matthew Smith said:

Leaked and cracked. Shitballs. Thanks for posting Chris.

Thu, 07 Jun 2012 at 14:01:02 GMT Link


55. Tim Bradley said:

Want to know if your LinkedIn password has been stolen??? I made this short tutorial to demonstrate how to check if your LinkedIn password has been hacked. It also demonstrates the need for strong passwords. http://youtu.be/OFFL8FVNb5w

Thu, 07 Jun 2012 at 14:39:50 GMT Link


56. Lynne Pope said:

Leaked and cracked but still waiting for LinkedIn to bother sending an email to say --- anything! It was moderately strong but obviously not strong enough. Damn. Thanks for this work Chris.

Thu, 07 Jun 2012 at 17:05:57 GMT Link


57. Vince Work said:

Despite sound reasoning and suggestions from a few commenters here, leakedin.org remains flawed. Considering the hysteria around this event and the attention leakedin.org is getting, the following MUST be considered:

1) Many users are submitting their SHA-1s to leakedin.org, sent over cleartext http. This traffic can be sniffed (people checking at Starbucks or anywhere with public wifi). The list of exposed SHA-1s is now greater.

2) leakedin.org's access logs will have URLs tied with IPs--and potentially the user. If a savvy hacker were to get those logs, that would be a nice prize.

3) leakedin.org is using analytics from getclicky. How secure is getclicky? Does getclicky store URLs and IPs? If so, another nice prize if they were obtained.

4) It only takes a malicious site to copy your site and take advantage of the situation. Case in point: http://leakedln.org.

5) Considering the mass hysteria going on, 4) can easily happen with Spam.

The above are paranoid scenarios, but we're talking about security here.

It only took a few hours to make the site, right? Why not spend another couple hours refining the algorithm by doing a client-side-only check (send partial hash to server, return subset from server, compare on client). This site is apparently already doing that: http://crackedin.s3-website-us-east-1.amazonaws.com/ .

Thu, 07 Jun 2012 at 19:07:19 GMT Link


58. Dan Hoogterp said:

Mine was leaked, but not cracked. It was a fairly strong and unique pw for that site. I changed it the second the news broke, so I had no reservations trying it with this tool.

I know a half dozen people who checked and realized they were leaked and cracked. This helps train people going forward on the need for unique, strong passwords.

I think the tool is a great help. Thank You.

Thu, 07 Jun 2012 at 21:32:33 GMT Link


59. Michael Rasmussen said:

Leaked but not cracked. Yay! for acronym based passwords!

Thu, 07 Jun 2012 at 21:43:59 GMT Link


60. Michael Rasmussen said:

What? None of these were leaked?

horsebatterystaple

staplebatteryhorse

batteryhorsestaple

correcthorsebatterystaple

What's the world coming to?

Thu, 07 Jun 2012 at 21:59:47 GMT Link


61. Chris Morrow said:

Can someone explain the difference between leaked and cracked? If a password has been leaked but not cracked, does that mean that it has become public knowledge that the password exists (eg, having "123456" be leaked is basically meaningless), but the password has not yet been connected to a particular account? If not that, then what?

Thu, 07 Jun 2012 at 22:06:13 GMT Link


62. Daniel Park said:

@Chris Morrow

Leaked means the encrypted hash form of your password has been leaked. It looks something like this:

qiyh4XPJGsOZ2MEAyLkfWqeQ

Cracked means someone has successfully decrypted that hash and now knows exactly what your password is.

IIRC, we don't know whether the people who obtained the leak also have a list of accounts/emails associated with each hash. But I'd say there is a fairly good chance.

Thu, 07 Jun 2012 at 22:16:45 GMT Link


63. Chris Morrow said:

How can it work in one direction but not the other? If the LeakedIn tool can take in a password and output a hash, then doesn't that by definition mean that the encryption system is public knowledge, and hence the hash form is readily decryptable back into the original password? My knowledge of cryptography is (obviously) pretty small, so I'm still confused.

Thu, 07 Jun 2012 at 22:26:18 GMT Link


64. David Bowling said:

Leaked and cracked. So if I'm reading this correctly, I need to immediately change my LinkedIn password and any other site where I may be using that password. Is that correct? Is Norton of no use in this situation?

Thank You!

Thu, 07 Jun 2012 at 22:55:02 GMT Link


65. Chris Morrow said:

I've already admitted ignorance, but I don't believe that any of your computer's security software can help at all with an already-cracked password, since that's something completely outside your computer.

Thu, 07 Jun 2012 at 23:03:39 GMT Link


66. Mary Mihalik said:

Why am I not seeing anywhere on leakedin.com to check my pw?

Thu, 07 Jun 2012 at 23:38:42 GMT Link


67. Trevor Dyck said:

Thanks for creating this! I'd be much more comfortable if it used an https:// secure server, entering my password (even hashed) and sending it clear over the wire is not really so secure...

Fri, 08 Jun 2012 at 00:10:37 GMT Link


68. Daniel Park said:

@Chris Morrow

Typically most security systems will take your password and apply a secret key to it before hashing it; this key is called a salt. Therefore successfully decrypting a hash usually involves discovering the salt and not just the hash technique.

Fri, 08 Jun 2012 at 00:38:57 GMT Link


69. Michael Rasmussen said:

Will you be getting updates of the cracked password list?

Fri, 08 Jun 2012 at 00:56:14 GMT Link


70. Amarendra Godbole said:

@Trevor Dyck: The site uses javascript to compute the hash, so no password is sent over the wire. "View Source" of the webpage (leakedin.org) for details. You are safe.

Fri, 08 Jun 2012 at 03:47:58 GMT Link


71. Greg Comfort said:

Thanks for this app. Very nice work. I changed my LinkedIn pw as soon as I heard the news. Seems my old one was leaked but not cracked, probably 'cos it was based on a non-English word. Fortunately was unique to LinkedIn. Thx again.

Fri, 08 Jun 2012 at 04:29:51 GMT Link


72. said:

To all the folks posting silliness such as "not leaked" "not cracked" "whew"

well, your password was just leaked. And you yourself just leaked it.

never.ever.ever.type your password used on one site into another.

I cannot believe you folks just fell for the same trick that phishers use WHILE READING A SECURITY BLOG!!!

Even if that leakedIn site is legit, you don't know that for sure! You are just trusting that it is...because someone on the internet told you so.

They are not even securing the transmission of your precious password to their precious site. (Notice the lack of a lock icon in your browser when you type.) It is clear text for all to potentially see. The failed lookups are probably all being logged for future inclusion into said rainbow tables for all we know.

Fri, 08 Jun 2012 at 06:10:15 GMT Link


73. Amarendra Godbole said:

@tpsboston: The site uses javascript to compute the sha1 hash, so no password is transmitted over the wire. The hash is computed locally on your browser, which is then transmitted over the wire to do a lookup.

Fri, 08 Jun 2012 at 06:24:40 GMT Link


74. said:

@Amarendra Godbole

What was that GetClicky stuff in the javascript earlier? It's gone now but was there. Just because the code "looks safe" now does not mean it was safe two hours ago.

This is the problem. Client-side javascript is changing and the end-user has no idea. It could have changed again while I bothered to type this.

Best practices should still always apply. I'm sure the authors of this blog agree completely.

Fri, 08 Jun 2012 at 06:36:54 GMT Link


75. Kashish Jain said:

My Password is safe and is not on the list. Thank you for informing.

With Regards

Kashish Jain

Fri, 08 Jun 2012 at 11:24:27 GMT Link


76. Olli Erinko said:

Well, my password wasn't on the list of cracked passwords.

Though, the day LinkedIn leak was announced (actually just a few hours after), my GMail account was accessed from China (I'm around.. 7000 kilometers from there, no way I could get there within the 5 minutes of me accessing it from here and someone accessing it from there).

I suppose I could call myself lucky for Google's protective measures (the account was locked instantly, and required me to re-enable it with my mobile phone).

In other words, I'm not so sure that the list found on various forums is a complete list of all leaked passwords.

Fri, 08 Jun 2012 at 13:31:13 GMT Link


77. Michael Rasmussen said:

@Olli Erinko - You can tunnel and log in from two places at a time. I'm routinely accessing my bank account from net locations ~2700km apart within 20 minutes.

Fri, 08 Jun 2012 at 14:50:12 GMT Link


78. said:

@Amarendra Godbole: Doesn't matter that the password is hashed client side. There's no difference between sending the hash over the wire in clear text and the hash existing in the leaked file. The leaked file doesn't contain any passwords in clear text either. If you're concerned about your hash existing in this file, you should be concerned about sending it across the wire in the clear as well.

@Chris Morrow: Leaked means the hash was leaked when the file was leaked. Cracked means that the hash has been reversed into a password. It's possible to be leaked but not cracked because hash algorithms are one way. You can generate a hash from some text but there is no algorithmic way to get the text from the hash. In order to crack the passwords given the hashes one has to brute force (i.e. guess) the passwords. Clever folks have created specialized programs to make cracking these hashes more efficient, including Rainbow Tables. For a deeper understanding see http://netsecurity.about.com/od/hackertools/a/Rainbow-Tables.htm.

Fri, 08 Jun 2012 at 18:17:10 GMT Link


79. Vince Work said:

Thanks for removing getclicky--an acknowledgment of the security risk mentioned in comment #57, perhaps? However, there are still glaring issues with leakedin.org.

leakedin.org is transmitting unsalted SHA1 hashes over cleartext HTTP.

Ask yourself this. What did hackers obtain from LinkedIn and post on an online forum--the whole source of this controversy?

Answer: unsalted SHA1 hashes.

Now, what does leakedin.org risk leaking?

Answer: More unsalted SHA1 hashes.

To offer a solution by compounding the problem is just not right. Please reconsider.

Fri, 08 Jun 2012 at 19:08:17 GMT Link


80. Michael Hraba said:

Friendly question for layman....

You enter your password, and all within my browser, without anything transmitted, and no one seeing it, my password transforms into a bunch of stuff.... and then it checks it?

Slow non-techie people want to join in, too. =)

Fri, 08 Jun 2012 at 21:33:01 GMT Link


81. said:

I typed in some entries from the 10 worst passwords leaked and it says I am safe - WTH? Did they remove those entries?

Sat, 09 Jun 2012 at 15:54:52 GMT Link


82. said:

Thanks Chris for this very helpful blog. I too was reluctant to post my password so I used a php script on xampp to hash it, then used findstr from the Windows 2003 Resource Kit to search the combo_not.txt file. Sure enough, there was my hashed password!

Mon, 11 Jun 2012 at 09:05:07 GMT Link


83. said:

Mine was leaked but not cracked.

Anyway I changed it.

Mon, 11 Jun 2012 at 09:18:49 GMT Link


84. Ian Coleman said:

Thanks Chris!

This has become a SERIOUS problem, the hackers HAVE the corresponding email address to my cracked password!! I only use the email address I used for LinkedIn in one other place, Twitter. Stupidly my Twitter and LinkedIn accounts also had the same password, which I didn't realise until this morning, as my Twitter account was accessed by a 3rd party who tweeted spam tweets to a Russian-based .ru site.

Either via the linkedIn data dump, or by other means, the group clearly have matched email addresses with passwords! Now I have to check everything to make sure there isn't somewhere else I've used that email address/password combo.

Thanks for shedding light on this, LinkedIn certainly aren't

Mon, 11 Jun 2012 at 13:54:50 GMT Link


85. Marek Janouš said:

Mine was not leaked nor cracked according to leakedin.org, yet I still got the e-mail from LinkedIn, saying they believe it was included “in the post” (though not cracked).

Tue, 12 Jun 2012 at 09:47:06 GMT Link


86. Elisavet Triant said:

Well, asking people for their passwords, even if it's legit isn't a very good idea.

What I did was to change my password anyway in LinkedIn and THEN check to see if it was leaked. Your form says it wasn't.

Wed, 13 Jun 2012 at 07:18:11 GMT Link


87. Bob Lerner said:

Rather shocked that leakedin not only doesn't use a password field for the password, that it also doesn't serve over SSL either.

In the event that my password wasn't on this list, then shoulder surfers, back-button pressers, or man-in-the-middle attackers could sure get it then.

Fri, 22 Jun 2012 at 16:49:14 GMT Link

