LeakedIn06 Jun 2012
When I read that LinkedIn leaked 6.5 million passwords, I thought it was newsworthy, so I shared it. Bummer for them, I thought, especially given a few particularly bad practices:
- The hashes were unsalted SHA-1 hashes. SHA-1 was proven weak back in 2005, and unsalted hashes are especially weak.
- Those who visited the LinkedIn home page were shown a fake log in form that attempts to trick users into giving away their email password. Shame, shame.
I shamed LinkedIn on Twitter and thought that was the end of my interest in the story until Phil pointed me to the dump of the passwords. Minutes later, I discovered that my password was not only one of the 6.5 million that had been leaked, it was also among those that had been cracked. I was a victim.
Unfortunately, I signed up for LinkedIn before I was using 1Password, so the cracked password was used on a handful of other sites. Now, I can never use that password again, and I have to change my password on every site where I used it. In case you're wondering, my password was a concatenation of several words. It was my weak password, but it wasn't that weak.
One of many implications of this is that there is now a (growing) list of hundreds of thousands of cracked passwords. You can be sure that these will be used to seed rainbow tables and will be an obvious choice for seeding a dictionary used to try to crack passwords the next time a leak happens. Even if the next leak is a bunch of salted hashes using a better algorithm, these cracked passwords will never be safe again.
If you want to see if you're also a victim, start by finding the hash of your password. PHP has a
sha1() function, so if you're on a Mac, that means you can type this into Terminal (replace password with your password):
php -r 'echo sha1("password") . "\n";'
If you're not already familiar with hashes, just know that the string of characters this command outputs is the SHA-1 hash of your password. You'll need this to check to see whether your password was leaked.
Then, check to see if your hash is in the dump. If it is, it means they have not cracked it yet (not before the dump was uploaded). If you don't find it, then replace the first five characters of your hash with a
0, and check to see if that is in the dump. If that is, it means they have cracked it. If neither are there, it means yours was not one of the 6.5 million, but keep in mind there's no guarantee that this is the complete list. It is best to assume that your LinkedIn password is henceforth unsafe to be used anywhere.
Please let me know if you're one of the lucky ones or a fellow victim. Maybe we can form a support group.
If you're building a web app and want to know how to hash passwords, let me suggest bcrypt, because, "over time it can be made slower and slower, so it remains resistant to specific brute-force search attacks against the hash and the salt."