06 Jun 2012

When I read that LinkedIn leaked 6.5 million passwords, I thought it was newsworthy, so I shared it. Bummer for them, I thought, especially given a few particularly bad practices:

I shamed LinkedIn on Twitter and thought that was the end of my interest in the story until Phil pointed me to the dump of the passwords. Minutes later, I discovered that my password was not only one of the 6.5 million that had been leaked, it was also among those that had been cracked. I was a victim.

Unfortunately, I signed up for LinkedIn before I was using 1Password, so the cracked password was used on a handful of other sites. Now, I can never use that password again, and I have to change my password on every site where I used it. In case you're wondering, my password was a concatenation of several words. It was my weak password, but it wasn't that weak.

One of many implications of this is that there is now a (growing) list of hundreds of thousands of cracked passwords. You can be sure that these will be used to seed rainbow tables and will be an obvious choice for seeding a dictionary used to try to crack passwords the next time a leak happens. Even if the next leak is a bunch of salted hashes using a better algorithm, these cracked passwords will never be safe again.

If you want to see if you're also a victim, start by finding the hash of your password. PHP has a sha1() function, so if you're on a Mac, that means you can type this into Terminal (replace password with your password):

  1. php -r 'echo sha1("password") . "\n";'

If you're not already familiar with hashes, just know that the string of characters this command outputs is the SHA-1 hash of your password. You'll need this to check to see whether your password was leaked.

Then, check to see if your hash is in the dump. If it is, it means they have not cracked it yet (not before the dump was uploaded). If you don't find it, then replace the first five characters of your hash with a 0, and check to see if that is in the dump. If that is, it means they have cracked it. If neither are there, it means yours was not one of the 6.5 million, but keep in mind there's no guarantee that this is the complete list. It is best to assume that your LinkedIn password is henceforth unsafe to be used anywhere.

Since this isn't very straightforward, a few friends and I thought it would be good idea to make a simple app that lets you check to see if you're a victim. In fact, while we were talking about what a good idea it would be, Sean made a quick prototype, and Bedrich provided some visual love. Cleverly, we are calling it LeakedIn. The app hashes your password using JavaScript, so your password never leaves your computer. You can verify this by viewing source, but if you prefer, you can also just provide your hash. We'll let you know if your password is one of the 6.5 million that were leaked as well as if it has already been cracked.


Please let me know if you're one of the lucky ones or a fellow victim. Maybe we can form a support group.

If you're building a web app and want to know how to hash passwords, let me suggest bcrypt, because, "over time it can be made slower and slower, so it remains resistant to specific brute-force search attacks against the hash and the salt."