Agree 100%. Every password I use is unique.
I don't even know what they are.
I store them in an encrypted word doc protected by a 20+ character sentence.
My linkedin was too complex to crack anytime soon, but even if it was, it would impact my other accounts ZERO.
While there's newer stuff out that doesn't have collision issues, those two are the most widely used hash algorithms out there w/o salts.
But yeah, if your password was a dictionary word, it was cracked in 1ms.
If it was unique(not a word), had uppercase, lowercase, numbers, characters, then they'll likely not crack it in your lifetime.
.
That's not quite how I interpret what happened, and very few sites seem to go into this.
Here's how I understand it..
Although the hash database, not the passwords was stolen, the password
IS deducible from the hash algorithims where weak hashing algorithms such as MD-5 and SHA-1 are used (and not 'salted'). This is what LinkedIn was using. **facepalm**. What is not clear to me though is whether they had the corresponding username associated with that hash.
This is easily accomplished by usage of a easily downloadable 'rainbow table' ((
http://ophcrack.sourceforge.net/tables.php) that contains a table (hash, password) value pair. If I know one, I have the other.
Repeat: If I have the hash of your password for weak hashing algorithm such as what MD5 & SHA-1 is which is not salted*, I KNOW your password.
For example: If your password is 'password' - the SHA-1 hash is : '5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8'
'nsxprime' it is: 31aec1bf84765719b4d8ead4d025c9e01961790b.
If I steal the sha-1/md5 database that has username, hash pairs (e.g. nsxotic911, 5baa......ee68fd) - all I do is look it up in the rainbow table.
You can use this to see if the hash / password was stolen:
https://lastpass.com/linkedin/
*A salt is just fancy way of saying adding a 'value' to the password before 'hashing/encrypting it' and that effectively significantly increases the length/complexity of the password (exponentially), and require an exponentially larger rainbow table - which makes it 'infeasible' (
http://www.codinghorror.com/blog/2006/07/brute-force-key-attacks-are-for-dummies.html) for truly random values (discounting quantum computing). The size grows to trilliions, quadrillions, dupa tillions... as you go up in character count etc.. and not worth anyones time to dynamically put together. It would take thousands of years to crack a key with
For example. If your password was 'password' and the password was salted with 'rfajsd909JAOIHNLK!NL!@'fiou1!$', the password wihich the attacker did NOT know, the hash of the password is effectively is 'rfajsd909JAOIHNLK!NL!@'fiou1!$password'. Even if they knew that it was 'password' - they would have to build a custom rainbow table to figure out all of the other possible characters that are bound with the word ****************'password.'
LinkedIn was not salting their passwords, which they could have even if it was using MD5/SHA-1 (considered weak/insecure by default) but chose not to.