Millions of LinkedIn passwords reportedly leaked online

Another reason to use a Password Vault and store a strong password for each service you use.

In absence, at minimum, a user should NOT use the same password for linkedin/facebook/email, as one for the bank account.

Gotta go change my LinkedIn password! Agh!!
 
OMG!!! My LinkedIn password is the same as my prime password. My account's been compromised. Someone else may post shit over the next few weeks that may not be me.
 
.........you mean all that metro sh%t you've been posting was you:tongue:
 
They just posted the SHA1 and MD5 hashes (I can't believe they use such mickey mouse mechanisms which have long been shown to be insecure). Since there's no salt, they're doing a brute force attack ... which means they'll get an equivalent that matches the hash, but they won't necessarily have your actual password.
 
I'm sorry but what the *#%^ did you just say? :biggrin:
 
It means they're trying to make educated guesses as to what the passwords are based on some attributes that are calculated from the passwords themselves, but since they don't have the values used in the calculations, they don't really know if their guesses are correct until they try them.
 
Another reason to use a Password Vault and store a strong password for each service you use.

Agree 100%. Every password I use is unique.
I don't even know what they are.
I store them in an encrypted word doc protected by a 20+ character sentence.
My linkedin was too complex to crack anytime soon, but even if it was, it would impact my other accounts ZERO.


They just posted the SHA1 and MD5 hashes (I can't believe they use such mickey mouse mechanisms which have long been shown to be insecure). Since there's no salt, they're doing a brute force attack ... which means they'll get an equivalent that matches the hash, but they won't necessarily have your actual password.

While there's newer stuff out that doesn't have collision issues, those two are the most widely used hash algorithms out there w/o salts.
But yeah, if your password was a dictionary word, it was cracked in 1ms.
If it was unique (not a word), had uppercase, lowercase, numbers, characters, then they'll likely not crack it in your lifetime.

.
 

That's not quite how I interpret what happened, and very few sites seem to go into this.

Here's how I understand it..

Although the hash database, not the passwords, was stolen, the password IS deducible from the hash algorithms where weak hashing algorithms such as MD-5 and SHA-1 are used (and not 'salted'). This is what LinkedIn was using. **facepalm**. What is not clear to me though is whether they had the corresponding username associated with that hash.

This is easily accomplished by usage of an easily downloadable 'rainbow table' (http://ophcrack.sourceforge.net/tables.php) that contains a table (hash, password) value pair. If I know one, I have the other.

Repeat: If I have the hash of your password for a weak hashing algorithm such as MD5 or SHA-1 that is not salted*, I KNOW your password.


For example: If your password is 'password' - the SHA-1 hash is : '5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8'
'nsxprime' it is: 31aec1bf84765719b4d8ead4d025c9e01961790b.

If I steal the sha-1/md5 database that has username, hash pairs (e.g. nsxotic911, 5baa......ee68fd) - all I do is look it up in the rainbow table.

You can use this to see if the hash / password was stolen:
https://lastpass.com/linkedin/

*A salt is just a fancy way of saying adding a 'value' to the password before 'hashing/encrypting it', and that effectively significantly increases the length/complexity of the password (exponentially), and requires an exponentially larger rainbow table - which makes it 'infeasible' (http://www.codinghorror.com/blog/2006/07/brute-force-key-attacks-are-for-dummies.html) for truly random values (discounting quantum computing). The size grows to trillions, quadrillions, dupa tillions... as you go up in character count etc., and is not worth anyone's time to dynamically put together. It would take thousands of years to crack a key with

For example: if your password was 'password' and the password was salted with 'rfajsd909JAOIHNLK!NL!@'fiou1!$', the password which the attacker did NOT know, the hash of the password is effectively 'rfajsd909JAOIHNLK!NL!@'fiou1!$password'. Even if they knew that it was 'password' - they would have to build a custom rainbow table to figure out all of the other possible characters that are bound with the word ****************'password.'

LinkedIn was not salting their passwords, which they could have even if it was using MD5/SHA-1 (considered weak/insecure by default) but chose not to.
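Added example, not part of any post in this thread: the unsalted SHA-1 storage discussed above shown beside a salted alternative, so the difference in what a stolen hash table reveals is visible. The user names, candidate list, and the choice of PBKDF2-HMAC-SHA256 with 100,000 iterations are assumptions made for illustration; the thread itself only mentions salting.

```python
import hashlib
import hmac
import os

COMMON = ["password", "123456", "letmein"]  # constructed candidate list

def sha1_hex(password):
    """Unsalted SHA-1: the same input gives the same digest on every system."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

# A precomputed hash -> password table works against any unsalted SHA-1 store.
PRECOMPUTED = {sha1_hex(p): p for p in COMMON}

def exposed_accounts(stored):
    """Return {user: password} for each stored unsalted hash found in the table."""
    return {u: PRECOMPUTED[h] for u, h in stored.items() if h in PRECOMPUTED}

def new_record(password, iterations=100_000):
    """Salted storage: a random per-user salt plus a deliberately slow KDF."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": dk}

def verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             record["salt"], record["iterations"])
    return hmac.compare_digest(dk, record["hash"])

# Constructed sample accounts; two of them share a weak password.
USERS = {"alice": "password", "bob": "password", "carol": "long unrelated passphrase 42"}

def demo():
    weak = {u: sha1_hex(p) for u, p in USERS.items()}
    strong = {u: new_record(p) for u, p in USERS.items()}
    return weak, strong

if __name__ == "__main__":
    weak, strong = demo()
    print("identical unsalted hashes:", weak["alice"] == weak["bob"])
    print("found in precomputed table:", exposed_accounts(weak))
    print("identical salted hashes:", strong["alice"]["hash"] == strong["bob"]["hash"])
    print("salted login still verifies:", verify("password", strong["alice"]))
```

With unsalted storage, every account sharing a password shares a digest, so one table hit exposes all of them; with per-user salts the two identical passwords store different values and a generic precomputed table no longer applies.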
 
Assuming LinkedIn knows what it compromised, in their notice blog they state that you should have received at least one e-mail notification from them if your password was compromised.

The LastPass seems an interesting option to check but not sure if I would want to test a password (even if it is no longer valid) yet on another site.
 
If I steal the sha-1/md5 database that has username, hash pairs (e.g. nsxotic911, 5baa......ee68fd) - all I do is look it up in the rainbow table.

Depends... I haven't used rainbow tables in years, but if I remember right, mine was close to 1TB and I think it only went to 5 characters. I think the biggest rainbow tables ever made goes to 7 characters. The larger you go, the time it takes to compute goes up exponentially. If you used a passphrase, they'll N E V E R break it. Not in our lifetime.

My point is simply, MD5 is the norm and in no way 'bad'.
I would bet less than 10% of websites use a salt.


.
 
Assuming LinkedIn knows what it compromised, in their notice blog they state that you should have received at least one e-mail notification from them if your password was compromised.

The LastPass seems an interesting option to check but not sure if I would want to test a password (even if it is no longer valid) yet on another site.


You're not testing a password. All that you're testing is a particular string (such as nsxprime or password) and the corresponding MD5 and SHA-1 hash that IS CONSISTENT across all systems that use MD-5 & SHA-1 without a salt.

You're not giving away your 'password' unless you're also giving them your username which make up the 'credentials'. In order to access an account, you need the credentials - both username and password. If all I have is your password, if I go and type it in to the 'password' field, I don't automatically log in as you. I have to know the account that the password is associated with. In order to figure out who the password is associated with, I would have to try all possible username combinations. That's a lot of millions of users.

A different way to put it is this. If I find 'the key' to your house, it is useless unless I know WHO and WHERE you live and what lock it applies to. Effectively, I'd have to test out all the locks which are installed for that manufacturer.

Does that make sense?
 
Depends... I haven't used rainbow tables in years, but if I remember right, mine was close to 1TB and I think it only went to 5 characters. I think the biggest rainbow tables ever made goes to 7 characters. The larger you go, the time it takes to compute goes up exponentially. If you used a passphrase, they'll N E V E R break it. Not in our lifetime.

My point is simply, MD5 is the norm and in no way 'bad'.
I would bet less than 10% of websites use a salt.

.

MD5 is decent after 5 or so character sets, as there are some cryptographic attacks that hinder its security overall. Before that, as you point out, it is useless.
 
You're not testing a password. All that you're testing is a particular string (such as nsxprime or password) and the corresponding MD5 and SHA-1 hash that IS CONSISTENT across all systems that use MD-5 & SHA-1 without a salt.

You're not giving away your 'password' unless you're also giving them your username which make up the 'credentials'. In order to access an account, you need the credentials - both username and password. If all I have is your password, if I go and type it in to the 'password' field, I don't automatically log in as you. I have to know the account that the password is associated with. In order to figure out who the password is associated with, I would have to try all possible username combinations. That's a lot of millions of users.

A different way to put it is this. If I find 'the key' to your house, it is useless unless I know WHO and WHERE you live and what lock it applies to. Effectively, I'd have to test out all the locks which are installed for that manufacturer.

Does that make sense?



I am not the techie type, and that is one reason why I don't quickly grasp such info or jump into all the hypes associated with a new venture.

So let me take your example, if I use the password test on LastPass from my IP address, how difficult is it to track who I am from all the other posts/forums that I subscribe with my real name? I bet if someone wants to hack it, it would take less than .........
 
You can use this to see if the hash / password was stolen:
https://lastpass.com/linkedin/

I tried the lastpass checker and it came back with:

"the SHA-1 hash of your password is: {character string}

Your password was one of the ones that was compromised.

We strongly recommend that you follow our recommendations above and immediately change your LinkedIn and related passwords!!
"

Assuming LinkedIn knows what it compromised, in their notice blog they state that you should have received at least one e-mail notification from them if your password was compromised.

I didn't receive an email from LinkedIn, and the blog entry states "Members that have accounts associated with the compromised passwords will notice that their LinkedIn account password is no longer valid." Yet I was able to log in with my old/unchanged password. Who is BS'ing me here?

My LinkedIn password is unique thankfully, and I went ahead and changed it.
 
LinkedIn is probably 'bs'ng' you here, in that, they don't [yet, if truly ever] understand the full scale of the leak. I wouldn't be surprised if it was more than 6.5 million too. It's just that 6.5 million were released.

Notice that LinkedIn does not specify how many, or an approximate number as other responsible disclosures do, probably because the number is higher, or they simply don't know the extent of the breach.
 