
LinkedIn Password Hashes Leaked Online

Unknown Lamer posted about 2 years ago | from the at-least-they-weren't-plain-text dept.

Security 271

jones_supa writes "A user in a Russian forum is claiming to have hacked LinkedIn to the tune of almost 6.5 million account details. The user uploaded 6,458,020 SHA-1 hashed passwords, but no usernames. Several people have said on Twitter that they found their real LinkedIn passwords as hashes on the list. The Verge spoke with Mikko Hyppönen, Chief Research Officer at F-Secure, who thinks this is a real collection. He told us he is 'guessing it's some sort of exploit on their web interface, but there's no way to know.' We will have to wait for LinkedIn to report back to be sure what exactly has happened." An anonymous reader tipped us to related news: The LinkedIn iOS application harvests information from your calendar and transmits it to their servers unencrypted.

271 comments

Barbarians! (-1)

Anonymous Coward | about 2 years ago | (#40231883)

Rape the land!

Re:Barbarians! (0, Offtopic)

Anonymous Coward | about 2 years ago | (#40232301)

Disgraceful. Just because someone uses iOS or other Apple products does not mean they're a barbarian!

It's not an exploit, it's a feature! (5, Funny)

fuzzyfuzzyfungus (1223518) | about 2 years ago | (#40231887)

Haven't you always wanted to forge closer ties with the dynamic marketing and legal-arbitrage entrepreneurs at the Russian Business Network? Now, LinkedIn is proud to announce your exciting, and mandatory, chance to do just that!

Re:It's not an exploit, it's a feature! (0, Informative)

Anonymous Coward | about 2 years ago | (#40232013)

As this thread will probably turn into a bitch-fest against LinkedIn, I'll start.

LinkedIn are no better than dirty spammers.

I was getting constant "buy our carpet" emails from LinkedIn, by one of their users.

After complaining through the correct channels to LinkedIn, I was told it's their function to allow users of their site to communicate with each other. Fine, until you realise I'm not a user of their site; never have been, never will be. This fact was lost on them.

LinkedIn honestly thought they were doing me a favour by letting me know about "cheap carpets".

Did they ban the spammer? Did they bollocks.

Eventually they placed my email addresses on their block list.

LinkedIn are dirty spammers.

Re:It's not an exploit, it's a feature! (1)

Anonymous Coward | about 2 years ago | (#40232319)

How do you know the email originated from LinkedIn? Because it looked like it?

Re:It's not an exploit, it's a feature! (5, Interesting)

SternisheFan (2529412) | about 2 years ago | (#40233119)

I applied for a job earlier this year, and the pool company rejected my 'text format' resume, insisting on a resume submitted via Linked In. The last thing I wanted to do was have to join some social network just to get a job. I lived 10 minutes away from the home office of the job and offered to meet to interview and hand them a hard copy resume. No dice, it had to be done by this Linked In. Now, after reading this news, I know it was the right decision. This internet sure has gotten wacky.

Plain text (5, Funny)

Anonymous Coward | about 2 years ago | (#40231913)

This sort of vulnerability is exactly why I avoid storing passwords in hash form. I always store passwords in plain text form. It's much more secure.

Re:Plain text (4, Funny)

fuzzyfuzzyfungus (1223518) | about 2 years ago | (#40231995)

This sort of vulnerability is exactly why I avoid storing passwords in hash form. I always store passwords in plain text form. It's much more secure.

Y'know what fools the black-hats every time? Store the passwords in plaintext; but require all users to create a password consisting of exactly 64 hexadecimal characters... Even better, we all know that users hate security, so more user hatred = more secure. And this system is Super Secure.

Re:Plain text (4, Funny)

vlm (69642) | about 2 years ago | (#40232061)

Won't work, local policy prevents repeated numbers, and letters must be a mix of upper and lower case, and no sequential numbers. (I only wish I were kidding)

Re:Plain text (2)

PeterKraus (1244558) | about 2 years ago | (#40232141)

Here we have all that, but only 6-8 characters, out of which exactly one is a capital letter and exactly two are numbers....

The IT is outsourced to India. I'm at work for a week and a half, and they didn't manage to give my account permissions to use Excel and Word. This way, I have to use my boss's account whenever I need to do a more complicated spreadsheet than Google Docs allows me to...

Re:Plain text (1)

Ken D (100098) | about 2 years ago | (#40232223)

And no numbers that could be letter substitutes.
So no 0,1,2,3,4,5,6,7,8 or 9 is allowed. You must include numbers not in this set. (Also please remember that NaN is not a number and thus does not satisfy the numeric requirement).

Re:Plain text (0)

Anonymous Coward | about 2 years ago | (#40232513)

10 is a number, too.
And it's not in the aforementioned set.

Re:Plain text (1)

sudonymous (2585501) | about 2 years ago | (#40232627)

Actually, NaN IS a number... a number that claims it's not a number!

< typeof NaN
> "number"

Also, is anyone else suddenly aware of how dumb the word "number" is? "number".

linked tweet in dutch? (0)

Anonymous Coward | about 2 years ago | (#40231937)

I should start to learn dutch if I want to read what people are saying in Twitter

Password changed (0)

Anonymous Coward | about 2 years ago | (#40231947)

Password changed and I don't use iOS. I'm all good... until next time. :P

Re:Password changed (3, Interesting)

Anonymous Coward | about 2 years ago | (#40231975)

Password changed and I don't use iOS. I'm all good... until next time. :P

Well, as long as the source of the leak is unknown, how do you know they cannot access your new password?

Re:Password changed (3, Interesting)

TheLink (130905) | about 2 years ago | (#40233229)

If the hackers have great control of the site, just logging in to the site could give them access to your password _plaintext_.

So use different passwords for different sites.

The actual list (0)

Anonymous Coward | about 2 years ago | (#40231953)

So where's the actual list?

Re:The actual list (1)

jones_supa (887896) | about 2 years ago | (#40232541)

I (the submitter) also wondered where this Russian forum that is being talked about around the Internet is.

Could someone please look up my password for me? (1)

vlm (69642) | about 2 years ago | (#40231957)

I haven't logged into linkedin for so long that I don't remember my password anymore.
And I blocked emails from *@linkedin.com as spam, because, well, they're basically all spam. I can't be bothered to unblock and do email based password recovery.
Could some Russian friend please look up my password for me, and reply back?
K thx bye

Re:Could someone please look up my password for me (5, Funny)

Anonymous Coward | about 2 years ago | (#40232019)

Greetings comrade,
Try the following password: 12345
Sincerely Boris

Re:Could someone please look up my password for me (4, Funny)

vlm (69642) | about 2 years ago | (#40232087)

Thank you Boris, but that is my luggage combination, not my linkedin password.
Admittedly my luggage is more important to me than my linkedin account, but...

Re:Could someone please look up my password for me (1)

Anonymous Coward | about 2 years ago | (#40232267)

Sorry comrade,
Password file is big...
Have you tried rebooting your luggage?
Sincerely Boris

Re:Could someone please look up my password for me (0)

Anonymous Coward | about 2 years ago | (#40232039)

hunter42

Re:Could someone please look up my password for me (1)

vlm (69642) | about 2 years ago | (#40232209)

Just like Shakespeare is better when read in the original Klingon, that's funnier in the original TDWTF ... the password is hunter forty two pound... No not the octothorpe sign, pound sign!

Re:Could someone please look up my password for me (0)

DogDude (805747) | about 2 years ago | (#40233351)

Wow. You are cool. Why did you sign up in the first place, Einstein?

SALT YOUR HASHES! (1)

Anonymous Coward | about 2 years ago | (#40231961)

I mean, seriously. This is something that has been known since, what, the time of Robert H. Morris?

Re:SALT YOUR HASHES! (0)

Anonymous Coward | about 2 years ago | (#40232535)

Agreed, using hashes but not salting them is like making a car more secure with airbags that don't inflate.

Re:SALT YOUR HASHES! (2)

rvw (755107) | about 2 years ago | (#40232857)

I mean, seriously. This is something that has been known since, what, the time of Robert H. Morris?

Salt has to be added after it's hashed. Then it tastes better.

So what? (1)

liquidweaver (1988660) | about 2 years ago | (#40231967)

What are you going to do with millions of password hashes, even without usernames nonetheless?

Re:So what? (5, Insightful)

DocSavage64109 (799754) | about 2 years ago | (#40232025)

If he has the password hash, then he most likely also has the username. He just didn't share them with the rest of the world and is likely trying to sell them.

Re:So what? (-1)

Anonymous Coward | about 2 years ago | (#40232115)

Idiot. How do you people remember to breathe? The guy has the user names too, he just didn't leak them.

Re:So what? (1)

vlm (69642) | about 2 years ago | (#40232247)

What are you going to do with millions of password hashes, even without usernames nonetheless?

I've occasionally daydreamed a fun academic paper would be to collect sets of password hashes, rub them up against a rainbow table, and make graphs and correlations and wild assumptions about the correlation coeff of IQ and rate of easily cracked pwd vs site etc etc. Sounds like fun so it's probably been done before.

Re:So what? (5, Insightful)

cryptizard (2629853) | about 2 years ago | (#40232437)

People use these kinds of leaks to generate statistically sorted dictionary files for password breaking. The most commonly used (in the real world, as evidenced by these leaked databases) passwords are put at the front so you try all the more likely ones before moving on to the random guessing.

Re:So what? (2)

cryptizard (2629853) | about 2 years ago | (#40232455)

Replying to myself, in this case you can only get information about passwords that you are actually able to break (i.e. the easy ones), but it can also be useful as an academic analysis of password complexity in real applications.

Re:So what? (2)

chill (34294) | about 2 years ago | (#40232545)

LinkedIn uses e-mail addresses as usernames. Getting access to a crapload of valid e-mail addresses to test against is trivial.

Colour me surprised! (5, Interesting)

rogueippacket (1977626) | about 2 years ago | (#40231971)

If you install any app on your mobile device - especially those which thrive off of your data - don't be surprised if it's actually siphoning it off in the background. If groups like Facebook and LinkedIn simply wanted you to access the service remotely, they would just stick to HTML5. Instead, apps give them unfettered access to your contacts, calendar, location, and everything else on your personal device, regardless of platform.
Just remember, it has never been about convenience to the user, and always profitability to the provider.

Re:Colour me surprised! (4, Insightful)

fuzzyfuzzyfungus (1223518) | about 2 years ago | (#40232083)

The surprising thing is not that Social 2.0 Mobile Enterprise BuzzCloud App-centric bullshit is shoving everything that it can get its sticky little fingers on to every 3rd party with questionable security and a dire privacy policy that it can find; but that they seem to be so incompetent at it.

Exfiltrating the data in the clear is certainly easy enough (luckily 'mobile' frequently means 'even if I were competent enough, my crypto-crippled appliance wouldn't let me control outbound traffic anyway') but it makes it likely that, sooner or later, somebody is going to sniff some packets at their router and we'll get a little story about exactly how much exfiltration your ghastly little app is doing.

It's like corruption. Even when everybody knows that it is happening, it is still considered crass to get caught with your hand in the cookie jar. You are supposed to pretend to care.

Re:Colour me surprised! (1)

DogDude (805747) | about 2 years ago | (#40232233)

Android and Apple phones do that. Windows phones keep the apps sandboxed.

Re:Colour me surprised! (1)

markkezner (1209776) | about 2 years ago | (#40232607)

Android and iOS both have permissions and protections in place to prevent apps from accessing personal data such as Contacts and Location. Although there have been incidents of breaches, the protections work most of the time. Android also sandboxes the apps, and although I'm not 100% sure I believe that iOS does so as well.

What is it about the Windows Phone implementation specifically that is so different and presumably better?

A New Euphemism! (5, Funny)

Rob Riggs (6418) | about 2 years ago | (#40232035)

"Harvested" -- I love it!

"Bernie Madoff harvested money from his investors."

"H.I. harvested diapers from the convenience store."

"LinkedIn harvested private data from my phone."

They're doing you a favor by "harvesting". Because it's not doing anyone any good if it remains "unharvested".

Re:A New Euphemism! (0)

Anonymous Coward | about 2 years ago | (#40232153)

"I need to harvest my Farmville farms."

Re:A New Euphemism! (0)

Anonymous Coward | about 2 years ago | (#40232163)

Yup, I have the exact same sentiments when it comes to "organ harvesting." These aren't crops, you fudgepackers!

Re:A New Euphemism! (2, Informative)

Anonymous Coward | about 2 years ago | (#40232253)

harvest
[hahr-vist]
noun
1. Also, harvesting. the gathering of crops.
2. the season when ripened crops are gathered.
3. a crop or yield of one growing season.
4. a supply of anything gathered at maturity and stored: a harvest of wheat.
5. the result or consequence of any act, process, or event: The journey yielded a harvest of wonderful memories.
verb (used with object)
6. to gather (a crop or the like); reap.
7. to gather the crop from: to harvest the fields.
8. to gain, win, acquire, or use (a prize, product, or result of any past act, process, plan, etc.).
9. to catch, take, or remove for use: Fishermen harvested hundreds of salmon from the river.

Re:A New Euphemism! (0)

Anonymous Coward | about 2 years ago | (#40233095)

Bend over and I'll harvest you.

Re:A New Euphemism! (2)

Ksevio (865461) | about 2 years ago | (#40233117)

You can also use "leaked" in the reverse sense!

"Investors leaked money to Bernie Madoff"

"The convenience store leaked diapers to H.I."

"My phone leaked private data to LinkedIn"

broken glass all over the road (5, Insightful)

Anonymous Coward | about 2 years ago | (#40232049)

As an IT/security guy reading about these seemingly constant ongoing password change requests, I can't help but think that the problem lies not only with how many special characters we're using in our passwords, or whether or not we're using our pet's name, but more so in how the infrastructures of all of these magically utopian social networks are storing this information. Correct me if I am wrong, but haven't the majority of the recent problems that have forced us all to change our passwords, whether it is LinkedIn, World of Warcraft or whatever, been due to leaks from the back-end, not poor Johnny at the keyboard giving it to Ivan the hacker (no offense to the real Ivans or Johnnys)? Kind of like having to keep replacing the car tires because the roads are made of broken glass. It's not my fault, but I have to suffer. It would seem we need to put more PCI/SOX/whatever-like standards in place to better protect and mandate how our information is stored as more and more encouragement is put in place to unzip our metaphorical zippers online.

And for the record, I am not an anonymous coward, but I forgot my password and my email isn't the same as it was 8+ years ago when I set up my slashdot account...

ignorance is bliss in this case :)

Re:broken glass all over the road (4, Insightful)

fuzzyfuzzyfungus (1223518) | about 2 years ago | (#40232109)

Are you suggesting that power should be accompanied by responsibility?

Why do you hate America, you godless communist?

Re:broken glass all over the road (0)

Anonymous Coward | about 2 years ago | (#40232305)

Well said!

But yes... even more than responsibility though is common sense. I know, I know, lowest common denominator and all that, but come on. Why must we hang truck nuts on everything we touch?

I thought we renamed it to Amercia?

Re:broken glass all over the road (1)

AbRASiON (589899) | about 2 years ago | (#40232861)

I really hate to link xkcd but they are on the money with this one.
http://xkcd.com/936/ [xkcd.com]

I'm getting tired of having to have ridiculous passwords, now I'm just either ALWAYS making the first character an uppercase because it's easier, or doing quick pattern based passwords for the ultra fussy systems.
123qwe!@#QWE - that's surprisingly quick to input yet keeps those stupid systems quiet.

So the real question is how secure is SHA 1 then (4, Interesting)

Sir_Sri (199544) | about 2 years ago | (#40232093)

This would seem to raise two questions. The first is whether or not usernames can be tied to their corresponding hash. Even if they can't, that's not a hugely difficult problem to overcome though.

The more serious question is how good is SHA 1 then. A database like this (a table of hashes) is what you'd expect someone could hack from a reasonably secure system (although you would have wanted to see some salting as well as hashing but either way). Having a hash of a password doesn't mean you can regenerate the password. If your password is subject to a simple dictionary attack then sure it can be regenerated, you're pretty much doomed, but you're not much more doomed than you were before. A strong password... now that's where this gets interesting. The question is whether or not there are vulnerabilities in SHA 1 that will let you regenerate good passwords (or even bad passwords that aren't dictionary attacks).

If you had a strong password, and SHA 1 is robust enough you could die of old age before anyone manages to figure it out. If SHA 1 has meaningful holes in it... well that's not so good.

Also, linkedin has 160 million users (or at least accounts) if not more than that. So their full database would be significantly larger than this. It will be interesting to know if this is a particular subset of the data (all iOS users, all android 2.3.2 users, all chrome users, that sort of thing) or something else. Purely hypothetically this could be all of the really early linked in users that haven't changed passwords since they implemented SHA 2 if they ever did for example, or it could be a particular version of the website fails.

People on twitter finding their password doesn't mean a whole lot, unless you know the password was strong and unique, and where those users are from, and when they joined linkedin.

Re:So the real question is how secure is SHA 1 the (2)

jrumney (197329) | about 2 years ago | (#40232295)

How strong strong passwords are doesn't really matter. Enough people on linkedin will have weak passwords that spammers will be queuing up to get their hands on a new "trusted" delivery mechanism for their wares.

Re:So the real question is how secure is SHA 1 the (1)

mtinsley (1283400) | about 2 years ago | (#40232473)

There is no real risk of someone deriving a plain text password from a SHA1 hash (a preimage attack). There are concerns about SHA1 being vulnerable to a collision attack, but that isn't a problem for password hashing. The real concern when it comes to password hashing is speed. A fast hashing algorithm means it is easier to perform brute force searches. Of course, in order to perform a brute force or dictionary attack you need to know exactly how the hashes were generated. That means you need to know the algorithm, the salt (assuming one is used) and the number of rounds. If all you have is a list of hashes then you most likely won't accomplish anything.

Re:So the real question is how secure is SHA 1 the (0)

Anonymous Coward | about 2 years ago | (#40232567)

The LinkedIn passwords are unsalted. We know the algorithm (SHA1) and the number of rounds. So now all someone has to do is run a dictionary attack. The stronger the password, the longer the dictionary attack will take to find it, but eventually....

Re:So the real question is how secure is SHA 1 the (1)

Bengie (1121981) | about 2 years ago | (#40232885)

I don't use SHA1

Pseudo-code:
PasswordHash = SHA512(MergeArray(txtPassword.GetBytes(),Salt[]))
Where Salt[] is a Cryptographic.RNG.GetBytes(32), which is stored in the DB and generated new every time the password is set.

Re:So the real question is how secure is SHA 1 the (1)

Sir_Sri (199544) | about 2 years ago | (#40233103)

Nor should you.

That was my point with the blurb as to whether or not this might be a specific problem. Linkedin has been around since 2003; it's not inconceivable that they would have used SHA 1 in 2003, or in some countries for some circumstances etc.

Database itself (1)

Anonymous Coward | about 2 years ago | (#40232111)

For the moment, you can get the database here:

        https://disk.yandex.net/disk/public/?hash=pCAcIfV7wxXCL/YPhObEEH5u5PKPlp%2BmuGtgOEptAS4%3D

Surely it will soon find its way into other filesharing sites and torrents, if they take it down from above.

This is the famous iPad HTML5 app, right? (1)

Lisandro (799651) | about 2 years ago | (#40232137)

The LinkedIn iPad app is supposedly 95% HTML5 [venturebeat.com]. Makes me wonder how suitable it is as a "platform" handling sensitive data.

Analysis... (1)

patniemeyer (444913) | about 2 years ago | (#40232157)

I don't know how LinkedIn's login APIs work, but if they use secure user/pass logins and store authentication tokens on the client side as is good practice then in theory exposing these server side generated hashes wouldn't really compromise the system. The problem is that SHA-1 has been broken :( So in theory someone could reverse these and get plaintext passwords and salts or whatever is in them.

This is one reason you don't send password hashes over the network...

Re:Analysis... (0)

Anonymous Coward | about 2 years ago | (#40232369)

The problem with hashes is that they can be bruted. It doesn't matter if the algorithm used to create the hashes is secure or not, anyone with enough time on their hands can brute the password. The only defenses (assuming a secure hashing algorithm) are (1) keeping the hashes secret and (2) using a sufficiently complex password to make brute forcing uneconomical.

And, it also helps to use unique passwords for each website, so that if your password is revealed on one website, it cannot be used on other websites.

Re:unique passwords for each website (1)

presidenteloco (659168) | about 2 years ago | (#40232711)

And of course don't forget to store all your unique passwords that you have no hope of remembering in a plain-text file on your laptop and your smartphone, as well as on that piece of lined paper in the top drawer of your dresser.

Re:Analysis... (1)

Anonymous Coward | about 2 years ago | (#40232781)

Salting. Look, here's what salting does for you. Suppose you have an unsalted password. You can generate a rainbow table like this:

Imagine that the maximum length of the password is l characters, and that there are 95 characters that are permissible in passwords

import hashlib, itertools, string
rainbow = dict()
for n in range(1, l + 1):                                   # every length up to the maximum l
    for chars in itertools.product(string.printable[:95], repeat=n):   # 95**n candidates of length n
        i = "".join(chars)
        rainbow[hashlib.sha1(i.encode()).hexdigest()] = i   # hash -> password, so a leaked hash can be looked up

Without a salt, you can use one rainbow table as a dictionary for any password to hash combination.

If you salt with the username, even if you interpret Kerckhoffs' principle as meaning that the attacker knows the userlist (if, e.g., they have the passwd file), now the attacker has to do this:

userlist = [username1,username2,username3,...]
rainbow = dict()
for username in userlist:
    for n in range(1, l + 1):
        for chars in itertools.product(string.printable[:95], repeat=n):   # 95**n candidates per length, per user
            i = "".join(chars)
            rainbow[hashlib.sha1((username + i).encode()).hexdigest()] = (username, i)

In other words, Eve/Evan still has to build a rainbow table FOR EACH KNOWN SALT VALUE.
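The per-record random salt that Bengie's pseudo-code and the comment above describe, as an added example in Python rather than anyone's posted code. It substitutes PBKDF2-HMAC-SHA512 (the PKCS #5 v2.0 derivation another comment in this thread points to) for a single SHA-512 pass, so the iteration count is stored with the salt; the two users, their passwords, the tiny lookup table and the 100,000-iteration work factor are all constructed for the demo.

```python
import hashlib
import hmac
import os

# Assumed work factor for the demo; a real deployment tunes this to its hardware.
ITERATIONS = 100_000


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a storable record: fresh 32-byte random salt (unless one is supplied),
    the iteration count, and the PBKDF2-HMAC-SHA512 output over password + salt."""
    if salt is None:
        salt = os.urandom(32)  # new salt every time the password is set, never shared between users
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify_password(password, record):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


def unsalted_sha1(password):
    """The storage the thread is criticising: one unsalted SHA-1, hex encoded."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def precomputed_table_hits(table, stored_hashes):
    """How many stored hashes a single precomputed hash -> password table resolves."""
    return sum(1 for h in stored_hashes if h in table)


def demo():
    """Two constructed users with the same weak password, stored both ways."""
    users = {"alice": "linkedin", "bob": "linkedin"}
    # A lookup table built once, with no knowledge of any user or salt.
    table = {unsalted_sha1(p): p for p in ["password", "secret", "linkedin", "123456"]}

    unsalted = [unsalted_sha1(p) for p in users.values()]
    salted = {u: hash_password(p) for u, p in users.items()}

    return {
        # Same password -> same unsalted hash, and the table resolves both at once.
        "unsalted_identical": unsalted[0] == unsalted[1],
        "unsalted_hits": precomputed_table_hits(table, unsalted),
        # Different salts -> different records, and the precomputed table is useless.
        "salted_identical": salted["alice"]["hash"] == salted["bob"]["hash"],
        "salted_hits": precomputed_table_hits(table, [r["hash"].hex() for r in salted.values()]),
        "alice_verifies": verify_password("linkedin", salted["alice"]),
        "alice_wrong_case": verify_password("Linkedin", salted["alice"]),
    }


if __name__ == "__main__":
    print(demo())
```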

Linkedin - Sleaze pit (0)

Anonymous Coward | about 2 years ago | (#40232283)

There's plenty to like about a social networking site that caters to business communication. There are already lots of pre-internet business networking institutions (Local chambers of commerce, golf games, etc) .. The unspoken downside is that the "business of business" attracts a lot of amoral individuals looking to make a buck. Linkedin offers a degree of depersonalization and quick access that is ripe for exploit. I've never had any interaction with Linkedin that didn't leave me wanting to take a shower. I don't know if I admire or despise the individuals whose job it is to deal with this crap day in and day out.

More fun from placing your personal life online (-1)

Anonymous Coward | about 2 years ago | (#40232317)

What makes you kids all think you're celebrities? Now get off my lawn!

Social Engineering (0)

Anonymous Coward | about 2 years ago | (#40232411)

"he is 'guessing it's some sort of exploit on their web interface, but there's no way to know.' "

Wrong and wrong?

Last week I saw 7 phishing emails within 30 minutes for LinkedIn hit my corporate email in less than 30 minutes. The first of which came from a .ru address.

Nazi policies make cracking EASIER (1)

RobertLTux (260313) | about 2 years ago | (#40232451)

I think a sane password policy would be

1 between 6 and 16 characters
2 case sensitive (but don't actually REQUIRE mixed case)
3 allow the full Latin-1 character set (with a limited number of excluded characters)
4 no dictionary words
5 encourage but don't require numbers and symbols
6 no reusing passwords
7 limit password changes to N a month (with further changes being done at the IT office).

but all these multi clause policies reduce the number of possible passwords (could somebody run the math on my suggestion and the most common Nazi set??)

Re:Nazi policies make cracking EASIER (1)

Infernal Device (865066) | about 2 years ago | (#40232599)

And then your users will all use 'password1', 'password2', 'password3' or some variant thereof every time they change their password, IF they change their password.

Unfortunately, sometimes that's just what you get stuck with.

Random seed (1)

wave9x (2625231) | about 2 years ago | (#40232529)

It is a bit shocking that LinkedIn stores a simple hash of the password. Passwords can then be discovered by using a hash dictionary. A better approach would be to generate a random seed and combine the seed with the password to generate the hash, and store the seed with the hash. Then hash dictionary attacks become impossible.

Re:Random seed (1)

MrAngryForNoReason (711935) | about 2 years ago | (#40233149)

A better approach would be to generate a random seed and combine the seed with the password to generate the hash, and store the seed with the hash.

What you are describing is basically salted hashes. You have a salt that you add to the password before you hash it. Normally the same salt is used for every password. This sounds less secure than what you describe as an attacker could generate one hash dictionary to attack all of the hashes but only using one salt means that you don't need to store them in the database with the hashes. This gives an extra level of security as an attacker who only has access to the database doesn't get the salt along with all of the hashes.

Re:Random seed (0)

Anonymous Coward | about 2 years ago | (#40233371)

In other words, do it the way they teach you in any decent undergraduate security course? :)

easy solution (1)

ch-chuck (9622) | about 2 years ago | (#40232561)

Sign in, change passwd, sign out. Now only 6,458,019 valid hashes, and likely much less.

Re:easy solution (1)

SuiteSisterMary (123932) | about 2 years ago | (#40232691)

Don't forget to change the password on all the other accounts with the same password on various websites and services that you use.

Re:easy solution (0)

Anonymous Coward | about 2 years ago | (#40233097)

Easier solution: account deleted. I never got any use out of the damn thing anyway.

Information security standards? (3, Insightful)

Wrath0fb0b (302444) | about 2 years ago | (#40232631)

In cases like these, I feel like whoever is in charge of security over there needs to be held responsible for not following best practices and salting the damn password hashes. This has been security standard since PKCS #5 v2.0 [wikipedia.org] -- and you know security professionals don't publish these standards just for their own health. And this is not a newfangled thing, it was finalized in 2000 [ietf.org], 12 years ago.

Failure to do so is malpractice ...

Hashes list link (5, Informative)

xded (1046894) | about 2 years ago | (#40232643)

http://www.mediafire.com/?n307hutksjstow3

When checking for your password, check both for its SHA-1 hash and for the SHA-1 hash with the first five chars zeroed. Quoting [ycombinator.com]:

Some observations on this file:

0. This is a file of SHA1 hashes of short strings (i.e. passwords).

1. There are 3,521,180 hashes that begin with 00000. I believe that these represent hashes that the hackers have already broken and they have marked them with 00000 to indicate that fact.

Evidence for this is that the SHA1 hash of 'password' does not appear in the list, but the same hash with the first five characters set to 0 is.

5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 is not present
000001e4c9b93f3f0682250b6cf8331b7ee68fd8 is present

Same story for 'secret':

e5e9fa1ba31ecd1ae84f75caaa474f3a663f05f4 is not present
00000a1ba31ecd1ae84f75caaa474f3a663f05f4 is present

And for 'linkedin':

7728240c80b6bfd450849405e8500d6d207783b6 is not present
0000040c80b6bfd450849405e8500d6d207783b6 is present

2. There are 2,936,840 hashes that do not start with 00000 that can be attacked with JtR.

3. The implication of #1 is that if checking for your password and you have a simple password then you need to check for the truncated hash.

4. This may well actually be from LinkedIn. Using the partial hashes (above) I find the hashes for passwords linkedin, LinkedIn, L1nked1n, l1nked1n, L1nk3d1n, l1nk3d1n, linkedinsecret, linkedinpassword, ...

5. The file does not contain duplicates. LinkedIn claims a user base of 161m. This file contains 6.4m unique password hashes. That's 25 users per hash. Given the large amount of password reuse and poor password choices it is not improbable that this is the complete password file. Evidence against that thesis is that password of one person that I've asked is not in the list.
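One way to run the check xded describes (look for the full SHA-1 and for its 00000-prefixed form), written as an added example; it is not xded's or the quoted commenter's code. The dump text is a constructed stand-in built from the three zeroed hashes quoted above plus one unmarked hash, not the real file, and the 'present'/'cracked'/'absent' labels are this example's own.

```python
import hashlib


def sha1_hex(password):
    """Unsalted SHA-1 of the password, hex encoded, as in the leaked file."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def zeroed(h):
    """The marking convention observed above: the first five hex characters set to 0."""
    return "00000" + h[5:]


# Constructed stand-in for the dump: the three zeroed hashes quoted above
# (SHA-1 of 'password', 'secret' and 'linkedin' with the prefix zeroed), a blank
# line to show the parser skipping it, and one unmarked hash for the passphrase
# from the xkcd strip linked elsewhere in this thread.
SAMPLE_DUMP = "\n".join([
    "000001e4c9b93f3f0682250b6cf8331b7ee68fd8",
    "00000a1ba31ecd1ae84f75caaa474f3a663f05f4",
    "0000040c80b6bfd450849405e8500d6d207783b6",
    "",
    sha1_hex("correct horse battery staple"),
]) + "\n"

HEX = set("0123456789abcdef")


def load_dump(text):
    """Read one 40-character hex SHA-1 per line into a set; ignore blank or malformed lines."""
    hashes = set()
    for line in text.splitlines():
        line = line.strip().lower()
        if len(line) == 40 and set(line) <= HEX:
            hashes.add(line)
    return hashes


def check_password(password, dump):
    """Classify a password against the dump.

    'present' - its full SHA-1 is in the file (listed, not marked as broken)
    'cracked' - only the zeroed form is in the file (marked as already broken)
    'absent'  - neither form is in the file
    The full hash is tested first: about one hash in 2**20 already begins with
    00000, and for such a password the two forms are the same string.
    """
    h = sha1_hex(password)
    if h in dump:
        return "present"
    if zeroed(h) in dump:
        return "cracked"
    return "absent"


def summarize(dump):
    """Count marked (00000-prefixed) versus unmarked hashes, as in points 1 and 2 above."""
    marked = sum(1 for h in dump if h.startswith("00000"))
    return {"marked": marked, "unmarked": len(dump) - marked}


if __name__ == "__main__":
    dump = load_dump(SAMPLE_DUMP)
    print(summarize(dump))
    for pw in ["password", "secret", "correct horse battery staple", "hunter42"]:
        print(pw, "->", check_password(pw, dump))
```

To test a real password against the real file, read the file with load_dump and call check_password locally; the password itself never needs to leave the machine.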

Re:Hashes list link (1)

fincan (989293) | about 2 years ago | (#40233121)

Even if this is the real deal, I don't think this is all the password hash db of linked in, my randomly generated 16+ character password's hash does not exist in this even when substituting the first five chars with zeroes.

Re:Hashes list link (0)

Anonymous Coward | about 2 years ago | (#40233235)

Was this password used 7-8 months ago?

From twitter msgs, that seems to be when the list was stolen.

Re:Hashes list link (0)

Anonymous Coward | about 2 years ago | (#40233189)

I had a look at the file and this (with some other examples) checks out.

I'm seeing a distinct list of passwords i.e. no duplicates. It is therefore possible that this is the complete hash list.

6.5 million distinct passwords for 160 million users?

Re:Hashes list link (1)

_0xd0ad (1974778) | about 2 years ago | (#40233259)

Thanks for that info.

I checked the tail end of the SHA-1 hash of my LinkedIn password; it wasn't in the list, neither zeroed nor in full. I'd already signed into LinkedIn and changed it, so it's moot, but yeah, my password wasn't in the dump.

Re:Hashes list link (0)

Anonymous Coward | about 2 years ago | (#40233299)

I can say that it most likely is not complete, my password does not show up in the hashes.

Re:Hashes list link (0)

Anonymous Coward | about 2 years ago | (#40233317)

Thanks for the info! Both mine and my wife's hashes are in there, one's been cracked, the other not (mine of course).

Delete your Linked In account. (0)

Anonymous Coward | about 2 years ago | (#40232737)

Everyone should do as I did and close their Linked-In account. Companies should be punished for incompetence, and the only way to punish a company that provides a free service is to not use their service anymore.

Just how many nails does the cloud's coffin take? (2)

WOOFYGOOFY (1334993) | about 2 years ago | (#40232767)

Just how many nails does this here cloud's coffin take?

Legally mandated opening EULA clause:

"Your data is no longer private....".

Re:Just how many nails does the cloud's coffin tak (0)

Anonymous Coward | about 2 years ago | (#40233021)

Correct clause: "Your data are ... "

These are not current password Hashes (5, Informative)

Jadeinfosy (960509) | about 2 years ago | (#40232837)

I changed my LinkedIn password a while back (about a month ago or so); my old password shows up in the hash list, not my new password.

oh again (1)

Anonymous Coward | about 2 years ago | (#40232915)

Leakedin, Leakedin
