UPDATE: LinkedIn confirms hacking. Read more here.
A user in a Russian forum is claiming to have hacked LinkedIn to the tune of almost 6.5 million account details. The user uploaded 6,458,020 hashed passwords, but no usernames. It's not clear if they managed to download the usernames, but it's likely that both have been downloaded. There is a possibility that this could be a hoax, but several people have said on Twitter that they found the hashes of their real LinkedIn passwords on the list. Many of the hashes that have already been cracked correspond to passwords containing "linkedin," which adds credence to the claims.
We spoke with Mikko Hypponen, Chief Research Officer at F-Secure, who thinks this is "a real collection." He told us he is "guessing it's some sort of exploit on their web interface, but there's no way to know. I am sure LinkedIn will fill us in sooner or later."
It's worth noting that the passwords are stored as unsalted SHA-1 hashes. SHA-1 is a fast general-purpose hash, not a password hash: a single GPU can test hundreds of millions of candidate passwords per second against it, and because there is no salt, each candidate only has to be hashed once to be checked against all 6.5 million entries at the same time. A salt is a random value, unique to each user, that is stored alongside the hash and combined with the password before hashing; it forces an attacker to hash every guess separately for every user and makes precomputed (rainbow) tables useless. LinkedIn could have made the passwords far more expensive to crack by salting them and by using a deliberately slow password hash such as bcrypt, scrypt or PBKDF2. Even so, a long, genuinely random password will hold up for a while; anything built from a dictionary word, a name or a simple pattern should be assumed cracked already. We've reached out to LinkedIn to determine the accuracy of the claims, but in the meantime, we recommend changing your password just in case.
Update: LinkedIn has just tweeted that it is looking into the matter.
Update 2: LinkedIn has tweeted again, and has been unable to confirm any security breach yet. Given the growing number of users that have found their password in the hashes, that's worrying news.
Update 3: Security researcher Steve Gibson has highlighted a website which will check if your password can be found on the list of stolen hashes. Bear in mind that if you have a common password, a positive result may not mean that your account has been compromised: it only shows that someone on the list used that password. Entering a live password into a third-party site is itself a risk, so check only a password you have already changed.
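As an added example (not code from the article, LinkedIn, or the checker site), the script below shows why the unsalted SHA-1 storage described above is cheap to attack and what the checker in Update 3 is doing. The "leaked" set is a handful of digests constructed inline, not the real dump; the wordlist, user names and iteration count are assumptions for the demo. It contrasts a dictionary attack on unsalted hashes, where one digest per candidate is checked against the whole set, with the same attack on per-user salted PBKDF2 records, where every candidate has to be re-derived for every user.

```python
import hashlib
import hmac
import os


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1, the scheme the leaked list used: same input, same digest, for every user."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Constructed stand-in for the leaked dump (a few digests, not the real 6.5 million).
LEAKED_HASHES = {
    sha1_hex(p)
    for p in ("123456", "linkedin2012", "correcthorsebatterystaple", "Tr0ub4dor&3")
}


def password_in_leak(password: str, leaked=LEAKED_HASHES) -> bool:
    """What a 'was my password leaked?' checker does: hash the input and look it up.
    A hit on a common password only proves that someone used it, not that your account did."""
    return sha1_hex(password) in leaked


def crack_unsalted(leaked, wordlist):
    """Dictionary attack on unsalted hashes: ONE digest per candidate is checked
    against the whole dump, so cost is len(wordlist), independent of user count."""
    found = {}
    digests_computed = 0
    for candidate in wordlist:
        digests_computed += 1
        digest = sha1_hex(candidate)
        if digest in leaked:
            found[digest] = candidate
    return found, digests_computed


# The fix the article describes: a random per-user salt plus a deliberately slow
# key-derivation function. PBKDF2-HMAC-SHA1 is used because it is in the standard
# library; bcrypt or scrypt would be equally appropriate.
ITERATIONS = 10_000  # assumption for the demo; production deployments use far more


def make_salted_record(password: str) -> tuple:
    """Return (salt_hex, derived_key_hex); the salt is fresh and random per record."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, ITERATIONS)
    return salt.hex(), dk.hex()


def verify_salted(password: str, record: tuple) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    salt_hex, dk_hex = record
    dk = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_salted(records: dict, wordlist):
    """Same dictionary attack against salted records: every candidate must be
    re-derived for every user, so cost is len(records) * len(wordlist) * ITERATIONS."""
    found = {}
    sha1_invocations = 0
    for user, record in records.items():
        for candidate in wordlist:
            sha1_invocations += ITERATIONS  # PBKDF2 runs the hash ITERATIONS times per guess
            if verify_salted(candidate, record):
                found[user] = candidate
                break
    return found, sha1_invocations


if __name__ == "__main__":
    wordlist = ["password", "123456", "linkedin", "linkedin2012"]
    print("unsalted:", crack_unsalted(LEAKED_HASHES, wordlist))
    users = {"alice": make_salted_record("123456"), "bob": make_salted_record("123456")}
    print("salted:", crack_salted(users, wordlist))
```

With the unsalted set, four SHA-1 computations recover every weak password in the dump regardless of how many users share it; with salted records, two users who chose the same password get different digests and each costs the attacker a full run of the wordlist at ITERATIONS hashes per guess.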
Thanks, Sponplat!
Comments
That’s annoying. I never change my passwords because I always forget them, but I might have to make an exception.
By Xavdog on 06.06.12 8:38am
If you cannot remember your password use this technique:
Which of the following two passwords is stronger, more secure, and more difficult to crack?
D0g.....................
PrXyc.N(n4k77#L!eVdAfp9
You probably know this is a trick question, but the answer is: Despite the fact that the first password is HUGELY easier to use and more memorable, it is also the stronger of the two! In fact, since it is one character longer and contains uppercase, lowercase, a number and special characters, that first password would take an attacker approximately 95 times longer to find by searching than the second impossible-to-remember-or-type password!
Source: https://www.grc.com/haystack.htm
By SnippetSpace on 06.06.12 8:41am
http://xkcd.com/936/
By sponplat on 06.06.12 8:51am
I love it when an XKCD is actually relevant.
By Xavdog on 06.06.12 8:55am
they got their math wrong but indeed that is the idea :)
By SnippetSpace on 06.06.12 8:56am
If you’re saying that Randall Schwartz got his math wrong in that XKCD, you’re calculating the probability wrong. Schwartz is assuming that there is a 2048-word vocabulary, and that the adversary knows your vocabulary and that your password is a random combination of words from that vocabulary (in other words, he’s applying Kerckhoffs’ principle correctly – the attacker knows the algorithm and the namespace of the key, but not the value of the key). That gives you 2048^4 or (2^11)^4 or 2^44. That “D0g.....................” password? The Kolmogorov complexity of that is equivalent to a 5-byte password; once the attacker knows to try dictionary words with vowels replaced by numerics and with repeated periods at the end, the “strength” of that password becomes much, much lower.
By ptrourke on 06.06.12 1:46pm
Randall Munroe, FYI
By PXT on 06.06.12 2:16pm
In related news: “correct horse battery staple” is now the 3rd most common password online. :)
By Dougplanet on 06.06.12 11:11am
The SHA-1 hash for “correcthorsebatterystaple”, bfd3617727eab0e800e62a776c76381defbc4145 does actually appear in the LinkedIn password leak.
By frumpsnake on 06.06.12 6:36pm
It actually says it wasn’t leaked.
By cortezdelobao on 06.07.12 9:09pm
That's not what the website used to say, but in any event, “CorrectHorseBatteryStaple” does appear as well.
By frumpsnake on 06.08.12 10:27am
Good examples. We should all be aware that passwords should not have personal relevance but do not need to be random. More often than not, passwords are cracked through brute-force and dictionary attacks. Thus, we need to deter the computer, not a human. If anything, your second example just confuses both. Like I said, good examples.
By cmajorbeats on 06.06.12 9:31am
You need to read further down on the page.
“The #1 most commonly used password is "123456", and the 4th most common is "Password." So any password attacker and cracker would try those two passwords immediately. Yet the Search Space Calculator above shows the time to search for those two passwords online (assuming a very fast online rate of 1,000 guesses per second) as 18.52 minutes and 17.33 centuries respectively! If "123456" is the first password that’s guessed, that wouldn’t take 18.52 minutes. And no password cracker would wait 17.33 centuries before checking to see whether "Password" is the magic phrase.”
By rsmith4321 on 06.06.12 9:45am
Not correct. Any brute force password cracker software I’ve seen tries plaintexts in a Markov order rather than alphabetically, so frequently occurring parts like a bunch of dots in a row would fail pretty quickly.
By Castamir on 06.06.12 10:46am
It would still go through all passwords at min char length, then min+1, min+2, etc so the extra security comes from the length. It might fail quicker than the second example but it’s still secure enough that it would take some order of years to brute force.
By EyeCorporations on 06.06.12 10:54am
But then wouldn’t adding a ‘4’ to the end of the second password make it much stronger than the first?
By SmithOSU on 06.06.12 1:02pm
From what I understand, but the question should really be what the cutoff is to determine whether or not a password is “secure enough.”
By EyeCorporations on 06.06.12 3:06pm
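The disagreement in the comments above (the 2048^4 = 2^44 passphrase figure, and whether a padded dictionary word like the "D0g" example falls quickly to a cracker that tries likely patterns before exhausting each length) comes down to which attacker model you assume. The script below is an added example by the editor, not code from any commenter or from GRC, and puts three models side by side: the passphrase entropy, the naive "every string of this length is equally likely" search space, and a rule-based attacker that tries dictionary words with casing, leet substitutions and repeated-symbol padding. The wordlist, substitution map and padding rules are constructed assumptions standing in for a real cracker's rule set; a Markov-ordered cracker, as mentioned above, would order candidates differently but rests on the same idea.

```python
import itertools
import math


# Model A: the xkcd passphrase as described in the comments, four words drawn
# uniformly from a 2048-word list that the attacker also has (Kerckhoffs' principle).
def passphrase_bits(list_size: int = 2048, words: int = 4) -> float:
    return words * math.log2(list_size)  # 4 * 11 = 44


# Model B: the "haystack" view, every string of the same length over the
# printable-ASCII alphabet is equally likely, so only length and alphabet matter.
def haystack_bits(length: int, alphabet: int = 95) -> float:
    return length * math.log2(alphabet)


# Model C: a rule-based attacker who knows people take a dictionary word,
# maybe capitalise it, swap letters for digits, and pad with a repeated symbol.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"}  # constructed, small on purpose
PAD_SYMBOLS = ".!*-_"
WORDLIST = ["cat", "dog", "horse", "battery", "staple", "monkey", "password", "linkedin"]  # constructed


def leet_variants(word: str):
    """Yield the word with every subset of substitutable (lowercase) letters replaced."""
    positions = [i for i, c in enumerate(word) if c in LEET]
    for r in range(len(positions) + 1):
        for subset in itertools.combinations(positions, r):
            chars = list(word)
            for i in subset:
                chars[i] = LEET[chars[i]]
            yield "".join(chars)


def pattern_candidates(wordlist=WORDLIST, max_pad: int = 30):
    """Enumerate word x casing x leet x padding, in the order a rule set would try them."""
    for word in wordlist:
        for cased in (word, word.capitalize(), word.upper()):
            for variant in leet_variants(cased):
                yield variant
                for sym in PAD_SYMBOLS:
                    for k in range(1, max_pad + 1):
                        yield variant + sym * k


def guesses_to_find(target: str, wordlist=WORDLIST, max_pad: int = 30):
    """1-based position of target in the candidate stream, or None if the rules never produce it."""
    for n, cand in enumerate(pattern_candidates(wordlist, max_pad), start=1):
        if cand == target:
            return n
    return None


def compare(target: str) -> dict:
    """Effective strength of one password under each of the three models, in bits."""
    guesses = guesses_to_find(target)
    return {
        "haystack_bits": round(haystack_bits(len(target)), 1),
        "passphrase_bits": passphrase_bits(),
        "rule_based_guesses": guesses,
        "rule_based_bits": None if guesses is None else round(math.log2(guesses), 1),
    }


if __name__ == "__main__":
    print(compare("D0g" + "." * 21))            # found after a few thousand rule-based guesses
    print(compare("PrXyc.N(n4k77#L!eVdAfp9"))   # not produced by these rules at all
```

Under model B the 24-character padded password looks like roughly 158 bits, well above the passphrase's 44; under model C it is recovered in well under 2^16 guesses, because the attacker never pays for the padding once the pattern is in the rule set. The random 23-character string is never produced by the rules, so against this attacker it really does fall back to the brute-force figure.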
Never, ever use GRC as a source for security. They’re usually wrong, or very wrong, as you can see by the other replies to your post.
By Cool Matty on 06.06.12 10:51am
I’d love to see some evidence that GRC is “usually wrong”. Furthermore, I don’t see any replies that prove anything.
By eagle63 on 06.06.12 2:16pm
There were several, including even the amusing XKCD with statistical math applied.
By Cool Matty on 06.06.12 2:27pm
XKCD and GRC were in concurrence.
By JokerES on 06.06.12 2:50pm
Great tip. I’ve changed my password to the first example, so everything should be secure now.
By sebastianganson on 06.06.12 10:52am
lulz!
By Thebloodletting on 06.06.12 11:33am
I wonder if there is a hybrid password strength meter that takes this into account
By quicktek on 06.06.12 2:43pm
You need to use a password manager – 1password, lastpass, something like this. You’d still need to remember a password but it’ll only be one. And the rest you can make as secure as you want, e.g. 24 characters, upper and lower case, digits and symbols – nobody’s cracking that anytime soon.
As for the one password, try this – a nonsensical but memorable phrase made out of 3-4 words, each word capitalized and the spaces between replaced with digits. It’s easier to remember and while may not be optimal, it’s still a hell of a lot harder to crack than random 8 characters with a couple of digits.
By 2late2die on 06.06.12 8:53am