8 million leaked passwords connected to LinkedIn, dating website

Status
Not open for further replies.
"These are business people, so a lot of them are doing it like they would in the business world," he explained. "They didn't have to use uppercase but they are. A lot of the patterns we're seeing are the more complicated ones. I cracked a 15-character one that was just the top row of the keyboard."

If any of you are stupid enough to use a formulaic password like "EDCrfvTGByhnUJM" or "!qaz@WSX3edc" you deserve to have your fucking password cracked.

When I was working as a civilian contractor in Iraq and Afghanistan, I was appalled at watching no less than four "admins" I worked with use the exact same "pattern password" to secure their admin-level accounts on government networks.

Don't use pattern passwords, or passwords that someone could easily guess. You're only setting yourself and others up for failure if you do.
 
"My (LinkedIn) password was in it and mine was 20 plus characters and was random," Redman told Ars.
I'm assuming a password like this is unlikely to be cracked even in an unsalted hash list?

I'm further assuming whoever designed LinkedIn's password database is busy updating their own profile?
 

longhairedboy

Ars Scholae Palatinae
1,336
I never really got into hacking or cracking myself, but reading stuff like this fascinates me. I've read other articles indicating that passphrases are a better option, random word combinations like "unicornmudjumpsoda" in mixed or even same case, can be just as tough to crack by machines but easier for humans to remember. It seems like that would result in fewer passwords being left laying around, but it also seems like it would be more susceptible to dictionary attacks. Thoughts?
 

brionl

Ars Tribunus Angusticlavius
9,183
Panther Modern said:
If any of you are stupid enough to use a formulaic password like "EDCrfvTGByhnUJM" or "!qaz@WSX3edc" you deserve to have your fucking password cracked.


You are getting entirely the wrong lesson from this. "Weak" passwords only matter if somebody is bruteforcing/dictionary attack on random logins. This is not the case here. They managed to crack two sites and obtain and decrypt their entire password lists. So nobody is bruteforcing anything. They ALREADY HAVE YOUR PASSWORD. It doesn't matter how random it is.

The important point is to not reuse passwords and/or usernames from one site to another.
 

OmniWrench

Ars Scholae Palatinae
1,427
Panther Modern said:
"These are business people, so a lot of them are doing it like they would in the business world," he explained. "They didn't have to use uppercase but they are. A lot of the patterns we're seeing are the more complicated ones. I cracked a 15-character one that was just the top row of the keyboard."

If any of you are stupid enough to use a formulaic password like "EDCrfvTGByhnUJM" or "!qaz@WSX3edc" you deserve to have your fucking password cracked.

When I was working as a civilian contractor in Iraq and Afghanistan, I was appalled at watching no less than four "admins" I worked with use the exact same "pattern password" to secure their admin-level accounts on classified government networks.

Don't use pattern passwords, or passwords that someone could easily guess. You're only setting yourself and others up for failure if you do.

Because that's totally how human beings work, right? If there's anything human beings excel at, it's remembering large lists of completely random, hard to guess, unique character strings.

I counted, I have over 50 separate places where I have username/password combos.

Each one should theoretically need a separate, hard to guess, hard to remember, long password.

These are systems which need to be used by human beings, the fact that they are not easily useable by human beings is the fault of the systems and designers, not of the people using them. People don't work like this. They never have, and they never will. Continuing to blame people for not working like computers is silly.

And yes, I'm aware of password "vault" programs, all that does is move all your eggs to one single basket.

We need a completely new approach to this. Endless hard to guess passwords isn't it. We need to think about how human beings actually work, what we're good at and what we're not, and design around that.
 

H2O Rip

Ars Tribunus Militum
2,130
Subscriptor++
While the article is interesting, it is missing the most crucial point for readers:
1) Something the average user should be concerned about (i.e. can these be used to access said accounts?)
2) Is there a way to check to see if one's information is on there?
3) What should the average user be doing to react personally to maintain information security.

*Edit below line*
Since I can't read, the information is actually in the article (thanks to the commenters who pointed it out). And the promoted comment makes it clear too.
 
Panther Modern said:
"These are business people, so a lot of them are doing it like they would in the business world," he explained. "They didn't have to use uppercase but they are. A lot of the patterns we're seeing are the more complicated ones. I cracked a 15-character one that was just the top row of the keyboard."

If any of you are stupid enough to use a formulaic password like "EDCrfvTGByhnUJM" or "!qaz@WSX3edc" you deserve to have your fucking password cracked.

When I was working as a civilian contractor in Iraq and Afghanistan, I was appalled at watching no less than four "admins" I worked with use the exact same "pattern password" to secure their admin-level accounts on government networks.

Don't use pattern passwords, or passwords that someone could easily guess. You're only setting yourself and others up for failure if you do.

Interesting. I haven't heard of simple password patterns used in dictionary type attacks before. I've employed password patterns in the past, though not with patterns as simple as you listed. Is the concern over easy-to-guess patterns? Or is it just inherent that pattern-based passwords are more insecure than say XKCD's correcthorsebatterystaple?
 

sep332

Ars Praefectus
4,155
Subscriptor++
brionl said:
Panther Modern said:
If any of you are stupid enough to use a formulaic password like "EDCrfvTGByhnUJM" or "!qaz@WSX3edc" you deserve to have your fucking password cracked.
You are getting entirely the wrong lesson from this. "Weak" passwords only matter if somebody is bruteforcing/dictionary attack on random logins. This is not the case here. They managed to crack two sites and obtain and decrypt their entire password lists. So nobody is bruteforcing anything. They ALREADY HAVE YOUR PASSWORD. It doesn't matter how random it is.

The important point is to not reuse passwords and/or usernames from one site to another.
They only have the hashes of the passwords. They still have to crack them (with modified dictionary attacks, or brute force) to get your plaintext password.
 

brionl

Ars Tribunus Angusticlavius
9,183
H2O Rip said:
While the article is interesting, it is missing the most crucial point for readers:
1) Something the average user should be concerned about (i.e. can these be used to access said accounts?)
2) Is there a way to check to see if one's information is on there?
3) What should the average user be doing to react personally to maintain information security.

If you are on LinkedIn or eHarmony and used the same username/password on any other sites, then you should be concerned. Change your password to something different than any other site.
 

hobgoblin

Ars Tribunus Angusticlavius
9,070
sep332 said:
brionl said:
Panther Modern said:
If any of you are stupid enough to use a formulaic password like "EDCrfvTGByhnUJM" or "!qaz@WSX3edc" you deserve to have your fucking password cracked.
You are getting entirely the wrong lesson from this. "Weak" passwords only matter if somebody is bruteforcing/dictionary attack on random logins. This is not the case here. They managed to crack two sites and obtain and decrypt their entire password lists. So nobody is bruteforcing anything. They ALREADY HAVE YOUR PASSWORD. It doesn't matter how random it is.

The important point is to not reuse passwords and/or usernames from one site to another.
They only have the hashes of the passwords. They still have to crack them (with modified dictionary attacks, or brute force) to get your plaintext password.
With no salt, rainbow tables are going to find the weaker ones in no time.
 

sep332

Ars Praefectus
4,155
Subscriptor++
sidran32 said:
Is there a link to the list so I can check if mine is on it?

Here you go: https://disk.yandex.net/disk/public/?ha ... OEptAS4%3D

hobgoblin said:
sep332 said:
They only have the hashes of the passwords. They still have to crack them (with modified dictionary attacks, or brute force) to get your plaintext password.
With no salt, rainbow tables are going to find the weaker ones in no time.
Oh yeah, forgot about rainbow tables! The thing about rainbow tables is that they're random. They don't crack "weaker" ones first.
 

brionl

Ars Tribunus Angusticlavius
9,183
sep332 said:
brionl said:
The important point is to not reuse passwords and/or usernames from one site to another.
They only have the hashes of the passwords. They still have to crack them (with modified dictionary attacks, or brute force) to get your plaintext password.

Like they did for the guy with "20 plus characters and was random"? Once they have the hash table it's much easier to find out that one specific password to that site. If you didn't reuse that specific one any place else it doesn't matter. Your account on that site is probably already boned anyway.
 

H2O Rip

Ars Tribunus Militum
2,130
Subscriptor++
brionl said:
H2O Rip said:
While the article is interesting, it is missing the most crucial point for readers:
1) Something the average user should be concerned about (i.e. can these be used to access said accounts?)
2) Is there a way to check to see if one's information is on there?
3) What should the average user be doing to react personally to maintain information security.

If you are on LinkedIn or eHarmony and used the same username/password on any other sites, then you should be concerned. Change your password to something different than any other site.

I already changed my linkedin for security, but what I wasn't sure is if this list includes emails (i.e. is it actionable, or is it just the passwords). And what you said should be in the article :p
 

mikecyber

Wise, Aged Ars Veteran
155
The bigger of the two lists contains almost 6.46 million passwords that have been converted into hashes using the SHA-1 cryptographic function.
The passwords were stored by the website (LinkedIn and/or eHarmony) as unsalted SHA-1 which are trivial to crack. Rainbow tables will reveal the shorter ones, a couple GPUs will take care of the rest.

The comments over at HackerNews offer way more insight. http://news.ycombinator.com/item?id=4073309
 

Z1ggy

Ars Legatus Legionis
15,432
H2O Rip said:
While the article is interesting, it is missing the most crucial point for readers:
1) Something the average user should be concerned about (i.e. can these be used to access said accounts?)
2) Is there a way to check to see if one's information is on there?
3) What should the average user be doing to react personally to maintain information security.

1. Most likely the hacker has the usernames (it's in the article).
2. I would assume so (since Redman did).
3. Change your password to LinkedIn and any other places that use the same password (hopefully the number is 0, but it's probably not if you're asking these questions. Disclaimer: I use the same password in a bunch of places; I need to set up a password vault.)
 

Kiru

Ars Tribunus Militum
1,855
OmniWrench said:
These are systems which need to be used by human beings

The fact that they are not easily useable by human beings is the fault of the systems and designers, not of the people using them.

People don't work like this.

They never have, and they never will.

Continuing to blame people for not working like computers is silly.

We need a completely new approach to this.

Endless hard to guess passwords isn't it.

We need to think about how human beings actually work, what we're good at and what we're not, and design around that.

I edited your original post, but... well said.
 

deas187

Ars Scholae Palatinae
880
brionl said:
Panther Modern said:
If any of you are stupid enough to use a formulaic password like "EDCrfvTGByhnUJM" or "!qaz@WSX3edc" you deserve to have your fucking password cracked.


You are getting entirely the wrong lesson from this. "Weak" passwords only matter if somebody is bruteforcing/dictionary attack on random logins. This is not the case here. They managed to crack two sites and obtain and decrypt their entire password lists. So nobody is bruteforcing anything. They ALREADY HAVE YOUR PASSWORD. It doesn't matter how random it is.

The important point is to not reuse passwords and/or usernames from one site to another.

+2325 for knowledge. +25745423634 for reading skills.
 

Xavin

Ars Legatus Legionis
30,665
Subscriptor++
And yes, I'm aware of password "vault" programs, all that does is move all your eggs to one single basket.
Yes, a basket you control (open source if you use KeePass, that can be locked to a password and a cryptographic key) that won't be compromised when some incompetent developer stores passwords in an insecure way (no salt? :facepalm:) on their website. No, a password locker probably won't help you if someone is making an effort to target you specifically, to the point of gaining virtual or physical access to your machines, but that's not the kind of thing they are meant to stop.

All security measures have flaws, and you can only gain a reasonable level of security by using multiple layers of flawed systems, and making your accounts not worth the trouble of hackers and criminals that are going for volume.
 

semiquaver

Wise, Aged Ars Veteran
144
From the hacker news comments, a script that can tell you whether your password is in the dump and whether or not it was already cracked (the cracked passwords are marked in the file with leading zeros)

http://news.ycombinator.com/item?id=4074416

My fairly complicated password was in the list and had already been cracked :S
 
brionl said:
Panther Modern said:
If any of you are stupid enough to use a formulaic password like "EDCrfvTGByhnUJM" or "!qaz@WSX3edc" you deserve to have your fucking password cracked.


You are getting entirely the wrong lesson from this. "Weak" passwords only matter if somebody is bruteforcing/dictionary attack on random logins. This is not the case here. They managed to crack two sites and obtain and decrypt their entire password lists. So nobody is bruteforcing anything. They ALREADY HAVE YOUR PASSWORD. It doesn't matter how random it is.

The important point is to not reuse passwords and/or usernames from one site to another.

No, they do not. They have unsalted hashes, which must then be cracked (a salted hash is more difficult).

To help crack the unsalted hashes, they'll try using common patterns and strings (like l33tsp34k in the company name, say, "3h4rm0ny" or "eharm0ny") to help the process along.

If you choose a password that has a guessable pattern like those above, you are only fucking yourself in the ass when it comes to events like this.
 

pov3rty

Ars Centurion
219
Subscriptor++
brionl said:
Panther Modern said:
If any of you are stupid enough to use a formulaic password like "EDCrfvTGByhnUJM" or "!qaz@WSX3edc" you deserve to have your fucking password cracked.


You are getting entirely the wrong lesson from this. "Weak" passwords only matter if somebody is bruteforcing/dictionary attack on random logins. This is not the case here. They managed to crack two sites and obtain and decrypt their entire password lists. So nobody is bruteforcing anything. They ALREADY HAVE YOUR PASSWORD. It doesn't matter how random it is.

The important point is to not reuse passwords and/or usernames from one site to another.

Second this. The summary here is: Programmers continue to do dumb things because they're lazy and/or incompetent.
 

Z1ggy

Ars Legatus Legionis
15,432
semiquaver said:
From the hacker news comments, a script that can tell you whether your password is in the dump and whether or not it was already cracked (the cracked passwords are marked in the file with leading zeros)

http://news.ycombinator.com/item?id=4074416

My fairly complicated password was in the list and had already been cracked :S
Wait, so a Hacker News comment tells you to type your password into this to tell you whether or not your password is in the list?

So you're giving them a list of passwords that might not be cracked?
 

sep332

Ars Praefectus
4,155
Subscriptor++
spotter said:
sep332: that does not have usernames, just things that sort of appear to be hashes.
Right, these are the SHA-1 hashes that are supposedly from LinkedIn. If your password has been cracked already it is marked with 000000. Example: 'linkedin':

7728240c80b6bfd450849405e8500d6d207783b6 is not present
0000040c80b6bfd450849405e8500d6d207783b6 is present
So calculate the SHA-1 of your password and then search for the last digits to see if it has been cracked.

More discussion: https://news.ycombinator.com/item?id=4073309
 

mikecyber

Wise, Aged Ars Veteran
155
Panther Modern said:
brionl said:
Panther Modern said:
If any of you are stupid enough to use a formulaic password like "EDCrfvTGByhnUJM" or "!qaz@WSX3edc" you deserve to have your fucking password cracked.


You are getting entirely the wrong lesson from this. "Weak" passwords only matter if somebody is bruteforcing/dictionary attack on random logins. This is not the case here. They managed to crack two sites and obtain and decrypt their entire password lists. So nobody is bruteforcing anything. They ALREADY HAVE YOUR PASSWORD. It doesn't matter how random it is.

The important point is to not reuse passwords and/or usernames from one site to another.

No, they do not. They have unsalted hashes, which must then be cracked (a salted hash is more difficult).

To help crack the unsalted hashes, they'll try using common patterns and strings (like l33tsp34k in the company name, say, "3h4rm0ny" or "eharm0ny") to help the process along.

If you choose a password that has a guessable pattern like those above, you are only fucking yourself in the ass when it comes to events like this.

No. In a leak like this the strength of the password does not matter, because they're stored as unsalted SHA-1. People can check to see if they're on the list by hashing their password and ctrl+f'ing the list. The only thing stopping someone from doing the same with every possible char combination is time. With a couple of GPUs and a well crafted script, little time.
 
Z1ggy said:
semiquaver said:
From the hacker news comments, a script that can tell you whether your password is in the dump and whether or not it was already cracked (the cracked passwords are marked in the file with leading zeros)

http://news.ycombinator.com/item?id=4074416

My fairly complicated password was in the list and had already been cracked :S
Wait, so a Hacker News comment tells you to type your password into this to tell you whether or not your password is in the list?

So you're giving them a list of passwords that might not be cracked?

LOL...that's what I was thinking, "please input your username and password here to see if it's been hacked!"
 

semiquaver

Wise, Aged Ars Veteran
144
Z1ggy said:
semiquaver said:
From the hacker news comments, a script that can tell you whether your password is in the dump and whether or not it was already cracked (the cracked passwords are marked in the file with leading zeros)

http://news.ycombinator.com/item?id=4074416

My fairly complicated password was in the list and had already been cracked :S
Wait, so a Hacker News comment tells you to type your password into this to tell you whether or not your password is in the list?

So you're giving them a list of passwords that might not be cracked?

This is a very short python script. You download it to your machine and run it locally against the text file. It's trivially easy to verify that the script is non-malicious -- it just hashes your password then loops through the dump file to see if your hashed password is present.
 

ads2

Ars Scholae Palatinae
1,254
Subscriptor++
Z1ggy said:
semiquaver said:
From the hacker news comments, a script that can tell you whether your password is in the dump and whether or not it was already cracked (the cracked passwords are marked in the file with leading zeros)

http://news.ycombinator.com/item?id=4074416

My fairly complicated password was in the list and had already been cracked :S
Wait, so a Hacker News comment tells you to type your password into this to tell you whether or not your password is in the list?

So you're giving them a list of passwords that might not be cracked?
No.. Follow the link. It provides the source to a simple python script that you can run locally (if you have the hash list). It just runs sha1() on your input and searches the list.

edit: too slow
 

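The local check that sep332 walks through earlier in the thread (hash your password with SHA-1, then look for the trailing characters, because already-cracked entries have their first five hex digits zeroed) and that semiquaver and ads2 describe the Hacker News script doing, as an added Python example written for this page; it is not that script and not code from any poster. It runs against a constructed in-memory sample in the dump's format, so nothing leaves the machine; the sample passwords are made up.

```python
import hashlib
from typing import Dict


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 hex digest, the form the leaked list was stored in."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def mark_cracked(digest: str) -> str:
    """Apply the dump's 'already cracked' marker: the first five hex characters
    become zeros. The thread's own example follows this rule: the digest
    7728240c... for 'linkedin' appears in the file as 0000040c..."""
    return "00000" + digest[5:]


# Constructed sample in the dump's format: one 40-hex-character line per
# password. Made up for this example; none of these lines is from the real file.
SAMPLE_DUMP = "\n".join([
    mark_cracked(sha1_hex("password1")),       # already cracked
    sha1_hex("correcthorsebatterystaple"),     # present, not marked (for the sample)
    mark_cracked(sha1_hex("!qaz@WSX3edc")),    # keyboard pattern from the thread, cracked
    sha1_hex("Tr0ub4dor&3"),                   # present, not marked (for the sample)
    "",                                        # blank line, skipped by the loader
])


def index_dump(text: str) -> Dict[str, bool]:
    """Index the dump once, keyed by the 35 trailing hex characters (the part
    the cracked marker leaves intact). The value records whether the line
    carried the marker. Caveat: a genuine hash that happens to begin with
    00000 is indistinguishable from a marked one; about 1 in 16**5 do."""
    index: Dict[str, bool] = {}
    for raw in text.splitlines():
        line = raw.strip().lower()
        if len(line) != 40 or any(c not in "0123456789abcdef" for c in line):
            continue  # skip blank or malformed lines
        index[line[5:]] = line.startswith("00000")
    return index


def check_password(password: str, index: Dict[str, bool]) -> str:
    """Return 'absent', 'present' (hash in dump, not marked cracked) or 'cracked'."""
    marked = index.get(sha1_hex(password)[5:])
    if marked is None:
        return "absent"
    return "cracked" if marked else "present"


if __name__ == "__main__":
    # Real use: read the downloaded file from disk; the password never leaves
    # this process, which is the whole point of running the check locally.
    idx = index_dump(SAMPLE_DUMP)
    for pw in ["password1", "correcthorsebatterystaple", "not-in-the-dump"]:
        print(pw, "->", check_password(pw, idx))
```

Against the real file you would pass its contents to index_dump instead of SAMPLE_DUMP; the index is built once so repeated lookups are cheap.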
karasu89

Seniorius Lurkius
1
beebee said:
It doesn't matter how clever of a password you dream up if the "host" isn't secure. Your only security is to not use the same password for multiple accounts.

I'd also like to point out to the tea bagger crowd that the vast majority of these security breaches occur in the private sector.

That is patently untrue, although it depends on what your interpretation of "insecure" is. If the host is hacked then salts can add some layer of protection, but will probably not protect much against short passwords (because LinkedIn needs to do verification in a limited time). However, if you link the hash generation to some physical element (e.g. a smartcard) then the attacker will need to do the bruteforcing while in contact with the host. This will significantly slow down the password cracking, and once the breach has been detected no further bruteforcing should be possible. However, the disadvantage to implementing such a solution is portability of the hashes.
 

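karasu89's point above that a salt adds a layer of protection (and hobgoblin's that, with no salt, rainbow tables find the weak ones quickly) in working form: an added Python example, not code from any poster or from the site in question, contrasting the unsalted SHA-1 storage the leak exposed with a per-user salt and a slow key-derivation function. The iteration count and sample passwords are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Cost parameter for PBKDF2; a constructed value for this example. Raise it as
# hardware gets faster, and store it in the record so old entries can be upgraded.
PBKDF2_ITERATIONS = 600_000


def store_unsalted_sha1(password: str) -> str:
    """What the leaked site did: one plain SHA-1 per password, no salt, no work
    factor. Every user with the same password gets the same digest, so one
    precomputed table or one cracked hash covers all of them at once."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def store_salted(password: str, salt: Optional[bytes] = None) -> str:
    """Per-user random salt plus PBKDF2-HMAC-SHA256. The record is
    'salt$iterations$hash' in hex, so verification can recover both parameters."""
    if salt is None:
        salt = os.urandom(16)  # fresh 128-bit salt for every stored password
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"{salt.hex()}${PBKDF2_ITERATIONS}${derived.hex()}"


def verify_salted(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    salt_hex, iterations, stored_hex = record.split("$")
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(derived.hex(), stored_hex)


if __name__ == "__main__":
    pw = "correcthorsebatterystaple"  # constructed sample password
    # Two users, same password: identical under unsalted SHA-1 ...
    print(store_unsalted_sha1(pw) == store_unsalted_sha1(pw))  # True
    # ... but different records once each has its own salt, and still verifiable.
    a, b = store_salted(pw), store_salted(pw)
    print(a == b, verify_salted(pw, a), verify_salted(pw + "!", a))  # False True False
```

The salt does not rescue a short password from a targeted guess, which is karasu89's caveat; what it removes is the one-table-fits-all property, and the iteration count is what makes each guess cost something.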
Zathrus1

Wise, Aged Ars Veteran
110
OmniWrench said:
I counted, I have over 50 separate places where I have username/password combos.

Really? That few? I have 40 for Work alone. I have about 100 more for general 'Net sites, and then there's banking ones, job search related ones, passwords for other family members (like my kids' logins to Animal Jam and Poptropica)...

And yes, I'm aware of password "vault" programs, all that does is move all your eggs to one single basket.

Yes. But the point is that it's a SINGLE basket with an arbitrarily difficult password (I know both mine and my wife's are exceptionally difficult) that YOU control. As long as you use a local password store then it's not in some random database on a remote system which can get hacked and stolen. They would have to target YOU specifically, most likely a device in YOUR control. If someone wants to do that, then you're most likely screwed anyway, but I think it's safe to say that most people are in no more danger of that than being struck by lightning. Repeatedly. Yes, it happens. It's not a real concern though.

And so what do you gain by this? That when some random site gets its passwords stolen AGAIN that you'll have to worry about only that one site. As an example I just changed my LinkedIn password, and I'm not worried about the other 200+ passwords I have because they're all unique. Here, you can even have my old LinkedIn password -- KhDpD0wUJzIAhCDvdfYW . Have fun. Oh, and that's the first time I've ever seen it in clear text, because frankly I don't care what my passwords are. The only one I need to know is my master password.

We need a completely new approach to this. Endless hard to guess passwords isn't it. We need to think about how human beings actually work, what we're good at and what we're not, and design around that.

Good luck; have fun. Realize that passwords were originally exactly that -- humans are actually very good at remembering short strings associated with a particular thing. Problem is, short strings are also easily broken by computers. Long strings aren't easily broken, but they're not easily memorized either (phrases can help, but I'm not going to memorize 200+ different multi-word phrases).

The only viable solution I can think of is to go to something like SecureID or Battle.net's mobile authenticator for every site -- but that's not dramatically different from using a password program. And the reality is that nobody's going to agree on a single standard so you'll be carrying a dozen fobs or mobile programs around with you.

Really, use a password vault. Personally, I use KeePass -- it's free, it's open source (for varying definitions of open; but you can at least check that it's not storing things in the clear and it's using the crypto it claims to), and it's available on every platform I use, including my iPhone (that wasn't free, but I don't mind shucking a few bucks to the developer). There are plenty of alternatives out there. It's a lot better than changing a dozen passwords when one of them gets compromised.
 