HeliX Posted June 7, 2012
6.5 million unique passwords have been leaked from LinkedIn. Approx 3.5 million have been cracked so far (+8 that I just cracked in 10 minutes of half-arsed faffing). If you use your LinkedIn password elsewhere (which you shouldn't), change that one too.
http://www.bbc.co.uk/news/technology-18338956
Slim Posted June 7, 2012
Keepass is a good solution to keep your passwords complex and (almost) uncrackable, and it's free.
Mission Posted June 7, 2012
Keep ass? Rather unfortunate name for a product.
HeliX Posted June 7, 2012
> Keepass is a good solution to keep your passwords complex and (almost) uncrackable, and it's free.
Yup! And if you need to share files containing passwords between locations, dropbox + truecrypt.
HeliX Posted June 7, 2012
For anyone wondering if their password has been cracked yet: http://leakedin.org/
Though this is PURELY for curiosity; whatever result it comes back with, change your blummin' pass!
Chinahand Posted June 7, 2012
@Helix - the link you've provided looks hugely dodgy. You are providing it with a password and, when you submit it, your IP address. That looks like a phishing expedition if ever there was one!
Question: were both passwords AND email addresses stolen? If all they've got is passwords, it's not that useful, surely? What's important is the link between the password and the login id/email.
Surely most companies only give you so many login attempts and then lock you out, to stop people with a huge database of common passwords just working down the list? Or is LinkedIn different?
pongo Posted June 7, 2012
> @Helix - the link you've provided looks hugely dodgy. You are providing it with a password and, when you submit it, your IP address. That looks like a phishing expedition if ever there was one!
If you are worried then the obvious thing to do would be to change your password before checking whether your previous password is on the list.
pongo Posted June 7, 2012
> If all they've got is passwords, it's not that useful, surely? What's important is the link between the password and the login id/email.
The passwords aren't linked to usernames, but Finnish security company Cert-Fi says that it's likely the hacker has access to the usernames as well. Mashable says that though the passwords are encrypted with the SHA-1 hash function, they aren't salted. In plain English, that means that it's easier for an enterprising hacker to figure out what passwords the encrypted hashes represent through trial and error; a salt adds a significantly more complicated degree of encryption, but apparently wasn't in use by LinkedIn. LinkedIn said on Twitter that it's investigating the potential password hack. In the meantime, it's another good reminder to use a different password for each of your different Web services; if you have a LinkedIn account and use the same password elsewhere, you may want to start changing some of those passwords now.
http://www.macworld.com/article/1167113/linkedin_privacy_issues_possible_password_breach_ios_app_data_leak.html
pongo Posted June 7, 2012
Rainbow Tables and salting.
The Old Git Posted June 7, 2012
> @Helix - the link you've provided looks hugely dodgy. You are providing it with a password and, when you submit it, your IP address. That looks like a phishing expedition if ever there was one!
Steve Gibson from GRC and others I trust say it's OK. It seems to be all javascript that runs in your browser.
Slim Posted June 7, 2012
> @Helix - the link you've provided looks hugely dodgy. You are providing it with a password and, when you submit it, your IP address. That looks like a phishing expedition if ever there was one!
I changed my password then ran the old one through the test. It's encrypting it locally in js and matching the hashes, which you can verify from the source of the page.
> If all they've got is passwords, it's not that useful, surely? What's important is the link between the password and the login id/email.
The passwords they find will go into rainbow tables and get used for brute forcing. As most people use the same password for multiple sites, the hit rate will increase.
I found my password, but my account (apparently) isn't included. So my fairly random/strong password was the same as someone else's. I've now made it stronger!
I wouldn't pay much attention to Steve Gibson though.
pongo Posted June 7, 2012
> I wouldn't pay much attention to Steve Gibson though.
I would. And he knows a heck of a lot more about security than you do. Actually - I wouldn't pay much attention to anyone who wouldn't pay much attention to Steve Gibson.
HeliX Posted June 7, 2012
> @Helix - the link you've provided looks hugely dodgy. You are providing it with a password and, when you submit it, your IP address. That looks like a phishing expedition if ever there was one!
> Question: were both passwords AND email addresses stolen? If all they've got is passwords, it's not that useful, surely? What's important is the link between the password and the login id/email.
> Surely most companies only give you so many login attempts and then lock you out, to stop people with a huge database of common passwords just working down the list? Or is LinkedIn different?
The link is fine; the pass is hashed client-side before the server processes it. If you're worried, hash the password yourself and put it in.
Yes, both were probably stolen. Only passes have been released so far, but if they were taken from the database there is 0% chance that they didn't take the usernames too.
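Two points in this thread are really the same fact: the dump is unsalted SHA-1 (pongo's Macworld quote), so anyone can recompute a digest and look it up, and that is exactly why the client-side hash check HeliX describes can work without the password leaving the browser. The Python below is an added example, not code from any poster or from leakedin.org. It shows a local check that hashes the password itself and looks the digest up in a constructed dump, and a single precomputed digest table (a plain dictionary standing in for the rainbow tables pongo mentions) that recovers every user sharing a password from the unsalted dump but nothing from a dump where each user has their own random salt. The user names, passwords and word list are constructed for the example.

```python
"""Unsalted SHA-1 vs per-user salted SHA-1 (added example, constructed data)."""
import hashlib
import secrets


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 of the password, the scheme the thread says LinkedIn used."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def sha1_salted_hex(password: str, salt: bytes) -> str:
    """SHA-1 over salt || password: same password, different salt, different digest."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def password_in_dump(password: str, dump: set) -> bool:
    """Local check of the kind the thread describes: hash the password yourself,
    then look the digest up.  The plaintext never leaves this function."""
    return sha1_hex(password) in dump


def build_lookup(wordlist):
    """Precomputed digest -> candidate table.  A rainbow table is a space-optimised
    version of this idea; the point is that it is built once and reused for everyone."""
    return {sha1_hex(w): w for w in wordlist}


def recover_unsalted(dump, lookup):
    """Map every dump entry the table knows back to its plaintext."""
    return {h: lookup[h] for h in dump if h in lookup}


# Constructed sample users; alice and bob chose the same weak password.
USERS = {"alice": "linkedin1", "bob": "linkedin1", "carol": "Tr0ub4dor&3"}
# Constructed mini word list standing in for a cracking dictionary.
WORDLIST = ["password", "linkedin", "linkedin1", "123456"]

# Unsalted: identical passwords collapse into one identical digest.
UNSALTED_DUMP = {sha1_hex(pw) for pw in USERS.values()}

# Salted: a fresh 16-byte random salt per user, stored beside the digest.
SALTED_DUMP = {}
for _name, _pw in USERS.items():
    _salt = secrets.token_bytes(16)
    SALTED_DUMP[_name] = (_salt, sha1_salted_hex(_pw, _salt))


def demo():
    """Run one shared lookup table against both dumps and report what it recovers."""
    lookup = build_lookup(WORDLIST)
    unsalted_hits = recover_unsalted(UNSALTED_DUMP, lookup)
    # The table's digests were computed without any salt, so they never match.
    salted_hits = {name for name, (_s, h) in SALTED_DUMP.items() if h in lookup}
    return {
        "unsalted_entries": len(UNSALTED_DUMP),        # 2: alice and bob share one
        "unsalted_recovered": sorted(unsalted_hits.values()),
        "salted_recovered": sorted(salted_hits),       # empty
    }


if __name__ == "__main__":
    print("old password in dump?", password_in_dump("linkedin1", UNSALTED_DUMP))
    print(demo())
```

The salt does not make a single digest harder to guess; it only stops one precomputed table from being reused across the whole dump, which is the property the thread is talking about when it says the hashes "aren't salted".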
HeliX Posted June 7, 2012
On top of the ~3.5mil passwords that the hackers have cracked, I've now cracked these 125:
Loaded 6458020 password hashes with no different salts (Raw SHA-1 [SSE2 4x])
Remaining 6458014 password hashes with no different salts
SocialMedia (?) linkeddeknil (?) lihatlihat (?) tnemtiurcer (?) linkedinfrance (?) LinkedLinked (?) LesEchos (?) maafmaaf (?) España (?) München (?) Nürnberg (?) Paraná (?) Whitstable (?) Zürich (?) attaché (?) garçon (?) garçons (?) métairie (?) piraña (?) rivière (?) réseau (?) véronique (?) éolienne (?) quadrigesima (?) Collateralized (?) Cornmill (?) Lighthouseman (?) beerbellies (?) akratic1 (?) jammable1 (?) Jinzhou1 (?) Moogs1 (?) Agroforester1 (?) Calpain1 (?) Darcies1 (?) Douleia1 (?) Fleckers1 (?) Hooleys1 (?) Jemimas1 (?) Pheresis1 (?) Poonces1 (?) Punchbags1 (?) Toyings1 (?) abujaabuja (?) arleenarleen (?) armondarmond (?) breaksbreaks (?) cymrucymru (?) dingledingle (?) dorseydorsey (?) efrainefrain (?) ileanaileana (?) janithjanith (?) liberalibera (?) lucienlucien (?) mumbaimumbai (?) nansennansen (?) natalanatala (?) robsonrobson (?) salemasalema (?) streepstreep (?) sudhirsudhir (?) sunmansunman (?) trudietrudie (?) avantiavanti (?) bandarbandar (?) bonzerbonzer (?) brownybrowny (?) caligocaligo (?) flyboyflyboy (?) frijolfrijol (?) gazalgazal (?) giftedgifted (?) grampsgramps (?) liberolibero (?) mashiemashie (?) perpsperps (?) rucsrucs (?) shoppyshoppy (?) sweirsweir (?) yahsyahs (?) obutanip (?) renilthgierf (?) CONSERVATORIUM (?) LAPAROSCOPY (?) elysées (?) mañanas (?) brylcrm (?) chmnyswp (?) rbbrstmp (?) AtivanAtivan (?) BikoBiko (?) BolBol (?) GracieGracie (?) KendraKendra (?) MalangMalang (?) MorMor (?) ZiboZibo (?) FerFer (?) MoggieMoggie (?) OuiOui (?) PlasmaPlasma (?) Epotipe (?) arbassabra (?) ekkassakke (?) lomassamol (?) Childminding2 (?) Telicity2 (?) Jobshare! (?) Dingers3 (?) Nupes5 (?) Quesadillas5 (?) Euphobia6 (?) denziling (?) greensboring (?) tuckying (?) coldsing (?) eldercaring (?) hondlesing (?) paddlesing (?) praisering (?) quiltsing (?) silencesing (?) Dreamtiming (?) Jaehning (?)
guesses: 125 time: 0:00:00:09 DONE (Thu Jun 7 14:42:15 2012) c/s: 10735G
Considering how easy it was (for some of them I just grabbed keywords and mangled them, the rest are dictionary words joined together + numbers), if your password is in this list you are bad and should feel bad.
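The cracked list above is almost entirely doubled words, a word followed by its own reverse, reversed words, and words with a digit or punctuation mark tacked on. The Python below is an added example, not HeliX's cracking setup, that recognises those construction patterns so a site can reject them before a password is ever set. The small word list is a constructed stand-in for a real dictionary, and the sample passwords are ones that appear in the post.

```python
"""Flag the weak construction patterns seen in the cracked list (added example)."""
import re

# Constructed mini-dictionary; a real check would load a full word list.
WORDS = {"linked", "linkedin", "recruitment", "abuja", "maaf", "moogs",
         "childminding", "jobshare", "conservatorium"}

# Up to three trailing digits / punctuation marks, e.g. "Moogs1", "Jobshare!".
SUFFIX = re.compile(r"[0-9!?.]{1,3}$")


def classify(password: str, words=WORDS) -> list:
    """Return the weak patterns a password matches; an empty list means none found."""
    flags = []
    p = password.lower()
    half = len(p) // 2

    if p in words:
        flags.append("dictionary word")
    if p[::-1] in words:
        flags.append("reversed dictionary word")
    if len(p) % 2 == 0 and p[:half] == p[half:] and p[:half] in words:
        flags.append("doubled word")                      # abujaabuja
    if len(p) % 2 == 0 and p[half:] == p[:half][::-1] and p[:half] in words:
        flags.append("word + reversed word")              # linkeddeknil

    core = SUFFIX.sub("", p)
    if core != p and core in words:
        flags.append("word + short suffix")               # Moogs1, Jobshare!
    return flags


def audit(candidates, words=WORDS) -> dict:
    """Map each candidate password to its flags, for use as a pre-set check."""
    return {c: classify(c, words) for c in candidates}


# Entries from the post, plus one long passphrase that should pass.
SAMPLES = ["abujaabuja", "linkeddeknil", "tnemtiurcer", "Moogs1", "Jobshare!",
           "Childminding2", "CONSERVATORIUM", "correcthorsebatterystaple"]

if __name__ == "__main__":
    for pw, flags in audit(SAMPLES).items():
        print(f"{pw:28} {', '.join(flags) or 'no pattern matched'}")
```

Any non-empty flag list is a reject; the checks are case-insensitive because the cracked list shows capitalisation did nothing to protect these passwords.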
P.K. Posted June 8, 2012
Not exactly a life-threatening breach of security though, is it?
The Mash: LinkedIn hack 'an anti-prick hate crime'
> THE theft of passwords from networking site LinkedIn is a direct attack on the world's prick and douchebag communities, it has been claimed. LinkedIn had become hugely popular with the world's sizeable prick population, as it allows those who claim to be 'Global President of Cross-Platform Technologies' at a make-believe company to connect with similarly-deluded dipshits.
Etc: http://www.thedailym...e-2012060729702
I accidentally found someone I know on LinkedIn and I can personally vouch for just how unerringly true the above statements are. Some snippets from his over-worked imagination posted on www.pretentiouspricks.net LinkedIn that demonstrate so readily just how far some folks have their head up their own arse:
"Equally confident operating as Project Manager, Consultant and Business Analyst. Adept at working with prospective clients, customers, suppliers and technical teams at all levels. A wide range of industrial sector experience, having worked in retail banking, general insurance, software houses, mobile telecommunications, manufacturing and finance houses in the UK and Europe. An expert requirements analyst, risk manager, researcher, planner, man-manager and project manager. A confident team player, flexible about travel and proven cross-national and cross-cultural work experience. Attentive to detail and results oriented."
Missing from the above: "Have been unemployed for the last six years or so."
The Defence rests....