LinkedIn may have suffered a serious blow in terms of the security and safety of its users today. Hackers claim to have leaked over 6.5 million password hashes originating from the career-focused social networking site. Although the hash values appear to indicate LinkedIn had protected user passwords with SHA-1 hashing, the company did not salt user passwords. This could be a major issue, but more on this later.

At the time of this writing, LinkedIn has yet to confirm a security breach has taken place. The company has informed users that an investigation is under way; however, some users on Twitter are claiming they have already found their password's hash in the 265MB text file. This may not be unexpected, but some of those users also claim to have fairly long, complex passwords. Finding hashes for such unique passwords in the hash dump could act as confirmation.

Passwords hashed with SHA-1, without the aid of an HMAC key or salting, always produce the same hash values for the same passwords. For example, the password "linkedin" will always generate the following value: 7728240c80b6bfd450849405e8500d6d207783b6. This makes dictionary attacks far more effective than they ought to be: tables of precomputed hashes for common passwords can be downloaded, or computed once locally, and then matched against every account in the dump at the same time. As a result, "cracking" a common MD5 or SHA-1 password hash value may only be a Google search away. Salting, on the other hand, adds a random per-password element so that the same password no longer maps to the same hash, which defeats such precomputed attacks; an attacker has to start over for every salt.

Interestingly, the hash value for "linkedin" isn't in the file, but if you replace the first five characters with zeros, it is. This may sound like a fluke, but the same applies not only to other common passwords (e.g. password, passw0rd, secret) but to uncommon ones like "l1nkedin", "linkedout", "recruiter", "recru1ter" and more. A plausible explanation is that whoever prepared the file zeroed the leading characters of hashes that had already been cracked. The odd specificity of these passwords does help support the file's authenticity.

With a 160-bit output, attempting to programmatically invert a SHA-1 password hash, that is, recovering the password from nothing but the hash, is, for all intents and purposes, an intractable proposition. However, generating a candidate password and turning it into a SHA-1 hash value takes but a tiny fraction of a second. Thus, generating passwords and comparing their hashes against a list of stolen hashes is a very simple method for hackers to work around hashed passwords.

LinkedIn users are urged to change their passwords immediately, regardless of whether or not their account was compromised.

Update: LinkedIn confirms some accounts were compromised. Identified users will be prompted to change their passwords the next time they log on. LinkedIn also added that they have recently begun salting passwords.
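To make the mechanics described above concrete, here is an added Python example (it is not code from this article, from LinkedIn, or from the people who released the file). It shows why unsalted SHA-1 falls to a single pass over a wordlist, how the "first five characters zeroed" entries can be matched, and how a per-user salt forces the attacker to redo the whole wordlist for every account. The dump and the wordlist are constructed stand-ins; the real leaked file is not reproduced here.

```python
from __future__ import annotations

import hashlib
import os

# Constructed wordlist standing in for a real password dictionary (not from the article).
WORDLIST = ["123456", "password", "linkedin", "l1nkedin", "recruiter", "secret"]


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 as LinkedIn stored it: same password, same hash, for every user."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def masked(hash_hex: str) -> str:
    """The variant seen in the dump: the first five hex characters replaced with zeros."""
    return "00000" + hash_hex[5:]


def build_sample_dump() -> set[str]:
    """Constructed stand-in for the leaked file (this is NOT the real dump): two hashes
    masked the way the article describes, one plain, and one for a passphrase that
    no wordlist will contain."""
    return {
        masked(sha1_hex("linkedin")),
        masked(sha1_hex("l1nkedin")),
        sha1_hex("recruiter"),
        sha1_hex("this passphrase is not in any wordlist, 2012"),
    }


def crack_unsalted(dump: set[str], wordlist) -> dict[str, str]:
    """Dictionary attack on unsalted hashes: each candidate is hashed exactly once and
    looked up against every entry in the dump, in both plain and masked form.
    Returns {hash as it appears in the dump: recovered password}."""
    found = {}
    for candidate in wordlist:
        h = sha1_hex(candidate)
        for variant in (h, masked(h)):
            if variant in dump:
                found[variant] = candidate
    return found


def store_salted(password: str, salt: bytes | None = None) -> tuple[bytes, str]:
    """Salted SHA-1: a random per-user salt is hashed together with the password and
    stored beside the hash. Two users with the same password get different hashes."""
    if salt is None:
        salt = os.urandom(16)
    return salt, hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def crack_salted(records: dict[str, tuple[bytes, str]], wordlist) -> dict[str, str]:
    """Against salted hashes the attacker must re-hash the whole wordlist per record:
    precomputed tables are useless and the work scales with the number of accounts."""
    found = {}
    for user, (salt, stored) in records.items():
        for candidate in wordlist:
            if hashlib.sha1(salt + candidate.encode("utf-8")).hexdigest() == stored:
                found[user] = candidate
                break
    return found


if __name__ == "__main__":
    dump = build_sample_dump()
    print("unsalted dump cracked:", crack_unsalted(dump, WORDLIST))
    users = {"alice": store_salted("linkedin"), "bob": store_salted("linkedin")}
    print("same password, different hashes:", users["alice"][1] != users["bob"][1])
    # The one-pass lookup finds nothing once salts are in play...
    print("lookup vs salted:", crack_unsalted({h for _, h in users.values()}, WORDLIST))
    # ...but a per-user pass over the wordlist still recovers weak passwords.
    print("per-user attack:", crack_salted(users, WORDLIST))
```

Salting, as the update notes LinkedIn has started doing, removes the one-pass shortcut but does not make a weak password safe: `crack_salted` still recovers "linkedin" for every user, it just pays the full wordlist cost per account. A current deployment would therefore pair the salt with a deliberately slow password hash (bcrypt, scrypt, PBKDF2 or Argon2) so that each of those per-user guesses costs far more than a single SHA-1 call.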