We dive into the LinkedIn password breach and how the information may be cracked.

Following the leak of 6.5 million LinkedIn passwords, many made a mad dash to change their passwords, and now that things have finally started to settle, the company has posted an official response on the matter. The second paragraph by Vicente Silveira, Director of LinkedIn, states, "First, it's important to know that compromised passwords were not published with corresponding e-mail logins. At the time they were initially published, the vast majority of those passwords remained hashed, i.e., encoded, but unfortunately a subset of the passwords was decoded. Again, we are not aware of any member information being published at any time in connection with the list of stolen passwords. The only information published was the passwords themselves." So maybe things aren't that bad? The answer depends and requires more dissection.

The last portion of the email talks about how LinkedIn is in the process of transitioning "from a password database system that hashed passwords, i.e. provided one layer of encoding, to a system that both hashed and salted the passwords." Say what?

In other words, these passwords were merely protected with a single SHA-1 hash, which amounts to a part-time mall cop as opposed to an armed escort. For those not in the know, hashing in its purest form is simply a way to convert data of varying length into a smaller value of fixed length. Think of it kind of like a one-way decoder ring. That's the extent of what LinkedIn did to secure passwords. As we explored with WPA, salting (which is part of LinkedIn's new protocol) is the more serious stuff that requires serious hardware to crack.

I played with the leaked password file about two days ago, and I think the forum post by John Graham-Cumming largely sums up my own observations. In the password file, there are roughly 3.5 million passwords that begin with 00000.
These entries appear to be hashes that are already compromised and broken. The others, not denoted by zeros at the beginning, number another 3 million or so, and these appear to be unbroken.

These unbroken passwords aren't necessarily safe. In fact, I've cracked many of them on my own. The problem is LinkedIn only used a single SHA-1 conversion. This makes it child's play for anyone with a fast graphics card and some GPGPU-optimized software. On these matters, Ivan Golubev's my favorite guy to talk to. His cryptography work with GPGPU is amazing. Using his ighashgpu app, a single 6990 is capable of processing ~2.6 billion single SHA-1 hashes per second.

Now consider the following: the English language has ~300k words, and conversational English has somewhere between 15k and 20k words. The search space with brute-force cracking is n^(length of password), where n is the number of elements to choose from. If the password only contains words and numbers, I can search through all two- and three-word/number combos in a matter of minutes, and I can process the entire 3 million chunk of unbroken passwords on my coffee break.

If the password is sufficiently random, it's much harder to break. Assuming we're dealing with alphanumeric and, say, 50 percent search time (passwords are usually discovered in the middle of a random search, such as finding 500 when counting from 000 to 999), it would take me about half a day to break a single hashed password using a 6990. The caveat is that we've capped password length to 8 characters. With ~3 million entries, this speed isn't practical. Bring it down to 7 characters max, and now we can process each entry in around 15 minutes. The total search time for all ~3 million entries is now 85 years. Give a team of hackers some Crossfire 6990 configs, and that time drops down to 5 years.
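The storage scheme described above (one bare SHA-1 per password) next to a hashed-and-salted one, the 00000 masking of the published entries, and the n^(length) cost model, worked through in Python. This is an added example, not code from the article, from LinkedIn or from Ivan Golubev; PBKDF2-HMAC-SHA256 is used as a stand-in for any per-user-salted slow hash, and the account names, list entries, round count and sample passwords are constructed for the demonstration.

```python
"""Added example (not from the article): a single unsalted SHA-1 per password
compared with hashing-and-salting, a local check against the published list
that respects the 00000 masking, and the article's brute-force cost model.
All users, list entries and parameters below are constructed."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Set, Tuple

# --- 1. The scheme the breach exposed: one bare SHA-1 of the password ------

def sha1_hex(password: str) -> str:
    """Single unsalted SHA-1, hex encoded: exactly one digest per password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def unsalted_collision_groups(users: Dict[str, str]) -> Dict[str, List[str]]:
    """Without a salt, every account that chose the same password stores the
    same digest, so identical passwords are visible in a dump before any
    cracking happens, and one guess is checkable against every entry at once."""
    groups: Dict[str, List[str]] = {}
    for user, password in users.items():
        groups.setdefault(sha1_hex(password), []).append(user)
    return {digest: names for digest, names in groups.items() if len(names) > 1}


# --- 2. Hashed *and* salted, with a deliberately slow KDF -------------------
# PBKDF2-HMAC-SHA256 is an illustration here; it is not LinkedIn's new scheme.
ROUNDS = 100_000  # constructed work factor; tune to your hardware


def salted_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh 16-byte random salt per account means two
    users with the same password end up with unrelated digests."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ROUNDS)
    return salt, digest


def verify_salted(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ROUNDS)
    return hmac.compare_digest(candidate, digest)


# --- 3. Checking your own password against the published list, locally -----
MASK_PREFIX = "00000"  # the article notes ~3.5M entries start this way


def looks_already_broken(entry: str) -> bool:
    """Entries whose first five hex digits were zeroed appear to be the ones
    already compromised and broken (the article's observation)."""
    return entry.startswith(MASK_PREFIX)


def leaked_status(password: str, leaked: Set[str]) -> Optional[str]:
    """Hash the password yourself and look it up; nothing leaves the machine.
    A masked entry only matches on its last 35 hex digits, so try both forms."""
    digest = sha1_hex(password)
    if digest in leaked:
        return "listed, not yet broken"
    if MASK_PREFIX + digest[len(MASK_PREFIX):] in leaked:
        return "listed, already broken"
    return None


# --- 4. The article's cost model ------------------------------------------

def expected_crack_seconds(alphabet_size: int, length: int,
                           hashes_per_second: float, fraction: float = 0.5) -> float:
    """Search space is alphabet_size ** length; the article assumes the hit
    lands about halfway through, hence fraction=0.5."""
    return alphabet_size ** length * fraction / hashes_per_second


def hash_operations(n_entries: int, n_guesses: int, salted: bool) -> int:
    """Hash computations needed to try n_guesses against n_entries stored hashes.
    Unsalted: hash each guess once and look it up in the whole set.
    Salted: every (guess, entry) pair costs its own KDF evaluation."""
    return n_guesses * n_entries if salted else n_guesses


if __name__ == "__main__":
    # Constructed sample accounts; two of them picked the same weak password.
    users = {"alice": "password", "bob": "password", "carol": "linkedin"}
    print(unsalted_collision_groups(users))
    leaked = {sha1_hex("linkedin"), MASK_PREFIX + sha1_hex("password")[5:]}
    print(leaked_status("password", leaked), "/", leaked_status("linkedin", leaked))
    print("8 chars, 62 symbols, 2.6e9 H/s: %.1f hours"
          % (expected_crack_seconds(62, 8, 2.6e9) / 3600))
    print("7 chars: %.1f minutes" % (expected_crack_seconds(62, 7, 2.6e9) / 60))
```

With 62 alphanumeric symbols and 2.6 billion hashes per second the model gives just under 12 hours for 8 characters and roughly 11 minutes for 7, which is where the article's "half a day" and "around 15 minutes" come from. The salt does not make any one digest slower to compute; what it removes is the amortisation in `hash_operations`: against a set of unsalted digests each guess is hashed once and checked against all ~3 million entries with a lookup, whereas per-user salts force every entry to be attacked on its own and make precomputed tables useless. That is the reason hashing-and-salting is the fix, and why checking a password against the list should be done locally, as `leaked_status` does, rather than by sending the password anywhere.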
At the end of the day, LinkedIn's breach is serious, but the significance to your personal security is hard to estimate. LinkedIn's blog post is careful to point out email logins weren't published by hackers, but this doesn't exclude them from having this information. LinkedIn hasn't explicitly stated whether email logins were part of the original breach. Hackers could have just chosen to publish the password hashes only.

If email logins were part of the breach, I'd consider every word-based password to be toast. Though, not everyone may be at risk. LinkedIn claims a user base of ~160 million. The published file contains no duplicates, which means we're dealing with ~6.5 million unique passwords. Given the amount of password reuse and poor password choices (e.g. passwordpassword or LinkedIn), it's not improbable every single password was leaked. However, several people converted their password to an SHA-1 hash and told me their password was not on the list.

For those who use random passwords, if it happens to be under 7 characters in length, I'd say you're at risk and need to change your password. Other sites were also reportedly breached (e.g. eHarmony) in what might be related attacks, which is why those profiles too should be updated. If you fall into this camp, we have a recommendation.

While more secure, there's no question that long random passwords are hard to remember. Word-based passwords, though easy to recall, are also very easy to break. There is a way to bridge the gap and get the best of both worlds. Use a mnemonic. Flip open a book, take an uncommon sentence, and use the first character (or second...) of each word. Then, add a number at the end. Thus, "To grunt and sweat under a weary life" from Shakespeare's To Be Or Not To Be becomes "tgasuawl9." This strategy has long been used by security experts for their own passwords, as it's easy to remember and confounds brute-force cracking. Make sure the phrase is longer than 8 words, and you should be good to go.
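The mnemonic rule above ("To grunt and sweat under a weary life" becoming "tgasuawl9"), as an added Python example that is not from the article: it derives the password from the sentence, also supports the "or second" character option, and puts the article's n^(length) search space next to the two- and three-word combinations from the cracking discussion. The word regex, the rule of skipping words too short for the chosen position, the character-class sizes and the 20k-word vocabulary figure are my assumptions.

```python
"""Added example (not from the article): build a mnemonic password from a
sentence the way the article describes, and compare the brute-force search
space it lands in with that of word-based passwords. The regex, the skip rule
for short words, the class sizes and the vocabulary size are assumptions."""
import math
import re

# A "word" is a run of letters, digits or apostrophes; hyphenated compounds
# therefore contribute two characters (design choice).
WORD_RE = re.compile(r"[A-Za-z0-9']+")


def words_of(sentence: str):
    return WORD_RE.findall(sentence)


def mnemonic(sentence: str, position: int = 0, suffix: str = "") -> str:
    """Take character `position` of every word (0 = first, 1 = second, ...),
    lower-cased, and append `suffix`. Words too short to have that position
    are skipped rather than padded, so the result is deterministic."""
    chars = [w[position].lower() for w in words_of(sentence) if len(w) > position]
    return "".join(chars) + suffix


def word_count(sentence: str) -> int:
    """The article's rule of thumb is a phrase of more than 8 words."""
    return len(words_of(sentence))


def charset_size(password: str) -> int:
    """Approximate size of the smallest conventional character class that
    covers the password: lowercase 26, with digits 36, with uppercase 62,
    with any symbol 95 (printable ASCII)."""
    size = 26
    if any(c.isdigit() for c in password):
        size = 36
    if any(c.isupper() for c in password):
        size = 62
    if any(not c.isalnum() for c in password):
        size = 95
    return size


def brute_force_bits(password: str) -> float:
    """log2 of n ** length, the search space the article's formula gives."""
    return len(password) * math.log2(charset_size(password))


def word_combo_bits(n_words: int, vocabulary: int = 20_000) -> float:
    """log2 of the space for n dictionary words drawn from a vocabulary the
    size of the article's conversational English (~20k words)."""
    return n_words * math.log2(vocabulary)


if __name__ == "__main__":
    phrase = "To grunt and sweat under a weary life"
    pw = mnemonic(phrase, suffix="9")
    print(pw, "from", word_count(phrase), "words")
    print("first letters + digit: %.1f bits" % brute_force_bits(pw))
    print("second letters: %s" % mnemonic(phrase, position=1))
    print("two words: %.1f bits, three words: %.1f bits"
          % (word_combo_bits(2), word_combo_bits(3)))
```

For the Shakespeare phrase the result is "tgasuawl9", which sits in a 36^9 space (about 46.5 bits), above the roughly 43 bits of any three-word combination from a 20k-word vocabulary; the second-letter variant gives a different password from the same sentence, and `word_count` lets you apply the article's length rule before settling on a phrase.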
Update: Check To See If Your Password Has Been Compromised

Users at risk have been notified, but it's very likely the hackers have more passwords. If you'd rather not wait for the websites to notify you of a breach, you can check if your LinkedIn or eHarmony passwords have been compromised via LastPass: LinkedIn: https://lastpass.com/linkedin/ eHarmony: https://lastpass.com/eharmony/