'LeakedIn' web app checks for compromised LinkedIn passwords by ferujkll sdff
A New York-based web developer and his colleagues have built a web-based application for people to see if their LinkedIn password hash is among 6.5 million released on a Russian hacker forum. The password breach, revealed on Wednesday, is significant due to the detailed personal data stored by LinkedIn and the chance for hackers to spear phish high-level executives or spread malicious links. LinkedIn is telling some users to reset their passwords, but there is another way for users to see if their account was compromised.

LeakedIn converts a person's clear-text password into its corresponding cryptographic representation using the SHA-1 algorithm, which was stored by LinkedIn. It does that conversion in the browser using JavaScript and does not transmit the password elsewhere, wrote one of LeakedIn's developers, Chris Shiflett, on his blog.

LeakedIn then checks to see if the hash is on the list of breached passwords. Not all of the hashes in the list have been converted to original passwords yet, but it is likely hackers are working on it. Shiflett wrote that "I discovered that my password was not only one of the 6.5 million that had been leaked, it was also among those that had been cracked. I was a victim."

Password hashes can be converted to plain text by using powerful graphics processors and free password cracking tools such as "John the Ripper," which can be used with a regular PC, and "oclHashcat." How long that process takes depends on the passwords' complexity. Those cracking applications use word lists compiled from other password breaches in so-called dictionary attacks, which seek to match already computed hashes with those on the new list. Another method is a brute-force attack in which the programs rapidly try different password combinations in the hope of finding a matching hash.
Brute-force attacks are more time consuming for longer passwords that contain a mix of capital letters and symbols. Robert David Graham, CEO of the security consultancy Errata Security, wrote that each letter of a password has 100 possible combinations, composed of either upper or lower case letters, digits or symbols. A five-letter password would have 10 billion possible combinations and could be cracked in five seconds using a top-of-the-line Radeon HD 7970 graphics processor. A six-letter password would take a little over seven seconds, but a seven-letter password would take 13 hours, Graham wrote. Eight characters pushes the time up to 57 days, with a nine-character password taking up to 15 years.
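The estimates above follow from two figures the article gives: 100 candidate symbols per character position, and 10 billion guesses finishing in five seconds for a five-character password (an implied rate of two billion guesses per second). The script below is an added example, not code from the article or from Errata Security; it derives the worst-case exhaustion time for each length from those two stated assumptions and renders it in a readable unit, so a defender can see how each extra character multiplies the attacker's work by 100.

```javascript
// Added example: worst-case brute-force time under the article's model.
// Assumptions (both taken from the page): 100 symbols per position, and a
// five-character keyspace (10^10 guesses) exhausted in 5 seconds on one GPU.
const SYMBOLS_PER_POSITION = 100;
const BASELINE_LENGTH = 5;
const BASELINE_SECONDS = 5;

// Number of candidate passwords of the given length.
function keyspace(length) {
  return Math.pow(SYMBOLS_PER_POSITION, length);
}

// Guess rate implied by the baseline: 10^10 / 5 s = 2e9 guesses per second.
function guessesPerSecond() {
  return keyspace(BASELINE_LENGTH) / BASELINE_SECONDS;
}

// Seconds needed to try every candidate of the given length at that rate.
function secondsToExhaust(length) {
  return keyspace(length) / guessesPerSecond();
}

// Render a duration using the largest unit that fits (one decimal place).
function describe(seconds) {
  const units = [
    ['years', 365.25 * 24 * 3600],
    ['days', 24 * 3600],
    ['hours', 3600],
    ['minutes', 60],
    ['seconds', 1],
  ];
  for (const [name, size] of units) {
    if (seconds >= size) {
      return `${(seconds / size).toFixed(1)} ${name}`;
    }
  }
  return `${seconds.toFixed(3)} seconds`;
}

// Build the length-vs-time table for a range of password lengths.
function estimateTable(minLen = 5, maxLen = 9) {
  const rows = [];
  for (let n = minLen; n <= maxLen; n++) {
    const s = secondsToExhaust(n);
    rows.push({ length: n, seconds: s, human: describe(s) });
  }
  return rows;
}

// Stand-alone run: print the table for 5 to 9 characters.
for (const row of estimateTable()) {
  console.log(`${row.length} characters: ${row.human}`);
}
```

The model counts only the size of the keyspace; it says nothing about passwords drawn from dictionaries, which the article notes are tried first and fall regardless of length.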
"In other words, if your password was seven letters, the hacker has already cracked it, but if it's nine letters, it's too difficult to crack with brute force," Graham wrote. Many of the hashes in the dump have five zeros as the first five characters of the hash. Graham wrote that some people "think that this means that the hacker has already cracked any passwords that have been zeroed out this way." LinkedIn did not "salt" its hashes, which involves inserting random characters into the hash that make it more difficult for people trying a brute-force attack. The company said it is now salting hashes.
Security vendor Sophos said it determined there were 5.8 million unique hashes out of the 6.5 million released after duplicates were eliminated. Of those 5.8 million, some 3.5 million hashes, or about 60 percent, had been successfully brute forced, wrote Chester Wisniewski, senior security advisor. Sophos compared the passwords used for LinkedIn with those used by the Conficker worm to spread through network drives. All but two of the simple passwords used by Conficker were also used by LinkedIn users, Wisniewski wrote. LinkedIn uses a person's email address as part of its sign-in process, and it's not known if the hackers also have those addresses, which would make the breach even more severe since it would allow them to directly access a person's account.
LinkedIn will have to release more information in order to restore the confidence of its users, said Cameron Camp, a security researcher with the security company ESET in San Diego. "It will be very interesting to see in the next two to three days to see what LinkedIn says," Camp said. Send news tips and comments to jeremy_kirk@idg.com.