LinkedInSucks found in LinkedIn leaked password list... shocker...

Big news from the leading source of spam career opportunity e-mails: LinkedIn has lost over 8 million passwords, a large chunk of which has been leaked on the internet via a Russian hacker forum. The file that is circulating only contains about 6.5 million records, but it’s still enough to give me the willies. It turns out that these passwords are hashed with plain SHA-1 (hashing, not encryption; there is no key to keep secret, so anyone can compute the same hash from the same input), and there is no salt. Without a salt, every user who picked “password” has exactly the same hash, and an attacker only has to hash each guess once to test it against all 6.5 million records at the same time, whether from a precomputed rainbow table or a plain dictionary run. The fact that this list is available on the internet means that there are A LOT of computers now actively working on it. The hashes are in hex, and a large share of them have their first five characters replaced with zeros. Some engineer wasn’t smart enough to know how to properly salt a password, so they intended on “securing” them by zeroing out part of the hash. Unfortunately, that’s not smart enough to beat even the lamest hacker: the remaining 35 hex characters are more than enough to confirm a guess.

Luckily, there are helpful people around the web looking to help you out to see if your password is in the list.

http://kryogenix.org/days/2012/06/06/how-i-checked-whether-my-linkedin-password-was-leaked

This website gives a detailed example of how to test your password using the Unix command line.

http://leakedin.org/

LeakedIn.org lets you type your password and then checks whether it’s in the database. I don’t think that’s such a good idea. I’m sure they don’t have any malicious intent, however, the site is served over plain HTTP with no TLS, so the password you type crosses the network in the clear and could be intercepted by anyone on the path fairly simply. Even over a proper HTTPS connection you would still be handing your password to a third party you have no reason to trust.

The way I checked my password was the following tool built by a friend of a member of the Ubuntu Michigan LoCo:

https://github.com/hungtruong/LinkedIn-Password-Checker/tree/

You’ll need python installed on your computer.

Essentially, you run “python linkedin.py”, it prompts you for your password, computes its SHA-1 hash, and then crawls through the txt file of leaked hashes looking for that hash (the file holds hashes, not passwords, so the tool has to hash your password the same way LinkedIn did). If it finds it, it tells you it’s in there; otherwise it informs you it is not. What I like about this tool is that it runs on your computer and makes no server connections at all: your password never leaves the machine.
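To make the two points above concrete (why an unsalted SHA-1 dump is so easy to attack, and what a local checker like the script above actually has to do), here is an added example of my own, not the code from the GitHub tool or anything LinkedIn published. It hashes a candidate password, looks it up in a dump both as-is and with the first five hex characters zeroed (the masked form a large part of the leaked file uses), and runs a small dictionary attack to show that one hash computation per guess covers every record at once. The dump embedded in it is constructed from the passwords listed in this post, not a slice of the real file; the function names, the sample wordlist and the choice of five zeros as the mask width are my assumptions.

```python
import hashlib
import sys
import getpass

MASK_ZEROS = 5  # assumption: the leaked file zeroes the first five hex chars


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 of the password, lower-case hex, as LinkedIn stored it."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def mask_prefix(hash_hex: str, zeros: int = MASK_ZEROS) -> str:
    """Return the hash with its first `zeros` hex characters replaced by '0'."""
    return "0" * zeros + hash_hex[zeros:]


# Constructed sample dump in the same shape as the leaked file: one 40-char
# hex SHA-1 per line, some of them masked. Built from passwords quoted in
# this post; no real user's hash is reproduced here.
SAMPLE_DUMP = "\n".join([
    sha1_hex("snickerdoodles"),
    mask_prefix(sha1_hex("password")),
    sha1_hex("linkedinsucks"),
    mask_prefix(sha1_hex("trustno1")),
    sha1_hex("correct horse battery staple"),
]) + "\n"


def load_dump(text: str):
    """Split dump lines into (exact, masked) sets; skip anything not 40 hex chars."""
    exact, masked = set(), set()
    for line in text.splitlines():
        h = line.strip().lower()
        if len(h) != 40 or any(c not in "0123456789abcdef" for c in h):
            continue
        # A hash that genuinely starts with 00000 is indistinguishable from a
        # masked one, so it lands in the masked set and is matched there.
        (masked if h.startswith("0" * MASK_ZEROS) else exact).add(h)
    return exact, masked


def check_password(password: str, dump_text: str = SAMPLE_DUMP):
    """Return 'exact', 'masked' or None depending on how the password matches."""
    exact, masked = load_dump(dump_text)
    h = sha1_hex(password)
    if h in exact:
        return "exact"
    if mask_prefix(h) in masked:
        return "masked"
    return None


def crack_dump(dump_text: str, wordlist):
    """Dictionary attack on an unsalted dump.

    Each word is hashed exactly once and compared against every record, which
    is why the lack of a salt matters: the cost is per guess, not per user.
    Returns {hash_as_it_appears_in_dump: password}.
    """
    exact, masked = load_dump(dump_text)
    found = {}
    for word in wordlist:
        h = sha1_hex(word)
        if h in exact:
            found[h] = word
        m = mask_prefix(h)
        if m in masked:
            found[m] = word
    return found


def salted_sha1_hex(password: str, salt: bytes) -> str:
    """Per-user salt: same password, different salt, different hash.

    This defeats rainbow tables and the one-hash-per-guess attack above; a
    slow KDF (bcrypt/scrypt) is what you would actually deploy on top of it.
    """
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Optional: pass a path to a real dump file; otherwise use the sample.
    dump = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUMP
    pw = getpass.getpass("Password to check (never sent anywhere): ")
    result = check_password(pw, dump)
    print("FOUND (%s match)" % result if result else "not found")
```

Run it with no arguments to check against the embedded sample, or with the path to a dump file. Nothing is sent over the network; the only thing that ever touches the password is the local SHA-1 call.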

I had a little fun with this little script. Luckily, none of my passwords were found in the list, but I deleted my account anyway. I then went through and tested some other passwords. Here are some doozies that were found (the ones marked with * are on the most common password lists: http://techland.time.com/2011/11/22/the-25-most-popular-and-worst-passwords-of-2011/ ):

  • snickerdoodles
  • password*
  • password1234*
  • linkedinrules
  • linkedinsucks
  • mypassword
  • iamgod
  • abc123*
  • summer
  • 123456*
  • 12345678*
  • qwerty*
  • monkey*
  • letmein*
  • trustno1*

The point is, people use really bad passwords… all the time. People really need to start learning how to secure themselves, because these companies don’t care… at all… about your security. LinkedIn hasn’t even posted an update in hours about the breach… how it happened… nothing. The last post I’ve seen that has anything to do with the breach says:

Our security team continues to investigate this morning’s reports of stolen passwords. At this time, we’re still unable to confirm that any security breach has occurred. You can stay informed of our progress by following us on Twitter @LinkedIn and @LinkedInNews.

This from: http://blog.linkedin.com/2012/06/06/updating-your-password-on-linkedin-and-other-account-security-best-practices/

I’m sorry, but if the passwords “linkedinrules” and “linkedinsucks” are in there, you better be sure as shit that it has to do with your site, and a breach occurred. Stop keeping us in the dark douchemonkies.

I’ll keep this post updated as I hear more. Just stay safe, people. Use strong passwords. Change them regularly, and SERIOUSLY, don’t use anything on the worst-password lists!