LinkedIn, the popular networking site, was hacked and more than 6 million passwords were leaked. The breach was confirmed today.
It took only minutes for the full dump of hashes to spread virally (combo_not.zip).
The decompressed file weighs 258 MB and contains 6458019 lines of hashed passwords.
LinkedIn hashed the passwords (meaning they stored a one-way hash of each plaintext string rather than the string itself) but did not apply any other level of protection, in particular no salting, so every user who chose the same password ended up with the same hash.
For example, the password ‘password’ was stored as e4c9b93f3f0682250b6cf8331b7ee68fd8 (SHA-1).
It is trivial to recover the original (clear text) password from an unsalted hash like this using tools such as hashcat.
It is quite interesting to look at the passwords people use; it reveals a lot about human nature. Warning, coarse language ahead!
LinkedIn announced that they are taking immediate action by blocking accounts that have been affected as well as introducing new security measures (in the form of salting their stored password hashes).
This is a reminder that there is no total security. However, strong passwords are still a great protection. To recover the plaintext behind those hashes, attackers run a ‘wordlist’ or dictionary attack: every candidate word is hashed and compared against the dump. That means if your password was weak (in a wordlist), it will be uncovered in seconds. If your password was fairly complex, it will take attackers a lot of pain and effort to crack it.
On that topic, we should change the word password to passphrase. The term is so much more meaningful and shows that actual phrases such as ‘Jimmylovescarsespeciallyatnightonchannel99’ are so hard to crack versus your typical password.
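To make the salting and dictionary points above concrete, here is an added example (not code from the original post) that hashes a constructed three-user sample both the way LinkedIn did (bare SHA-1) and with a hypothetical per-user random salt, then runs the same small wordlist check over both and counts the hashing work each requires; the full SHA-1 of ‘password’ is 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8, of which the post quotes the trailing digits.

```python
import hashlib
import os

def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()

def hash_unsalted(password: str) -> str:
    """What the post describes: a bare SHA-1 of the plaintext."""
    return sha1_hex(password.encode("utf-8"))

def hash_salted(password: str, salt: bytes) -> str:
    """Hypothetical salted variant: a per-user random salt mixed in before hashing.
    (A real deployment would also use a slow hash such as PBKDF2 or bcrypt.)"""
    return sha1_hex(salt + password.encode("utf-8"))

def audit_unsalted(hashes, wordlist):
    """Check a set of unsalted hashes against a wordlist.
    One table of len(wordlist) hashes serves the whole dump, whatever its size."""
    table = {hash_unsalted(w): w for w in wordlist}
    found = {h: table[h] for h in hashes if h in table}
    return found, len(wordlist)

def audit_salted(records, wordlist):
    """records: list of (salt, hash). Each word must be re-hashed for every user,
    so the work grows to len(wordlist) * len(records) and no table can be shared."""
    found, work = {}, 0
    for salt, h in records:
        for w in wordlist:
            work += 1
            if hash_salted(w, salt) == h:
                found[h] = w
                break
    return found, work

# Constructed sample data: two users chose "password", one chose a passphrase.
USERS = {"alice": "password", "bob": "password",
         "carol": "Jimmylovescarsespeciallyatnightonchannel99"}
WORDLIST = ["123456", "password", "linkedin", "qwerty"]   # constructed wordlist

def demo():
    unsalted = {u: hash_unsalted(p) for u, p in USERS.items()}
    salts = {u: os.urandom(16) for u in USERS}
    salted = [(salts[u], hash_salted(p, salts[u])) for u, p in USERS.items()]
    found_u, work_u = audit_unsalted(set(unsalted.values()), WORDLIST)
    found_s, work_s = audit_salted(salted, WORDLIST)
    return {
        "same_password_same_unsalted_hash": unsalted["alice"] == unsalted["bob"],
        "same_password_same_salted_hash": salted[0][1] == salted[1][1],
        "unsalted_cracked": len(found_u), "unsalted_work": work_u,
        "salted_cracked": len(found_s), "salted_work": work_s,
    }
```

Note that salting does not rescue a weak password (both ‘password’ users are still found); it removes the shared lookup table and makes the attacker pay per user, which is why the passphrase advice still matters.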