'LeakedIn' web app checks for compromised LinkedIn passwords

It is believed millions of the LinkedIn password hashes have been cracked, putting users at risk

A New York-based web developer and his colleagues have built a web-based application for people to see if their LinkedIn password hash is among 6.5 million released on a Russian hacker forum.

The password breach, revealed on Wednesday, is significant due to the detailed personal data stored by LinkedIn and the chance for hackers to spear phish high-level executives or spread malicious links.

LinkedIn is telling some users to reset their passwords, but there is another way for users to see if their account was compromised.

LeakedIn computes the SHA-1 hash of the password a user types, the same unsalted representation LinkedIn stored, and it does so in the browser with JavaScript; the password itself is never transmitted anywhere, wrote one of LeakedIn's developers, Chris Shiflett, on his blog.

LeakedIn then checks whether that hash appears in the list of leaked hashes. Not all of the hashes in the list have been cracked back to their original passwords yet, but it is likely hackers are working on it. Shiflett wrote that "I discovered that my password was not only one of the 6.5 million that had been leaked, it was also among those that had been cracked. I was a victim."

A hash cannot be reversed, but the password behind it can be recovered by guessing: cracking tools hash candidate passwords and compare the results against the leaked hashes. Free tools such as "John the Ripper," which runs on an ordinary PC, and "oclHashcat," which harnesses powerful graphics processors, do this at high speed. How long the process takes depends on the complexity of the passwords.

Those tools use word lists compiled from earlier password breaches in so-called dictionary attacks: each word is hashed and the result compared against the new list. The other approach is a brute-force attack, in which the program rapidly tries every possible combination of characters in the hope of producing a matching hash. Brute force becomes far slower as passwords get longer and draw on a larger set of characters, such as a mix of upper-case letters, digits and symbols.

Robert David Graham, CEO of the security consultancy Errata Security, wrote that each character of a password has roughly 100 possible values, drawn from upper- and lower-case letters, digits and symbols. A five-character password therefore has 100^5, or 10 billion, possible combinations, which a top-of-the-line Radeon HD 7970 graphics processor could exhaust in about five seconds, which implies a rate of roughly 2 billion SHA-1 hashes per second.

Each additional character multiplies the work by about 100: a six-character password would take a little over seven minutes, a seven-character password 13 hours, eight characters 57 days and nine characters up to 15 years, Graham wrote.

"In other words, if your password was seven letters, the hacker has already cracked it, but if it's nine letters, it's too difficult to crack with brute force," Graham wrote.

Many of the hashes in the dump have five zeros in place of the first five characters of the hash. Graham wrote that some people "think that this means that the hacker has already cracked any passwords that have been zeroed out this way."

LinkedIn did not "salt" its hashes. A salt is a random value, unique to each account, that is combined with the password before hashing and stored alongside the result. Because identical passwords then produce different hashes, an attacker can no longer crack every account sharing a password in one pass or use hashes precomputed from a word list. The company said it is now salting its hashes.

Security vendor Sophos said it determined there were 5.8 million unique hashes out of the 6.5 million released after duplicates were eliminated. Of those 5.8 million, some 3.5 million hashes or about 60 percent had been successfully brute forced, wrote Chester Wisniewski, senior security advisor.

Sophos also compared the LinkedIn passwords with the list of weak passwords the Conficker worm used to guess its way onto network shares. All but two of the passwords on Conficker's list were also in use by LinkedIn users, Wisniewski wrote.

LinkedIn uses a person's email address as the account's sign-in name, and it is not known whether the hackers also have those addresses. If they do, the breach is far more severe, since a cracked password paired with its email address would let them log straight into the account. LinkedIn will have to release more information in order to restore the confidence of its users, said Cameron Camp, a security researcher with the security company ESET in San Diego.

"It will be very interesting in the next two to three days to see what LinkedIn says," Camp said.

Send news tips and comments to jeremy_kirk@idg.com

Jeremy Kirk

IDG News Service