
8 million leaked passwords connected to LinkedIn, dating website (ars technica)

Ars technica reports that a cracker has posted 8 million cryptographic hashes to the Internet that appear to belong to users of LinkedIn and also a popular dating website. "The massive dumps over the past three days came in postings to user forums dedicated to password cracking at insidepro.com. The bigger of the two lists contains almost 6.46 million passwords that have been converted into hashes using the SHA-1 cryptographic function. They use no cryptographic "salt," making the job of cracking them considerably faster. Rick Redman, a security consultant who specializes in password cracking, said the list almost certainly belongs to LinkedIn because he found a password in it that was unique to the professional social networking site. Robert Graham, CEO of Errata Security said much the same thing, as did researchers from Sophos. Several Twitter users reported similar findings." If you have an account on LinkedIn you should probably change your password.

8 million leaked passwords connected to LinkedIn, dating website (ars technica)

Posted Jun 6, 2012 20:01 UTC (Wed) by cjb (guest, #40354) [Link]

> If you have an account on LinkedIn you should probably change your password.

... but not necessarily on LinkedIn's site itself -- at least if you want to reuse the same password anywhere else -- because they've apparently been hacked without having any knowledge of it ("unable to confirm that any security breach has occurred"), which means they might still be compromised.

8 million leaked passwords connected to LinkedIn, dating website (ars technica)

Posted Jun 6, 2012 20:16 UTC (Wed) by liw (subscriber, #6379) [Link]

Don't reuse passwords. Use a password safe program so it's mostly painless to have a unique, strong password everywhere.

8 million leaked passwords connected to LinkedIn, dating website (ars technica)

Posted Jun 6, 2012 20:21 UTC (Wed) by hitmark (guest, #34609) [Link]

That relies on being able to keep the data files storing all those passwords safe. And not just from outside threats but also hardware and software failure.

8 million leaked passwords connected to LinkedIn, dating website (ars technica)

Posted Jun 6, 2012 20:24 UTC (Wed) by ms (subscriber, #41272) [Link]

Then use something like oplop.

8 million leaked passwords connected to LinkedIn, dating website (ars technica)

Posted Jun 6, 2012 20:47 UTC (Wed) by drag (subscriber, #31333) [Link]

> That relies on being able to keep the data files storing all those passwords safe. And not just from outside threats but also hardware and software failure.

If an attacker has access to your user account then they have access to your passwords. It doesn't matter if you type them in, use an encrypted store on a keyring, a spreadsheet on a truecrypt encrypted USB drive, ssh private/public keys, have your browser store them, or use a plain text file at ~/.secret. If you use it and can access it from your user account then the attacker can access it too.

Really, though, using a password management mechanism of some sort is extremely advantageous. Once you stop needing to memorize your passwords it's very easy to use unique, long, and very random ones.

8 million leaked passwords connected to LinkedIn, dating website (ars technica)

Posted Jun 7, 2012 0:06 UTC (Thu) by flammon (guest, #807) [Link]

I use Revelation for that and have a few backups of the file on different systems.

8 million leaked passwords connected to LinkedIn, dating website (ars technica)

Posted Jun 7, 2012 14:45 UTC (Thu) by proski (subscriber, #104) [Link]

I use Revelation too and I'm looking for an alternative. The problem with Revelation is that it keeps all data in one binary file. There is no automatic way to merge changes made on different systems.

8 million leaked passwords connected to LinkedIn, dating website (ars technica)

Posted Jun 7, 2012 14:44 UTC (Thu) by NAR (subscriber, #1313) [Link]

I've downloaded Bruce Schneier's password manager, used a new safe password, added some passwords to the tool - and the next week when I tried to access it, I forgot the master password :-( The problem of rarely used passwords.

By the way, currently I need two passwords (disk encryption, login) on my windows laptop to get to a point where I can start the password manager. Life sucks.

Don't reuse passwords

Posted Jun 7, 2012 11:34 UTC (Thu) by dskoll (subscriber, #1630) [Link]

Absolutely, one should never use the same password for two different sites.

I go in assuming that web sites are ripe for compromise (present company excepted, of course!) so to contain the damage, I use long (16 character or more) randomly-generated passwords. I only use shorter ones for the occasional broken web site that won't take such a long password.

And like others, I use a password keeper to store my passwords. I only need to remember the master passphrase.

True, a hacker who has access to my computer could steal my passwords. But my one little desktop computer presents a much smaller vulnerability surface than a bunch of high-profile web sites, so I think the tradeoff is worth it.

Don't reuse passwords

Posted Jun 12, 2012 0:35 UTC (Tue) by nevets (subscriber, #11875) [Link]

> Absolutely, one should never use the same password for two different sites.

Why not? I have the same password for facebook and google.plus. I have the same password for LWN and /. (but different than FB and G+, and now the LWN admins know my /. account ;-)

And I use the same password for all those stupid 'register here' crap (NY Times, etc). Thus if you break into one of my accounts for posting on a news site, you can pretty much post as me on all news sites.

But do I really care? No.

My bank password is unique, my VPN password is unique, basically I have a separate password for every thing that actually matters. If I had a linkedin account (which I don't and delete once a week a new 'invite'), it probably would have been the same as my FB account, or my news account. Thus this break-in would only allow the attacker to mess with my virtual identities but not any of my real ones.

Don't reuse passwords

Posted Jun 12, 2012 19:12 UTC (Tue) by hummassa (subscriber, #307) [Link]

> Why not? I have the same password for facebook and google.plus. I have the same password for LWN and /. (but different than FB and G+, and now the LWN admins know my /. account ;-)

_Now_ G+ admins and FB admins know your account on each other...

8 million leaked passwords connected to LinkedIn, dating website (ars technica)

Posted Jun 6, 2012 20:31 UTC (Wed) by mattdm (subscriber, #18) [Link]

The hash matching the password I used is in the list. I happened to use a 10 character password chosen fully-randomly from letters, digits, and punctuation, so the chance of a coincidental match is quite low.

8 million leaked passwords connected to LinkedIn, dating website (ars technica)

Posted Jun 6, 2012 20:59 UTC (Wed) by richmoore (guest, #53133) [Link]

How did you verify this? e.g. echo -n 'password' | sha1sum?

8 million leaked passwords connected to LinkedIn, dating website (ars technica)

Posted Jun 6, 2012 21:09 UTC (Wed) by mattdm (subscriber, #18) [Link]

More exactly,

echo -n ']8:b-HG;!C' | sha1sum

:)

8 million leaked passwords connected to LinkedIn, dating website (ars technica)

Posted Jun 8, 2012 15:55 UTC (Fri) by nevyn (guest, #33129) [Link]

8 million leaked passwords connected to LinkedIn, dating website (ars technica)

Posted Jun 6, 2012 22:34 UTC (Wed) by geuder (subscriber, #62854) [Link]

Yes, my linkedin (now ex-) password's hash is on the list. Not a very secure password (only lowercase letters), but 9 letters long and it should not be in any dictionary of any language. I deem it pretty unlikely that anybody else would have used the same one on any site. Luckily neither the password nor the email address is in use anywhere else. So let's see whether it will start to get spam.

One guy tweeted that he found his old password he had changed months ago. If that's true the crackers did not get the hashes just for the fun of succeeding and the reputation. They obviously took their time to (mis)use some of them.

8 million leaked passwords connected to LinkedIn, dating website (ars technica)

Posted Jun 6, 2012 22:34 UTC (Wed) by endecotp (guest, #36428) [Link]

I just assume that all passwords I use on the internet are public knowledge. Doesn't everyone? I mean, none of this stuff actually matters, does it? It's not as if it were actually "real life"...

8 million leaked passwords connected to LinkedIn, dating website (ars technica)

Posted Jun 6, 2012 23:49 UTC (Wed) by theophrastus (guest, #80847) [Link]

(..?)
why you're absolutely correct!
what's the password to your bank account again? i seem to have forgot it.

8 million leaked passwords connected to LinkedIn, dating website (ars technica)

Posted Jun 7, 2012 1:50 UTC (Thu) by Trelane (subscriber, #56877) [Link]

One.
Two.
Three.
Four...

Five.

8 million leaked passwords connected to LinkedIn, dating website (ars technica)

Posted Jun 7, 2012 8:13 UTC (Thu) by dgm (subscriber, #49227) [Link]

That password would make my admin just happy.

Uppercase letters: check
lowercase letters: check
punctuation: check
digits: check, I guess...

8 million leaked passwords connected to LinkedIn, dating website (ars technica)

Posted Jun 7, 2012 16:53 UTC (Thu) by endecotp (guest, #36428) [Link]

> what's the password to your bank account again?

My bank doesn't have a password; instead, you need to know a 4-digit PIN, and various easily-discovered facts like the name of my first school.

8 million leaked passwords connected to LinkedIn, dating website (ars technica)

Posted Jun 8, 2012 11:24 UTC (Fri) by AndreE (guest, #60148) [Link]

So your bank account password isn't important? Or do you use a magical bank that isn't part of "real life"?

8 million leaked passwords connected to LinkedIn, dating website (ars technica)

Posted Jun 9, 2012 0:37 UTC (Sat) by martinfick (subscriber, #4455) [Link]

Not if it can be changed by anyone who knows the details he just mentioned. Which is why backup questions are the dumbest things ever. You only have to compromise the weakest link. It doesn't matter how strong your password is if anyone can change it with knowledge of "unchangeable pseudo secrets" about yourself. If I care about security on a site, I would never answer those questions with anything but a random answer (just record it in a safe place).

8 million leaked passwords connected to LinkedIn, dating website (ars technica)

Posted Jun 6, 2012 22:51 UTC (Wed) by Zizzle (guest, #67739) [Link]

Has there been an official communication from LinkedIn?

I don't see anything in my inbox from them. Seems like poor form on their part.

I'll wait to see what they say, but unsalted password hashes - I think I might close my account.

8 million leaked passwords connected to LinkedIn, dating website (ars technica)

Posted Jun 7, 2012 11:38 UTC (Thu) by pboddie (guest, #50784) [Link]

On the blog? How professional! They could have easily punctuated their daily "do you know/are you interested in/check out the founder's new book" spams with an acknowledgement of the situation.

What's the point...

Posted Jun 6, 2012 23:37 UTC (Wed) by daney (subscriber, #24551) [Link]

What are they going to do with all these passwords?

1) Send me some additional Job Offer spam?

2) Deface my profile?

3) ????

4) Profit!

I guess I don't get it. What is step 3 supposed to be?

It is slightly ironic that this would happen to the 'Facebook for professionals'.

What's the point...

Posted Jun 7, 2012 0:01 UTC (Thu) by SEJeff (subscriber, #51588) [Link]

How about see if the password for your email is the same and perhaps social engineer from there? For many people, it wouldn't be so hard.

What's the point...

Posted Jun 7, 2012 2:12 UTC (Thu) by tetromino (subscriber, #33846) [Link]

> Send me some additional Job Offer spam?

More likely they will use your account to send spam and malware links to others. Also, they will be able to see any non-public information in your profile, which may be useful for spear-phishing attacks.

What's the point...

Posted Jun 7, 2012 18:35 UTC (Thu) by dlang (subscriber, #313) [Link]

there has been a lot of linkedin related phishing going on over the last few months in any case.

What's the point...

Posted Jun 11, 2012 14:28 UTC (Mon) by nix (subscriber, #2304) [Link]

> More likely they will use your account to send spam

... which is distinguishable from what LinkedIn normally does how? (There's a reason all email from LinkedIn is rejected by my MTA.)

What's the point...

Posted Jun 7, 2012 2:41 UTC (Thu) by decaffeinated (subscriber, #4787) [Link]

I know the answer to this one:

a) suppose you chose a standard username for all of the accounts that you care about (could be, for example, your e-mail addr).

b) suppose you used the same password for all of the accounts that you care about.

Suppose all of the accounts that you care about include:

linkedin.com
your_cking_acct.com
your_brokerage_acct.com

Ooops. Okay...I know LWN readers don't do this, but I'll bet other netizens do.

What's the point...

Posted Jun 10, 2012 10:04 UTC (Sun) by nicolas@jungers (subscriber, #7579) [Link]

Well, my slashdot account and my (now cancelled) LinkedIn account share the same password, and... my LWN account.

What's the point...

Posted Jun 7, 2012 4:40 UTC (Thu) by dirtyepic (subscriber, #30178) [Link]

Send invites from compromised accounts to non-members in order to acquire fresh passwords? Or is it a coincidence that I've received 6 of these emails in the last 3 days (up from 0).

What's the point...

Posted Jun 7, 2012 9:28 UTC (Thu) by DavidS (guest, #84675) [Link]

That might also be all those who never look at their linkedin profile, now change their password and notice that, oh! look, I could invite someone!

8 million leaked passwords connected to LinkedIn, dating website (ars technica)

Posted Jun 7, 2012 13:31 UTC (Thu) by slashdot (guest, #22014) [Link]

Having a hash of one of your passwords distributed is totally harmless if it was a long randomly-generated password as it should be.

Of course they might have got cleartext passwords as well since they compromised their systems, and that would be a good reason for changing.

8 million leaked passwords connected to LinkedIn, dating website (ars technica)

Posted Jun 7, 2012 22:21 UTC (Thu) by kmself (guest, #11565) [Link]

Not entirely harmless.

It tells the attackers which hashes are of value (e.g.: are used).

Since this hashlist was unsalted, it would also make it possible to compare directly with other unsalted hashes (a too-common occurrence) and determine which hashes were worth attempting to brute force in order to gain access to multiple systems.

I'd strongly recommend changing your password for something long, random, and unique.
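The point made in the news item and in this comment (unsalted SHA-1 hashes are directly comparable across sites and checkable with a one-liner like `echo -n 'password' | sha1sum`, while per-user salts break that), as an added example that is not from the LWN item or any commenter; the password, salts and "leaked list" are all constructed inline:

```python
"""Unsalted vs. salted password hashes, written for this LWN thread.

Added example, not from the page or any commenter. Every value below is
constructed here; no real leaked data is used.
"""
from __future__ import annotations

import hashlib
import os


def unsalted_sha1(password: str) -> str:
    """What the leaked LinkedIn list held: SHA-1 of the bare password.
    Same result as: echo -n '<password>' | sha1sum"""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256): the
    storage scheme the comments say LinkedIn should have used."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, iterations).hex()


def hash_in_leak(password: str, leaked_hashes: set[str]) -> bool:
    """The check mattdm ran with sha1sum: is my own password's unsalted
    SHA-1 present in a leaked hash list? (Only works because no salt.)"""
    return unsalted_sha1(password) in leaked_hashes


def same_password_across_dumps(hash_a: str, hash_b: str) -> bool:
    """Two unsalted dumps compare directly: equal hash, equal password."""
    return hash_a == hash_b


# Constructed scenario: one user reuses a single password on two sites.
PASSWORD = "correct horse"  # constructed sample, not a real password

# Both sites store unsalted SHA-1: their dumps contain the identical hash,
# so a match links the two accounts without cracking anything.
SITE_A_UNSALTED = unsalted_sha1(PASSWORD)
SITE_B_UNSALTED = unsalted_sha1(PASSWORD)

# With independent random salts the same password yields unrelated hashes:
# a leak from one site says nothing about the other, and a precomputed
# table of SHA-1(password) values is useless against either.
SALT_A, SALT_B = os.urandom(16), os.urandom(16)
SITE_A_SALTED = salted_hash(PASSWORD, SALT_A)
SITE_B_SALTED = salted_hash(PASSWORD, SALT_B)

# Constructed stand-in for a leaked hash list (three sample strings).
LEAKED = {unsalted_sha1(p) for p in ("sample one", "sample two", PASSWORD)}


if __name__ == "__main__":
    print("unsalted hashes equal across sites:",
          same_password_across_dumps(SITE_A_UNSALTED, SITE_B_UNSALTED))
    print("salted hashes equal across sites:  ",
          same_password_across_dumps(SITE_A_SALTED, SITE_B_SALTED))
    print("my password's SHA-1 is in the leak:", hash_in_leak(PASSWORD, LEAKED))
```

The salted branch still lets the site verify a login (recompute `salted_hash` with the stored salt), which is why the salt costs the defender nothing.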

8 million leaked passwords connected to LinkedIn, dating website (ars technica)

Posted Jun 8, 2012 11:15 UTC (Fri) by dps (subscriber, #5725) [Link]

If I had lots of unique random passwords then I would have to write them down, which is also on the list of things not to do. I, like many other people, reuse a few which I know and should resist dictionary attacks.

Some things are sufficiently important to merit their own password but most don't. You won't find a list of my passwords and where to apply them outside my head but some of those places are easy to guess.

There is no excuse for using plain text or unsalted password hashes. Just because M$ windows uses unsalted plain text equivalent password hashes does not mean you should too.

8 million leaked passwords connected to LinkedIn, dating website (ars technica)

Posted Jun 8, 2012 11:28 UTC (Fri) by paulj (subscriber, #341) [Link]

Writing passwords down is a *good* thing, if it allows you to increase your security. E.g., if you have to choose between re-using passwords across various not-terribly-trustworthy websites OR writing them down so that you can use a unique (preferably random) password for each site, then the latter option is better. Most browsers have password-storage features to make this easier (I don't trust such a feature alone though, I will also write them down elsewhere - having been burned by browsers changing the format of such storage before).

Your memory does not scale. You can only remember a small number of passwords. So you should use these few passwords only for a few of your most sensitive accounts.

8 million leaked passwords connected to LinkedIn, dating website (ars technica)

Posted Jun 8, 2012 19:26 UTC (Fri) by dlang (subscriber, #313) [Link]

relying on the browser to store your passwords only works if you only use one machine/browser to access things.

8 million leaked passwords connected to LinkedIn, dating website (ars technica)

Posted Jun 8, 2012 22:03 UTC (Fri) by paulj (subscriber, #341) [Link]

Browsers can be configured to store passwords on central servers these days.

8 million leaked passwords connected to LinkedIn, dating website (ars technica)

Posted Jun 8, 2012 22:13 UTC (Fri) by dlang (subscriber, #313) [Link]

how much do you trust the provider of that central server?

are you willing to have no access to any of the sites if there is a problem getting to that one server?

8 million leaked passwords connected to LinkedIn, dating website (ars technica)

Posted Jun 8, 2012 23:25 UTC (Fri) by paulj (subscriber, #341) [Link]

I'm willing to trust the operator of that one server, more than any of the many sites that want passwords. I believe they have very good backup systems, however I also have my own local backup.

8 million leaked passwords connected to LinkedIn, dating website (ars technica)

Posted Jun 8, 2012 23:28 UTC (Fri) by dlang (subscriber, #313) [Link]

it's not just having backups, it's keeping your data safe (both from outsiders and insiders)

if someone gets those passwords, they get access to everything.

8 million leaked passwords connected to LinkedIn, dating website (ars technica)

Posted Jun 8, 2012 23:34 UTC (Fri) by paulj (subscriber, #341) [Link]

The servers are run by the same organisations who provide the code for the browsers, that I run and use to access those websites. So I already trust them quite a lot, whether I realise it or not.

8 million leaked passwords connected to LinkedIn, dating website (ars technica)

Posted Jun 8, 2012 23:43 UTC (Fri) by dlang (subscriber, #313) [Link]

trusting them to not have something in the code that sends a copy of the passwords out to them secretly is one thing (especially with people interested in watching what browsers send out, and the code being available for inspection)

trusting them to not have any insiders who would be interested in your bank's account and password, and to keep their systems secure enough to prevent outsiders who are interested in your bank's account and password is something very different.

Yes, I'm one of those paranoid folks who doesn't even let my browser remember passwords locally on my system. :-)

8 million leaked passwords connected to LinkedIn, dating website (ars technica)

Posted Jun 8, 2012 23:54 UTC (Fri) by paulj (subscriber, #341) [Link]

I don't let my browser store credentials for any highly-sensitive web-sites, like online banking (and anyway, my online banking login is deliberately designed so that browser credential-storing can't work). Highly-sensitive credentials like that I keep only in my head.

8 million leaked passwords connected to LinkedIn, dating website (ars technica)

Posted Jun 9, 2012 0:48 UTC (Sat) by martinfick (subscriber, #4455) [Link]

Oh I hate when they do that, etrade used to, but they quit. I complained to them that it actually makes things less secure. I suspect that they eventually agreed.

Seeing as phishing is a very common theme, having to type your password over and over again makes you very susceptible to it. At least when your browser remembers your password you won't likely accidentally type it into a phishing site. If your browser remembers the password for you, and you visit what you think is your commonly accessed site, and your browser does not auto populate your password, it should send up red flags in your head: "why does it not remember my password?" Oh perhaps because I mistyped and that isn't really an etrade url!

8 million leaked passwords connected to LinkedIn, dating website (ars technica)

Posted Jun 11, 2012 8:51 UTC (Mon) by jezuch (subscriber, #52988) [Link]

> Oh perhaps because I mistyped and that isn't really an etrade url!

Then don't type the address? Always access the site via bookmarks or maybe rely on the browser's autocompletion (based on bookmarks and/or browsing history). And, of course, never, ever click on links in email.

8 million leaked passwords connected to LinkedIn, dating website (ars technica)

Posted Jun 9, 2012 15:20 UTC (Sat) by Cyberax (✭ supporter ✭, #52523) [Link]

At least Firefox uses a master password to encrypt password data uploaded to the cloud storage.

8 million leaked passwords connected to LinkedIn, dating website (ars technica)

Posted Jun 8, 2012 18:54 UTC (Fri) by jone (guest, #62596) [Link]

wait .. LinkedIn is a dating site?

8 million leaked passwords connected to LinkedIn, dating website (ars technica)

Posted Jun 8, 2012 19:39 UTC (Fri) by dlang (subscriber, #313) [Link]

no, there were two sites that had their passwords exposed, linkedin and a dating site

8 million leaked passwords connected to LinkedIn, dating website (ars technica)

Posted Jul 2, 2012 20:43 UTC (Mon) by barrygould (guest, #4774) [Link]

_Possibly_ eHarmony, according to the linked article.


Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds