A person on a Russian hacker forum has posted text files containing approximately 6.5 million LinkedIn SHA1 password hashes. What this means is that if you use LinkedIn you should change your password immediately! If you use the same password on other sites, change it there as well, immediately! LinkedIn has tweeted that they are looking into whether or not this file is valid. I can confirm that this password list is indeed a valid list of LinkedIn passwords as my password that I encrypted with SHA1 was in the list. As I use a unique, and very strong, password at each site I visit, I know that this password is only used on LinkedIn. Though the poster has only published the list of password hashes, security researchers are fairly sure that he also holds an unpublished list of the associated user names. Therefore you should not think you're safe just because only the hashes have been published.
As a primer on how passwords are stored and cracked: when you create an account or change your password on LinkedIn, the password is entered as plain text. The web site then takes this password, such as mypassword, and runs it through the SHA1 hash function, which produces a fixed-length digest like 91dfd9ddb4198affc5c194cd8ce6d338fde470e2. Note that this is hashing, not encryption. A hash function is one-way and uses no key, so there is nothing to "decrypt"; the only way back to the password is to guess it. This digest, rather than the password itself, is what LinkedIn stores in its database. The same procedure is used when you log in: the web site hashes the password you enter with SHA1 and compares the result to the digest it previously stored. If the two digests match, it lets you in. The leaked LinkedIn hashes were also unsalted, meaning no per-user random value was mixed in before hashing, so every user who picked mypassword has exactly the same digest in the file.
The problem is that a list of unsalted SHA1 hashes is still vulnerable to brute force and dictionary attacks. In a brute force attack the attacker's program hashes every possible string up to some length; in a dictionary attack it hashes words taken from a dictionary file, which contains millions of common words, names and previously leaked passwords in various languages, usually with "mangling rules" applied (capitalising the first letter, appending digits, swapping letters for symbols). Either way, the program computes the SHA1 hash of each candidate and looks it up in the leaked list. If there is a match, the program outputs the hash and the plaintext that produced it, and the attacker now knows the password you use to log in to the site. Because SHA1 is fast by design and these hashes carry no salt, a single guess can be checked against all 6.5 million hashes at once.
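Here is the whole cycle described in the two paragraphs above, as an added example that is not code from the original post or from LinkedIn: the site storing and checking an unsalted SHA1 digest, the attacker running a small dictionary attack with mangling rules against a copy of the dump, and, going beyond the post, the salted and deliberately slow hash (PBKDF2) that would have made such a leak far less damaging. The user table, the wordlist and the suffix rules are constructed for the demo; the only value taken from the post is the SHA1 digest of mypassword.

```python
"""Unsalted SHA-1 password storage and a dictionary attack against it.

Added example, not code from the original post or from LinkedIn. The user
table, the hash dump and the wordlist are constructed for this demo; the
only value taken from the post is the SHA-1 digest of "mypassword".
"""
import hashlib
import hmac
import os

# ---- What the site does (the post's primer): store and check SHA-1 ----

def sha1_hex(password):
    """Unsalted SHA-1 of the password, hex encoded: the format of the leaked file."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def verify_unsalted(stored_hex, attempt):
    """Login check: hash the attempt the same way and compare to what is stored.
    compare_digest avoids leaking the position of the first mismatch via timing."""
    return hmac.compare_digest(stored_hex, sha1_hex(attempt))

# ---- What the attacker does: a dictionary attack with simple mangling rules ----

# Constructed wordlist. Real ones hold millions of words and leaked passwords.
WORDLIST = ["password", "mypassword", "birthday", "letmein", "linkedin", "qwerty"]

# Constructed mangling rules; John the Ripper and hashcat ship thousands of these.
SUFFIXES = ["", "1", "21", "123", "2012"]

def candidates(words):
    """Yield each word as-is and capitalised, each with a few common suffixes.
    For "birthday" this produces "Birthday21", the post's 'harder' password."""
    for word in words:
        for base in (word, word.capitalize()):
            for suffix in SUFFIXES:
                yield base + suffix

def crack_unsalted(leaked_hashes, words):
    """Hash each candidate once and look it up in the whole dump.
    With no salt, one SHA-1 computation tests the guess against every user at
    once, which is why millions of unsalted hashes fall so quickly."""
    remaining = set(leaked_hashes)
    found = {}
    for guess in candidates(words):
        digest = sha1_hex(guess)
        if digest in remaining:
            found[digest] = guess
            remaining.discard(digest)
            if not remaining:
                break
    return found

# ---- The fix the post does not discuss: a salted, deliberately slow hash ----

ITERATIONS = 600_000  # OWASP's recommended minimum for PBKDF2-HMAC-SHA256 (2023)

def hash_salted(password, salt=None):
    """Per-user random salt plus PBKDF2 with many iterations. The salt forces
    the attacker to rerun the whole wordlist separately for each user; the
    iteration count makes every guess cost ~600k hash computations, not one."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest

def verify_salted(salt, digest, attempt):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(
        digest, hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"), salt, ITERATIONS))

if __name__ == "__main__":
    # Constructed user table; the site stored only the unsalted SHA-1 of each.
    users = {"alice": "mypassword", "bob": "Birthday21", "carol": "!!Birth$day%21"}
    leaked = {sha1_hex(pw) for pw in users.values()}  # what the attacker obtained
    cracked = crack_unsalted(leaked, WORDLIST)
    for name, pw in users.items():
        print(f"{name:6} {sha1_hex(pw)} -> {cracked.get(sha1_hex(pw), '<not found>')}")
    # Same password for two users: unsalted digests are identical, salted ones differ.
    print(hash_salted("mypassword")[1] != hash_salted("mypassword")[1])
```

Run as a script it recovers alice's and bob's passwords from the constructed dump and fails on carol's, which no simple mangling rule produces. The point of the last two functions is that the same wordlist attack against a salted PBKDF2 store would have to be repeated per user and pay several hundred thousand hash computations per guess, instead of one SHA1 per guess against the entire file.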
The time it takes to crack a password depends on the length and complexity of the password and on the speed of the attacker's hardware. The figures that follow are rough estimates. If you use the password birthday, a cracking program on a desktop computer with a good graphics card could need as little as 2 seconds. If we make the password a little harder, Birthday21, the attack takes much longer, about 2 and 1/2 hours, though a capitalised word with two digits appended is exactly the pattern that dictionary mangling rules try first, so in practice it may fall sooner than that. If we make the password more complex still, such as !!Birth$day%21, brute forcing it becomes impractical at around 36 years. As you can see, the longer and more random the password is, the safer it is to use. The problem, though, is that very powerful hardware keeps getting cheaper, so the time needed to crack a given password keeps shrinking.
Therefore, you should always use a different password at each site, so that if one site is compromised you are not affected at the others. You should also use passwords that are complex and consist of random letters, numbers, and symbols, at least 8-12 characters long. For example, a password like A8%tA95r%!Ab would take approximately 580 years to brute force on high-end hardware, by the same rough estimate. Trying to remember a password like this, though, is just not realistic. Therefore, you should use a program like Keepass to generate and store your passwords for you. Keepass has add-ons that integrate into most popular web browsers, such as Firefox, Chrome, and Internet Explorer, so that your password is automatically filled into login forms when you visit a web site. Using a password manager like Keepass is a simple way to stay safe on the Internet.
Now go and change those passwords and stay safe online!

Update 6/6/12 11:56 AM EST: According to one Twitter update, these passwords are 7-8 months old.