As a primer on how passwords are stored and cracked: when you create an account or change your password on LinkedIn, the password is entered as plain text. The web site then takes this password, such as mypassword, and hashes it with the SHA1 hash function (a one-way transformation, not reversible encryption) into a string like 91dfd9ddb4198affc5c194cd8ce6d338fde470e2. This hash, not the password itself, is what is stored in LinkedIn's database. The same procedure is used when you log in: the web site hashes the password you enter with SHA1 again and compares the result to the hash it previously stored in the database. If the two strings match, you are allowed to log in.
The problem is that a list of SHA1 password hashes is still vulnerable to brute force attacks and other methods. In a brute force attack the attacker uses a program that hashes candidate passwords, either random strings or words taken from what is called a dictionary file. This dictionary file contains millions of common words in various languages. The program hashes each candidate with SHA1 and compares the result to the hashes in the stolen password list. If there is a match, the program outputs the hash and the plain text string that produced it, and the attacker now knows the textual password that you use to log in to the site.
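The store-then-compare flow from the first paragraph and the dictionary check from the second, as an added example that is not part of the original post. The account names, the wordlist and the "leaked" hash list are constructed for illustration; the audit function is written from the defender's side, run over a site's own hash list to flag accounts whose passwords appear in common wordlists.

```python
import hashlib

# Constructed sample wordlist for this example; real dictionary files hold millions of entries.
WORDLIST = ["password", "birthday", "letmein", "mypassword", "qwerty"]


def sha1_hex(password: str) -> str:
    """Hash a plaintext password with unsalted SHA1, as the post describes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def register(db: dict, username: str, password: str) -> None:
    """Store only the SHA1 digest of the password, never the plaintext."""
    db[username] = sha1_hex(password)


def login(db: dict, username: str, password: str) -> bool:
    """Re-hash the submitted password and compare it with the stored digest."""
    stored = db.get(username)
    return stored is not None and stored == sha1_hex(password)


def audit_weak_passwords(stored_hashes, wordlist):
    """Return {hash: word} for every stored hash that equals the hash of a wordlist entry.

    Because the scheme is unsalted, hashing the wordlist once is enough to test
    every stored hash against it; no per-account work is needed.
    """
    lookup = {sha1_hex(word): word for word in wordlist}
    return {h: lookup[h] for h in stored_hashes if h in lookup}


if __name__ == "__main__":
    db = {}  # constructed in-memory stand-in for the site's user table
    register(db, "alice", "mypassword")
    register(db, "bob", "Tr0ub4dor&3x!")
    print(login(db, "alice", "mypassword"), login(db, "alice", "wrong"))
    print(audit_weak_passwords(db.values(), WORDLIST))
```

Because the same password always yields the same unsalted SHA1, one pass over the wordlist checks every account at once; a per-user salt and a deliberately slow hash are the standard ways to take that shortcut away.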
The amount of time it takes for a password to be brute forced depends on the length and complexity of the password. For example, if you use the password birthday, then a brute force program on a desktop computer with a good graphics card could take as little as 2 seconds to crack your password. If we make the password a little harder, Birthday21, then the attack takes much longer, about 2 and 1/2 hours. If we make the password even more complex, such as !!Birth$day%21, then it becomes impractical to brute force, as it would take around 36 years to crack. As you can see, the more complex and random the password is, the safer it is to use. The problem, though, is that on very powerful hardware, and as more powerful hardware becomes cheaper and cheaper, the time needed to crack passwords keeps getting smaller.
Therefore, you should always use a different password at each site, so that if one site is compromised you are not affected at other sites. You should also use passwords that are complex and consist of random letters, numbers, and symbols with at least 8-12 characters. For example, a password like A8%tA95r%!Ab would take approximately 580 years to brute force using high-end hardware. Trying to remember a password like this, though, is just not realistic. Therefore, you should use a program like KeePass to generate and store your passwords for you. KeePass has add-ons that integrate into most popular web browsers, such as Firefox, Chrome, and Internet Explorer, so that your password is automatically filled into login forms when you visit a web site. Using a program like KeePass is an obvious way to stay safe on the Internet.
Now go and change those passwords and stay safe online!
Update 6/6/12 11:56 AM EST: According to one Twitter update, these passwords are 7-8 months old.
Edited by Grinler, 06 June 2012 - 10:57 AM.