
6.5 Million LinkedIn passwords posted and what you should do about it

3 replies to this topic

#1 Grinler


    Lawrence Abrams

  • Admin
  • 43,617 posts
  • Gender:Male
  • Location:USA

Posted 06 June 2012 - 10:41 AM

A person on a Russian hacker forum has posted text files containing approximately 6.5 million LinkedIn SHA1 password hashes. What this means is that if you use LinkedIn you should change your password immediately! If you use the same password on other sites, immediately change them there as well! LinkedIn has tweeted that they are looking into whether or not this file is valid. I can confirm that this password list is indeed a valid list of LinkedIn passwords as my password that I encrypted with SHA1 was in the list. As I use a unique, and very strong, password at each site I visit, I know that this password is only used on LinkedIn. Though the hacker has only posted the list of encrypted passwords, security researchers are pretty sure that the user also has an unpublished list of the associated user names. Therefore you should not think you're safe just because only your password has been published.

As a primer on how passwords are encrypted and cracked, when you create an account or change your password on LinkedIn, the password is entered as plain text. The web site then takes this password, such as mypassword, and encrypts it using the SHA1 encryption protocol to an encrypted string like 91dfd9ddb4198affc5c194cd8ce6d338fde470e2. This encrypted password is then stored in LinkedIn's database. This same procedure is done when you login to LinkedIn. When you login and enter your password, the web site encrypts it again using the SHA1 encryption protocol and compares it to the password that it had previously stored in the database. If the two encrypted strings match, then it allows you to login.

The problem is that the list of SHA1 password hashes is still vulnerable to brute force attacks and other methods. A brute force attack is when an attacker uses a program to generate encrypted passwords based on random strings or words found in what is called a dictionary file. This dictionary file contains millions of common words in various languages. When the brute force program encrypts the password using SHA1, as an example, it then compares that password to the ones stored in the encrypted password list. If there is a match, the brute force program outputs the encrypted password and the decrypted string that match each other, and now the attacker knows the textual password that you use to login to the site.

The amount of time it takes for a password to be brute forced depends on the length and complexity of the attack. For example, if you use the password birthday then the brute force program on a desktop computer with a good graphics card could take as little as 2 seconds to crack your password. If we make the password a little harder, Birthday21, then this attack takes much longer at about 2 and 1/2 hours. Now, if we make the password even more complex, such as !!Birth$day%21, then it becomes impractical to brute force as it would take around 36 years to crack the password. As you can see the more complex and random the password is, the safer it is to use. The problem, though, is that on very powerful hardware, and as more powerful hardware becomes cheaper and cheaper, the amount of time to crack passwords is getting smaller and smaller.

Therefore, you should always use different passwords at each site so that if one site is compromised you are not affected at other sites. You should also use passwords that are complex and consist of random letters, numbers, and symbols with at least 8-12 characters. For example, a password like A8%tA95r%!Ab would take approximately 580 years to brute force using high-end hardware. Trying to remember a password like this, though, is just not realistic. Therefore, you should use a program like Keepass to generate and store your passwords for you. Keepass has add-ons that integrate into most popular web browsers such as FireFox, Chrome, and Internet Explorer so that your password will be automatically filled into login forms when you visit a web site. Using a program like Keepass is an obvious way to stay safe on the Internet.

Now go and change those passwords and stay safe online!

Update 6/6/12 11:56 AM EST: According to one Twitter update, these passwords are 7-8 months old.

Edited by Grinler, 06 June 2012 - 10:57 AM.
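The post above describes unsalted SHA1 storage, how the author confirmed his own hash was in the dump, and why a dictionary run against such a list works. The following is an added illustration (not code from the post or from LinkedIn): it uses a small constructed hash list, shows the self-check the author performed, shows why one dictionary pass covers every user when there is no salt, and shows how a per-user salt changes that. The function and variable names are the example's own.

```python
import hashlib
import os
from typing import Dict, Iterable, Optional, Set, Tuple

# The post quotes 91dfd9ddb4198affc5c194cd8ce6d338fde470e2 for SHA1("mypassword").
POST_DIGEST = "91dfd9ddb4198affc5c194cd8ce6d338fde470e2"


def sha1_hex(password: str) -> str:
    """Unsalted SHA1 hex digest: the storage scheme the post describes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Constructed stand-in for a leaked hash list (NOT the real dump). Note that
# two different users who chose "birthday" would produce the same line.
LEAKED_HASHES: Set[str] = {
    sha1_hex("mypassword"),
    sha1_hex("birthday"),
    sha1_hex("Birthday21"),
}


def password_in_leak(password: str, leaked: Set[str]) -> bool:
    """What the author did: hash your own password and look it up in the dump."""
    return sha1_hex(password) in leaked


def dictionary_hits(wordlist: Iterable[str], leaked: Set[str]) -> Dict[str, str]:
    """Why unsalted lists fall quickly: each candidate word is hashed ONCE and
    compared against every leaked digest at the same time."""
    hits: Dict[str, str] = {}
    for word in wordlist:
        digest = sha1_hex(word)
        if digest in leaked:
            hits[digest] = word
    return hits


def salted_sha1(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, str]:
    """Per-user random salt: the same password now yields a different digest
    for every user, so a candidate word must be re-hashed per stored entry
    instead of once for the whole list. (A slow KDF such as bcrypt or PBKDF2
    would be the modern choice; SHA1 is kept here to stay close to the post.)"""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.sha1(salt + password.encode("utf-8")).hexdigest()
    return salt, digest
```

Running `dictionary_hits(["birthday", "letmein"], LEAKED_HASHES)` recovers only the word that was actually in the constructed list, and two calls to `salted_sha1("birthday")` return different digests even though the password is identical.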



#2 Winterland


  • Members
  • 995 posts
  • Gender:Male
  • Location:The Land of Enchantment

Posted 07 June 2012 - 04:37 AM

Grinler ~ thanks for the update, the information and the explanation about how all this is done.

Sorry your password was on the list.

with great regard,


Photobucket removed my cool flag - idiots!


Every calculation based on experience elsewhere fails in New Mexico.

#3 MarcusW


  • Members
  • 73 posts

Posted 07 June 2012 - 02:00 PM

Thanks for the info Mr. B!

#4 Larry D. Lawrence II

Larry D. Lawrence II

  • Members
  • 48 posts
  • Gender:Male
  • Location:Evansville, IN

Posted 07 June 2012 - 04:28 PM

Thank you for posting this.
Larry D. Lawrence II
Dell, HP, Toshiba, Apple, Lenovo, and IBM Certified Technician
