[ale] unsalted hashes of 6 million linkedin passwords published on the internet

Michael H. Warfield mhw at WittsEnd.com
Thu Jun 7 14:03:42 EDT 2012


On Thu, 2012-06-07 at 13:44 -0400, Ron Frazier (ALE) wrote:
> On the latest Security Now podcast, Steve Gibson reported that the
> unsalted hashes of 6 million LinkedIn passwords have been leaked to
> the internet. This is 10% of the entire LinkedIn user database.
> Apparently, they are being decrypted at a rapid pace. The presumption
> is that user names were stolen too. I don't understand all the
> technical details, but Steve is recommending that everyone immediately
> change your LinkedIn password. You might also consider changing that
> password anywhere else you use it. I suppose that they could use this
> to break into your LinkedIn account, but I don't know what else they
> could do with it. I have an old LinkedIn account from long ago that I
> never use, but they still send me emails. I have to go and check the
> password. Just thought I'd pass it along.

Unsalted and unseeded.  If the hashing had been seeded, the brute
forcing would be impossible without the private seed.  Salting makes
brute force more difficult and makes rainbow tables virtually impossible,
but stupid passwords are still easy to crack.  In the list of top most
common stupid passwords found in brute force attacks (12345, password,
pass1234, etc., etc.) all were found at LEAST once in that list.

Regards,
Mike

> Info here: http://twit.tv/show/security-now/356
> Forward into the program to 29:30 to find this part.

> More info: http://thenextweb.com/socialmedia/2012/06/06/bad-day-for-linkedin-6-5-million-hashed-passwords-reportedly-leaked-change-yours-now/
> http://shiflett.org/blog/2012/jun/leakedin
> http://leakedin.org/
> 
> Sincerely,
> 
> Ron
> 
> 
> 
> --
> 
> Sent from my Android Acer A500 tablet with bluetooth keyboard and K-9 Mail.
> Please excuse my potential brevity.
> 
> (To whom it may concern. My email address has changed. Replying to former
> messages prior to 03/31/12 with my personal address will go to the wrong
> address. Please send all personal correspondence to the new address.)
> 
> (PS - If you email me and don't get a quick response, you might want to
> call on the phone. I get about 300 emails per day from alternate energy
> mailing lists and such. I don't always see new email messages very quickly.)
> 
> Ron Frazier
> 770-205-9422 (O) Leave a message.
> linuxdude AT techstarship.com

-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
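
An added example (not part of the original posts) that stores the same accounts unsalted, salted, and salted with a secret key, then runs a defender's weak-password audit against each to show how the cost changes. SHA-1, the sample accounts, and reading "seeded" as a secret server-side HMAC key are assumptions; the thread names none of them.

```python
import hashlib
import hmac
import os

# Constructed sample data: the common passwords named in the thread, plus one strong one.
COMMON = ["12345", "password", "pass1234"]
USERS = {"alice": "password", "bob": "password", "carol": "pass1234",
         "dave": "Vq7#long-unguessable-Lm2"}

def digest(pw, salt=b"", key=None):
    # SHA-1 is an assumption (the thread names no algorithm). "Seeded" is read
    # here as a secret server-side key, modelled with HMAC.
    data = salt + pw.encode()
    if key is None:
        return hashlib.sha1(data).hexdigest()
    return hmac.new(key, data, hashlib.sha1).hexdigest()

def build_stores(key):
    """Store the same accounts three ways: unsalted, salted, salted + keyed."""
    salts = {u: os.urandom(16) for u in USERS}
    plain = {u: digest(p) for u, p in USERS.items()}
    salted = {u: (salts[u], digest(p, salts[u])) for u, p in USERS.items()}
    keyed = {u: (salts[u], digest(p, salts[u], key)) for u, p in USERS.items()}
    return plain, salted, keyed

def audit_unsalted(store):
    """One precomputed table flags every account: cost is len(COMMON) hashes."""
    table = {digest(p) for p in COMMON}
    return sorted(u for u, d in store.items() if d in table), len(table)

def audit_salted(store, key=None):
    """Each account needs its own pass over the list, and the key if one is used."""
    weak, work = [], 0
    for user, (salt, stored) in store.items():
        for p in COMMON:
            work += 1
            if hmac.compare_digest(digest(p, salt, key), stored):
                weak.append(user)
                break
    return sorted(weak), work

if __name__ == "__main__":
    key = os.urandom(32)
    plain, salted, keyed = build_stores(key)
    print("unsalted:", audit_unsalted(plain))
    print("salted:  ", audit_salted(salted))
    print("keyed, key known:  ", audit_salted(keyed, key))
    print("keyed, key unknown:", audit_salted(keyed, os.urandom(32)))
```

The weak accounts are flagged in every scheme when the key is available, which matches the point above that common passwords stay easy to find; only the work per account and the need for the key change.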