June 7, 2012

93% of top passwords appear in LinkedIn leak

LinkedIn launched itself back into the limelight with yesterday's massive user account security breach. Over 6 million unsalted SHA-1 password hashes were posted online, triggering an orgy of consternation, smugness, and schadenfreude across the geek boards. It was barely a year and a half ago that LinkedIn was in the press because of leaked password issues (not their fault)--one would have thought that they would have spent a little time auditing their security procedures. Now Last.fm is reporting their own leak just 24 hours later.

I downloaded the hashes and did find my LinkedIn password hash in the dump, though apparently uncracked. You can check yours over at LastPass or LeakedIn.org. Luckily I have unique passwords for all my logins, so the damage was minimal. The damage to LinkedIn's reputation, though, is not so contained:

  • LinkedIn had (or still has) a security hole that allowed someone to gain access to their user account database
  • LinkedIn's use of unsalted SHA-1 hashing is gross negligence at best
  • LinkedIn's public incident response was pathetic: 2 tweets and 2 blog posts (2 more tweets simply linking to the blog posts)

Luckily LinkedIn search currently shows 480,153 profile matches for "Director of Security". Maybe they might want to start cold calling some of them.

The File

The file that I was able to download off of the torrent sites is a single column dump of SHA-1 hashes that looks like:

00000fac2ec84586f9f5221a05c0e9acc3d2e670
0000022c7caab3ac515777b611af73afc3d2ee50
deb46f052152cfed79e3b96f51e52b82c3d2ee8e
00000dc7cc04ea056cc8162a4cbd65aec3d2f0eb
00000a2c4f4b579fc778e4910518a48ec3d2f111
b3344eaec4585720ca23b338e58449e4c3d2f628
674db9e37ace89b77401fa2bfe456144c3d2f708
37b5b1edf4f84a85d79d04d75fd8f8a1c3d2fbde
00000e56fae33ab04c81e727bf24bedbc3d2fc5a
0000058918701830b2cca174758f7af4c3d30432

The consensus is that all of the hashes that start with 00000 were artificially masked and have already been cracked. This is supported by the fact that the hashes of known common passwords, like the string "password":

5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8

are not in the file, but their masked counterparts:

000001e4c9b93f3f0682250b6cf8331b7ee68fd8

are in the file. Initial reports said that 6.5 million hashes were released, but the file that I downloaded was slightly different:

  • Filename: SHA1.txt
  • Total count: 6,143,150
  • Masked hash count: 3,521,180

So about 57% of the passwords are assumed to have been cracked. I was curious as to what percentage of the most common passwords were present in this dump, as a proxy for gauging the password choices for a supposedly more professional population. A quick search led me to security guy Mark Burnett, who maintains a list of the top 10,000 most used passwords across the internet. He admits to some skew caused by a significant amount of sourcing from adult websites, but I don't think it really matters.

I dumped all the hashes into a Redis instance, produced a list of SHA-1 hashes from Mark's list, and looked for matches on both full and masked hash variants. Here's what I found:

  • 7,142 of the most common passwords were present
  • 546 of the most common passwords were not present
  • 2,312 of the most common passwords were too short for LinkedIn's 6-character minimum

I've posted my final CSV of the top 10,000 passwords with SHA-1 hashes and their status in the LinkedIn dump. What does it all say? Well, adjusted for the minimum password length:

93% of the eligible subset of the 10,000 most common passwords were found in the LinkedIn password leak.
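The following is an added example, not the post's own code, that reproduces the two checks described above on a constructed miniature dump: the "00000" masking test (the masked hash of "password" is present while the real one is absent) and the top-password matching with the six-character minimum applied before computing the "eligible" percentage. The sample dump lines and the sample top-password list are constructed; the two "password" hashes and one dump line are the values quoted in the post.

```python
import hashlib

# Added example (not from the post): masking check and top-password matching
# against a constructed stand-in for the leaked SHA1.txt.

MIN_LENGTH = 6  # LinkedIn's six-character minimum, as stated in the post


def sha1_hex(password):
    """Unsalted SHA-1 of a password, hex encoded, which is how LinkedIn stored it."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def mask(hex_hash):
    """The 'masked' form seen in the dump: the first five hex digits zeroed."""
    return "00000" + hex_hash[5:]


def is_masked(hex_hash):
    """The post's heuristic: a leading 00000 marks an already-cracked hash."""
    return hex_hash.startswith("00000")


def load_dump(text):
    """Parse a one-hash-per-line dump into a set of lowercase hex strings."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


def classify(password, dump):
    """Status of one candidate password against the dump."""
    if len(password) < MIN_LENGTH:
        return "too_short"
    digest = sha1_hex(password)
    if digest in dump:
        return "present"          # hash present and not (yet) marked as cracked
    if mask(digest) in dump:
        return "present_masked"   # only the masked variant is there: already cracked
    return "absent"


def summarize(candidates, dump):
    """Counts per status plus the share of eligible (long enough) passwords found."""
    counts = {"present": 0, "present_masked": 0, "absent": 0, "too_short": 0}
    for pw in candidates:
        counts[classify(pw, dump)] += 1
    found = counts["present"] + counts["present_masked"]
    eligible = found + counts["absent"]
    counts["eligible_found_pct"] = round(100.0 * found / eligible, 1) if eligible else 0.0
    return counts


def masked_share(dump):
    """Fraction of dump lines already masked, i.e. assumed cracked (the post's 57%)."""
    return sum(is_masked(h) for h in dump) / len(dump)


# Constructed miniature dump: one hex SHA-1 per line, like SHA1.txt.
CONSTRUCTED_DUMP = "\n".join([
    "000001e4c9b93f3f0682250b6cf8331b7ee68fd8",  # masked sha1("password"), quoted in the post
    mask(sha1_hex("123456")),                     # constructed masked (cracked) entry
    sha1_hex("sunshine"),                         # constructed unmasked entry
    sha1_hex("qwerty"),                           # constructed unmasked entry
    "deb46f052152cfed79e3b96f51e52b82c3d2ee8e",  # unmasked line from the post's sample
])

# Constructed stand-in for the top-10,000 list; two entries fall under the minimum length.
CONSTRUCTED_TOP_LIST = ["password", "123456", "sunshine", "qwerty", "abc123", "love", "12345"]

if __name__ == "__main__":
    dump = load_dump(CONSTRUCTED_DUMP)
    print(summarize(CONSTRUCTED_TOP_LIST, dump))
    print("masked share: {:.0%}".format(masked_share(dump)))
```

On the constructed input, four of the five eligible candidates are found (two via their masked variant), so the eligible share is 80%, and two of the five dump lines are masked. Note the caveat built into the heuristic: a genuine SHA-1 that happens to begin with 00000 would be counted as masked, which is why the post's 57% figure is an assumption rather than a measurement.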

Unfortunately, the leaked file contained only unique hashes and no frequency information, so I wasn't able to match it to the distribution that Mark reports. Still, this reaffirms that the vast majority of people don't concern themselves with password security. Stop the madness! Generate site-specific passwords and manage them using LastPass. Sign up for two-factor authentication on Google.
