It probably is not news to you that Linkedin was compromised resulting in ~6.45 Million password hashes being dumped on the Internet. The good news is that the hash dump did not include the user accounts associated with the hashes, so the general masses do not have that association. The original hackers do, so take that good news as it could be worse!
I hope that most people run out and change their Linkedin password immediately, as that is a pretty smart move right now. The part I worry most about with a compromise like this one is password reuse. Will everyone that changes their Linkedin password remember to change the other accounts for which they used this same password? How many corporations can now be breached because an end user used the same password for their Linkedin account as they did with their corporate account? My first guess is a lot!
As a quick little experiment I grabbed two password lists I found doing a simple Google search for “Top Worst Passwords”. The first password list I grabbed from here: The Top 500 Worst Passwords. This list is supposed to represent the Top 500 Worst passwords published back in 2008. The second list I grabbed was from here: Top 100 RockYou Passwords. This list represents the Top 100 passwords from the RockYou password compromise back in December 2009 which resulted in ~32 Million people’s credentials being exposed.
I then wrote this really quick bash script in my Mac OS X terminal to check both of these lists against the hashes found in the Linkedin password hash dump “combo_not.txt”.
#!/bin/bash
# Usage: ./check_passwords.sh wordlist.txt
# Hashes each candidate password with SHA-1, drops the masked leading
# characters, and greps for the remaining tail in the Linkedin dump.
while IFS= read -r pass; do
    # keep only the hex digest (openssl prefixes it with "(stdin)= "), then
    # drop the masked prefix: the example pair 5baa61e4... / 000001e4...
    # differs in its first five characters
    hash=$(printf '%s' "$pass" | openssl sha1 | awk '{print $NF}' | cut -c6-)
    if grep -q "$hash" combo_not.txt; then
        echo "Found: $pass:$hash"
    else
        echo "Not Found: $pass:$hash"
    fi
done < "$1"
One thing to note is that this is by no means a production-quality or optimized script, so if you use it you do so at your own risk! I am sure there are 1,000 times better-optimized methods for doing this, but this is what I used to get the job done quick and dirty! The main reason I hacked the script together is that the Linkedin password hash dump appears to contain sha1 passwords that have been modified to mask the first 6 characters of the password hash. My script takes that into consideration before it attempts to make a match. To hopefully make this a little clearer, consider the password string “password”. The sha1 hash for the string “password” is “5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8”, but if you search the Linkedin dump for that hash you won’t find it. You will find this sha1 hash though: “000001e4c9b93f3f0682250b6cf8331b7ee68fd8”. Since there are about 3.5 Million hashes starting with this 6-character masking, I made the assumption that the masking meant something to the attacker. My guess is that it marks the passwords that have already been cracked, but that is just a guess.
Getting back to the main reason I wrote the script, I ran it against the two password lists. The results were not overly shocking, in that I had suspected we had not really improved end user password selection or reuse.
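To make the masked-match idea concrete, here is a small Python version of the same check. It is added to this post as an illustration and is not the author's script. It takes the mask length from the two hashes quoted above (they differ in their first five hex characters; applying that to the whole dump is an assumption), builds a tiny dump and wordlist inline so it runs offline, and indexes the dump by the unmasked tail so each candidate is a dictionary lookup instead of a grep over millions of lines.

```python
import hashlib

# The two hashes quoted in the post: the real SHA-1 of "password" and the
# form that appears in the dump. They differ only in their first five hex
# characters, which the dump has replaced with zeros.
REAL_HASH = "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8"
MASKED_HASH = "000001e4c9b93f3f0682250b6cf8331b7ee68fd8"
MASK_LEN = 5  # assumption: derived from the pair above, applied to the whole dump


def sha1_hex(password: str) -> str:
    """Hex SHA-1 of the password, as the post computes with openssl sha1."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def mask(digest: str, mask_len: int = MASK_LEN) -> str:
    """Reproduce the dump's masking: overwrite the leading hex chars with zeros."""
    return "0" * mask_len + digest[mask_len:]


def load_dump(lines):
    """Index dump entries by their unmasked tail.

    Keying on the tail lets a candidate match whether or not its entry was
    masked, and turns a per-password scan of the dump into one lookup.
    """
    index = {}
    for line in lines:
        entry = line.strip().lower()
        if len(entry) != 40 or any(c not in "0123456789abcdef" for c in entry):
            continue  # skip anything that is not a SHA-1 hex digest
        index.setdefault(entry[MASK_LEN:], []).append(entry)
    return index


def check_wordlist(words, dump_index):
    """Return (found, not_found); found holds (word, digest, matching dump entries)."""
    found, not_found = [], []
    for word in words:
        digest = sha1_hex(word)
        matches = dump_index.get(digest[MASK_LEN:])
        if matches:
            found.append((word, digest, matches))
        else:
            not_found.append((word, digest))
    return found, not_found


def summarize(found, not_found):
    """Counts and percentage found, in the shape of the post's results table."""
    total = len(found) + len(not_found)
    return {
        "found": len(found),
        "not_found": len(not_found),
        "percent_found": round(100.0 * len(found) / total, 1) if total else 0.0,
    }


# Constructed sample dump: the post's masked hash plus entries built here.
DUMP_LINES = [
    MASKED_HASH,                # quoted in the post
    mask(sha1_hex("qwerty")),   # constructed, masked form
    sha1_hex("123456"),         # constructed, unmasked form
    "this line is not a hash",  # constructed noise, should be skipped
]

# Constructed stand-in for a "worst passwords" list.
WORDLIST = ["password", "123456", "qwerty", "letmein", "correct horse battery staple"]

DUMP_INDEX = load_dump(DUMP_LINES)


def found_words(words=WORDLIST, dump_index=DUMP_INDEX):
    """Just the matched words, in wordlist order."""
    found, _ = check_wordlist(words, dump_index)
    return [word for word, _, _ in found]


if __name__ == "__main__":
    found, not_found = check_wordlist(WORDLIST, DUMP_INDEX)
    for word, digest, matches in found:
        print(f"Found: {word}:{digest} -> {', '.join(matches)}")
    for word, digest in not_found:
        print(f"Not Found: {word}:{digest}")
    print(summarize(found, not_found))
    # A naive exact-match search misses the masked entry entirely:
    print("exact match for 'password':", REAL_HASH in DUMP_LINES)
```

Running it shows "password" matching only through its tail, since the full digest is not in the dump at all, which is exactly the situation the post describes. Swapping `DUMP_LINES` for the lines of a real dump file and `WORDLIST` for one of the two lists above reproduces the experiment.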
| Password List             | Found | Not Found |
| Top 500 Worst Passwords   | 373   | 127       |
| RockYou Top 100 Passwords | 96    | 4         |
What does this mean? I am not entirely sure, nor have I spent a lot of time thinking about it. Like I said, it was a quick experiment and not an in-depth research project. It is interesting that out of the 2008 top 500 worst passwords, 373 of them were found in the Linkedin password hash dump, or in other words 75% of them! Of the late 2009 RockYou top 100 passwords, 96 were found in the Linkedin password hash dump, so 96% of them were used by Linkedin users. Are you shocked? Probably not!
My first thoughts are it is probably a wise idea if you are a corporation to force a mandatory password reset for all your users. Why? Well Linkedin is a “professional” social networking site and your users most likely posted where they worked within their profiles. If they are reusing a password it would not be considered grasping at straws to assume the hackers will attempt to use these compromised credentials to test authentication against your corporate network.
My second thought is we are still failing at getting our users to select more complex passwords. Maybe it is time we stop allowing users to select their passwords and start forcing them to use password management software such as Lastpass or KeePass. I am not recommending someone use either of these two password management applications, but I would recommend looking into evaluating these types of applications to see if one will meet your requirements. Pick one that best meets your requirements, as I bet you will find these applications are better at generating complex and unique passwords when compared with your users!