LinkedIn launched itself back into the limelight with yesterday's massive user account security breach. Over 6 million unsalted SHA-1 password hashes were posted online, triggering an orgy of consternation, smugness, and schadenfreude across the geek boards. It was barely a year and a half ago that LinkedIn was in the press because of leaked password issues (not their fault); one would have thought that they would have spent a little time auditing their security procedures since then. Now Last.fm is reporting their own leak just 24 hours later.
I downloaded the hashes and did find my LinkedIn password hash in the dump, though apparently uncracked. You can check yours over at LastPass or LeakedIn.org. Luckily I have unique passwords for all my logins so the damage was minimal. The damage to LinkedIn's reputation though, is not so contained:
- LinkedIn had (or still has) a security hole that allowed someone to gain access to their user account database
- LinkedIn's use of unsalted SHA-1 hashing is gross negligence at best
- LinkedIn's public incident response was pathetic: 2 tweets and 2 blog posts (2 more tweets simply linking to the blog posts)
Luckily LinkedIn search currently shows 480,153 profile matches for "Director of Security". Maybe they might want to start cold calling some of them.
The file that I was able to download from the torrent sites is a single-column dump of hex-encoded SHA-1 hashes that looks like:
The consensus is that all of the hashes that start with 00000 were artificially masked (the first five hex characters of the real digest overwritten with zeros) to flag entries that have already been cracked. This is supported by the evidence that known common hashes, like for the string
are not in the file, but their masked counterparts:
are in the file. Initial reports said that 6.5 million hashes were released, but the file that I downloaded was slightly different:
- Filename: SHA1.txt
- Total count: 6,143,150
- Masked hash count: 3,521,180
So about 57% of the passwords are assumed to have been cracked. I was curious what percentage of the most common passwords were present in this dump, as a proxy for gauging the password choices of a supposedly more professional population. A quick search led me to security guy Mark Burnett, who maintains a list of the top 10,000 most used passwords across the internet. He admits to some skew caused by a significant amount of sourcing from adult websites, but I don't think it really matters.
I dumped all the hashes into a Redis instance, produced a list of SHA-1 hashes from Mark's list, and looked for matches on both full and masked hash variants. Here's what I found:
- 7,142 of the most common passwords were present
- 546 of the most common passwords were not present
- 2,312 of the most common passwords were too short for LinkedIn's 6 character minimum
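Here is the masking and matching logic from the two passages above (the 00000 masking convention, and the lookup of common passwords against both the full and masked hash forms) written out as an added example. This is not the post's own Redis script; it uses an in-memory set instead of Redis, a constructed four-line stand-in for SHA1.txt, and a constructed candidate list in place of Mark Burnett's top-10,000 file. The 6-character minimum, the masked-counterpart check and the "eligible subset" percentage are the post's; everything else (function names, sample data) is an assumption for illustration.

```python
import hashlib

MIN_LEN = 6  # LinkedIn's minimum password length, per the post


def sha1_hex(password: str) -> str:
    """Hex SHA-1 of a password, unsalted, exactly as LinkedIn stored it."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def mask(digest: str) -> str:
    """Apply the dump's masking convention: overwrite the first five hex
    characters with zeros. Masked entries are the ones already cracked."""
    return "00000" + digest[5:]


def load_dump(lines):
    """Split a SHA1.txt-style dump into full hashes and masked hashes.
    (The post loaded these into Redis; a set is enough to show the logic.)"""
    full, masked = set(), set()
    for line in lines:
        h = line.strip().lower()
        if len(h) != 40:           # skip blank or malformed lines
            continue
        (masked if h.startswith("00000") else full).add(h)
    return full, masked


def classify(password: str, full: set, masked: set) -> str:
    """Status of one candidate password against the dump."""
    if len(password) < MIN_LEN:
        return "too_short"          # could not have been a LinkedIn password
    h = sha1_hex(password)
    if h in full:
        return "present_uncracked"  # real digest is in the file, unflagged
    # Caveat: if the real digest itself starts with 00000, its full and masked
    # forms coincide and this branch cannot tell "cracked" from "uncracked".
    if mask(h) in masked:
        return "present_cracked"    # only the zeroed-out counterpart is there
    return "absent"


def pct_found(present: int, absent: int) -> float:
    """Share of the eligible subset (present + absent) found in the dump."""
    return 100.0 * present / (present + absent)


def tally(candidates, dump_lines):
    """Count statuses and compute the post's headline percentage."""
    full, masked = load_dump(dump_lines)
    counts = {"present_uncracked": 0, "present_cracked": 0,
              "absent": 0, "too_short": 0}
    for pw in candidates:
        counts[classify(pw, full, masked)] += 1
    present = counts["present_uncracked"] + counts["present_cracked"]
    counts["pct_found"] = round(pct_found(present, counts["absent"]), 1)
    return counts


# Constructed stand-in for SHA1.txt (four lines, not the real 6,143,150).
# The first line is the masked form of SHA-1("password"), whose real digest
# 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 is absent, as the post describes.
CONSTRUCTED_DUMP = [
    "000001e4c9b93f3f0682250b6cf8331b7ee68fd8",   # masked SHA-1("password")
    sha1_hex("linkedin2012"),                     # present, not flagged cracked
    mask(sha1_hex("12345")),                      # masked, but 5 chars: ineligible
    sha1_hex("unrelated uncracked entry"),        # noise that matches nothing
]

# Constructed candidate list standing in for the top-10,000 file.
CONSTRUCTED_CANDIDATES = ["password", "linkedin2012", "12345", "letmein"]

if __name__ == "__main__":
    print(tally(CONSTRUCTED_CANDIDATES, CONSTRUCTED_DUMP))
    # The post's own numbers through the same formula:
    print(round(pct_found(7142, 546), 1))
```

Because masking discards 20 bits of the digest, a masked-counterpart hit is technically a match on the remaining 140 bits; against a few million entries that is far too unlikely to produce a false positive, but it is why the check looks only in the masked set and not in both.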
I've posted my final CSV of the top 10,000 passwords with SHA-1 hashes and their status in the LinkedIn dump. What does it all say? Well, adjusted for the minimum password length:
93% of the eligible subset of the 10,000 most common passwords were found in the LinkedIn password leak.
Unfortunately, the leaked file contained only unique hashes with no frequency information, so I wasn't able to match it to the distribution that Mark reports. Still, this reaffirms that the vast majority of people don't concern themselves with password security. Stop the madness! Generate site-specific passwords and manage them using LastPass. Sign up for two-factor authentication on Google.