
Secplicity - Security Simplified

Powered by WatchGuard Technologies

LinkedIn Passwords Leaked; Change Your Password

June 6, 2012 By Corey Nachreiner

According to many reports, Russian attackers have somehow gotten their hands on 6.5 million hashed LinkedIn passwords. They have posted the hashed passwords to a Russian hacking web site, asking the hacking community to help them crack the hashes. With the increases in computing power and cracking technology, I suspect it’s only a matter of time until they have actual passwords. LinkedIn users: change your passwords immediately!

So far, no one knows exactly how these attackers were able to get their hands on LinkedIn’s password database, though LinkedIn reports they are investigating the incident. If I had to guess, I would place my bet on a SQL injection attack, as it’s a great vector for leeching this kind of data from the database backend behind a complex, insecurely coded web application.

Next, let’s talk about the state of the passwords. As I mentioned earlier, the stolen LinkedIn passwords are “hashed.” In computing and cryptography, hash functions are one-way cryptographic algorithms that map data of any length to a fixed-length value (the digest). These one-way algorithms are designed so that, in practice, the digest matches one and only one input, but the digest should not help you recreate the original data. A hash only lets you verify whether the data you have matches the original; it doesn’t encrypt the data.

The good news is that LinkedIn stored their customers’ passwords as hashes, which makes it harder for unauthorized users to figure out the clear text passwords. The bad news is LinkedIn used unsalted SHA-1 hashes. Without getting into all the technical details, a salt is essentially a little extra random information you mix into the one-way function, per user, so that precomputed attacks such as dictionary attacks become much harder to pull off. At the risk of sounding like a cooking show host, LinkedIn should have salted their hashes.

Back to the state of LinkedIn’s passwords. The passwords posted on the Russian site are still hashed, so the bad guys don’t have your clear text password yet. However, between increased computing power, distributed computing, rainbow tables, and LinkedIn’s lack of salting, I expect motivated attackers to crack many of these passwords very quickly. So don’t expect the hashes to protect you for long.
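To make the three points above concrete (what a one-way hash is, why an unsalted SHA-1 digest is the same for every user who picked the same password, and why a precomputed table works against unsalted digests but not salted ones), here is an added Python example. It is not code from the post or from LinkedIn; the wordlist is a constructed sample, and the PBKDF2 function at the end goes beyond what the post discusses by showing the slow, salted password hashing that is standard practice today.

```python
import hashlib
import hmac
import os

# Constructed sample wordlist: the kind of weak, common passwords a cracking
# dictionary starts with. Not taken from the post or the leaked data.
COMMON_PASSWORDS = ["password", "123456", "linkedin", "qwerty", "letmein"]


def sha1_unsalted(password: str) -> str:
    """Plain SHA-1 of the password: the scheme the post says LinkedIn used.
    The same password gives the same 40-hex-character digest for every user,
    so one precomputed table covers all of them."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def new_salt(nbytes: int = 16) -> bytes:
    """Fresh random per-user salt from the OS CSPRNG."""
    return os.urandom(nbytes)


def sha1_salted(password: str, salt: bytes) -> str:
    """SHA-1 over salt || password. The salt is stored next to the digest;
    it is not secret, it just makes a precomputed table useless."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def verify_salted(password: str, salt: bytes, stored: str) -> bool:
    """Login check for the salted scheme: recompute and compare in constant time."""
    return hmac.compare_digest(sha1_salted(password, salt), stored)


def pbkdf2_sha256(password: str, salt: bytes, iterations: int = 200_000) -> str:
    """Beyond the post: a deliberately slow, salted KDF (PBKDF2-HMAC-SHA256).
    Each guess now costs `iterations` hash computations instead of one."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def build_lookup_table(wordlist):
    """Precompute digest -> password for every word. This is the simplified
    idea behind the dictionary and rainbow-table attacks the post warns about."""
    return {sha1_unsalted(p): p for p in wordlist}


def recover_from_table(stolen_digests, table):
    """Return (digest, password) for every stolen digest found in the table."""
    return [(d, table[d]) for d in stolen_digests if d in table]


def demo():
    """Two users who both chose 'password': compare the unsalted and salted stores."""
    unsalted = [sha1_unsalted("password"), sha1_unsalted("password")]
    salts = [new_salt(), new_salt()]
    salted = [sha1_salted("password", s) for s in salts]
    table = build_lookup_table(COMMON_PASSWORDS)
    return {
        "unsalted_identical": unsalted[0] == unsalted[1],   # True: same digest
        "salted_identical": salted[0] == salted[1],         # False: salts differ
        "unsalted_recovered": len(recover_from_table(unsalted, table)),  # 2
        "salted_recovered": len(recover_from_table(salted, table)),      # 0
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The lookup table is small here, but the property it demonstrates scales: with unsalted SHA-1 an attacker computes each candidate password once and matches it against all 6.5 million digests at once, whereas with a per-user salt every digest has to be attacked separately.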

As I mentioned at the beginning of this post, if you have a LinkedIn account you should change your password immediately! Furthermore, if you use that password anywhere else (which you shouldn’t), you need to change your passwords on those accounts too. We’ve seen this sort of big password leak before (Zappos), and will surely see them again. Security professionals have always realized the importance of password security, but with so many businesses moving their assets to the cloud, password security has become paramount! So, I’ll leave you with a few “password best practice” tips I’ve dusted off from the last big password breach. If you didn’t follow this advice back then, I truly hope you consider doing so today.

  • Change your password(s) after a security breach – If a site you use ever has a security breach where attackers gain access to passwords (hashed or not), change your password immediately.
  • Use strong passwords – I believe passwords should be greater than 10 characters. One easy way to create long passwords with enough entropy is to use passphrases, or more specifically something I call pass-sentences. WatchGuard’s Bud Logs In video talks about these concepts in more detail (and is good for basic end users).
  • Use different passphrases on different web sites – This is a crucial aspect of password security, especially when considering these types of web breaches. If you, like most people, use the same password for many different web sites, attackers who crack it once could gain access to all those accounts. If you have been using the same password everywhere, you should change it to a different password on every site. That said, many people find this advice hard to implement in practice, which brings me to the next tip…
  • Leverage password vault software – Password vaults make it easier for you to manage multiple passwords securely. They are not perfect. If you use multiple machines and OSs, you may have trouble finding password management software that meets all your needs. Plus, a password vault becomes a single point of potential failure, as it almost literally stores all the keys to your kingdom. It’s extremely important to use a secure password vault, and to protect it. That said, they offer the only practical solution to managing multiple passwords today. This article suggests a few good ones to use (I have used 1Password myself).

— Corey Nachreiner, CISSP (@SecAdept)

Filed Under: Security Bytes Tagged With: leak, linkedin, passwords, Security breach, Social network

Comments

  1. Devin says

    June 11, 2012 at 6:22 am

    Since LinkedIn still isn’t sure how the data got stolen, the attackers should be able to keep stealing passwords from them. While changing our passwords is timely advice, what would you suggest is a good interval for changing passwords on a system that is clearly compromised and not yet “patched”?

  2. John Le Tellier says

    June 11, 2012 at 6:38 am

    What do you think about the Windows Vault that comes with Windows 7?

The views and opinions expressed on this website are those of the authors and do not necessarily reflect the policy or position of WatchGuard Technologies.
Copyright © 2023 WatchGuard Technologies · Cookie Policy · Privacy Policy · Terms of Use