Lessons Learned From Cracking 2M LinkedIn Passwords
An anonymous reader writes "Qualys researcher Francois Pesce used open source password cracker John the Ripper to try to crack SHA-1 hashes of leaked LinkedIn passwords. He ran the John the Ripper default command on a small default password dictionary of less than 4,000 words. The program then switched to incremental mode based on statistical analysis of known password structures, which generated more probable passwords. The results? After 4 hours, approximately 900,000 passwords had been cracked. Francois then ran numerous iterations, incorporating older dictionaries to uncover less common passwords and ended up cracking a total of 2,000,000 passwords."
Like "correct horse battery staple"?
Life is like a web application. Sometimes you need cookies just to get by.
own up, who used the password slashdot - 0000003627a75d6c96a3d965247584a78779bc3d
Send me your password and I will verify that
-No one else is using it
-It is safe
BONUS: If you send me your credit card information I will tell you if it's lucky!
THANKS,
"HAPPY DUDE"
742 EVERGREEN TERRACE
The real lesson here is just because your password database is hashed (with or without salt) doesn't mean you should let just whoever download the thing.
Genius. Pure genius. I hope the NSA snaps you right up. It's people like you with keen intellects that can come up with such a conclusion (that no one else has ever even considered) that will save this great nation of ours. Thank you. Thank you.
I'm going to go and change my setup so that my password databases aren't visible to the Internet anymore. It's just incredible. Are you the result of a Mensa genetic engineering experiment or something?
What an excellent opportunity! I just told everybody on my LinkedIn account what I *really* thought of them, waited an hour, and told them all my password was hacked. Good times, good times.
Yeah, me too. I told my brother that stealing my girlfriend in the 8th grade was a shitty thing to do and he should stop getting drunk in bars. Then an hour later I told him my account was hacked and that wasn't me who wrote that.
- For the complete works of Shakespeare: cat
She clearly left him because of his lax security behavior, you insensitive clod.
because she refused to properly secure her ports to outside access.