Slashdot Mirror


Lessons Learned From Cracking 2M LinkedIn Passwords

An anonymous reader writes "Qualys researcher Francois Pesce used open source password cracker John the Ripper to try to crack SHA-1 hashes of leaked LinkedIn passwords. He ran the John the Ripper default command on a small default password dictionary of less than 4,000 words. The program then switched to incremental mode based on statistical analysis of known password structures, which generated more probable passwords. The results? After 4 hours, approximately 900,000 passwords had been cracked. Francois then ran numerous iterations, incorporating older dictionaries to uncover less common passwords and ended up cracking a total of 2,000,000 passwords."

5 of 198 comments

  1. Re:Do not use standard passwords by Shetan · · Score: 5, Informative

    So what next?

    Two factor authentication.

  2. Re:Do not use standard passwords by ShanghaiBill · · Score: 5, Informative

    Salting doesn't stop brute force crackers like JtR

    Salting doesn't make brute force crackers impossible, but it makes brute force much, much less effective. If I have two million unsalted passwords, I just need to compute a hash for a dictionary word one time and then do two million string comparisons. If I have two million salted passwords, then I need to hash the dictionary word two million times. That is far, far more time consuming.

  3. Re:Check your password by Jahava · · Score: 5, Informative

    www.leakedin.org/

    Nobody should use this site, period.

    You seriously expect people to go to an arbitrary site and enter their password, knowing that the hashes have been leaked alongside account information?

    In the kindest possible world this may be seen as a service, but the skeptic in everyone should hear very loud alarm bells. This site could easily log all of the passwords that are entered for "testing", use them to solve the harder-to-brute-force hashes, and deliver to the site operator the resulting account information and plaintext password!

    Even if you had the best intentions posting that link, and even if the site actually is completely innocuous, one should never encourage any user to enter their password into a random third-party site. Please take it down immediately.

  4. Re:Do not use standard passwords by Junta · · Score: 4, Informative

    If you have a salt in *code* (I presume a static one), I would wager it would be easy to discern. A salt is not supposed to be 'secret', it's just supposed to prevent easy identification of common passwords and a simplistic rainbow table attack.

    Now if each client had a machine generated salt to append before transmitting to the server, that actually is serviceable. Of course, the standard practice of complete obfuscation of the password through local algorithms is better.

    --
    XML is like violence. If it doesn't solve the problem, use more.
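
The two comments above (ShanghaiBill's on why salting multiplies the cracker's work, and Junta's on why a single static salt in code does not) can be made concrete with a small cost model. The following is an added example, not code from the article, from Qualys, or from any commenter: it uses a constructed five-user database and a constructed five-word list in place of the LinkedIn dump and John the Ripper's wordlist, and it counts how many hash computations a dictionary attack needs against unsalted, static-salted and per-user-salted SHA-1 storage. The user names, passwords and `STATIC_SALT` value are all made up for the illustration.

```python
import hashlib
import os

# Constructed toy data: five users, three of whom share the same password.
USERS = {
    "alice": "password1",
    "bob": "letmein",
    "carol": "password1",
    "dave": "123456",
    "erin": "password1",
}
# Constructed toy dictionary standing in for a cracker's wordlist.
WORDLIST = ["123456", "qwerty", "password1", "letmein", "dragon"]
# What "a salt in code" looks like: one constant shared by every record.
STATIC_SALT = b"app-wide-constant"


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def store_unsalted(users):
    """user -> SHA-1(password), as in the leaked LinkedIn dump."""
    return {u: sha1_hex(p.encode()) for u, p in users.items()}


def store_static_salt(users, salt=STATIC_SALT):
    """user -> SHA-1(salt || password) with the same salt for everyone."""
    return {u: sha1_hex(salt + p.encode()) for u, p in users.items()}


def store_per_user_salt(users, salt_len=16):
    """user -> (random salt, SHA-1(salt || password)); salt stored beside hash."""
    out = {}
    for u, p in users.items():
        salt = os.urandom(salt_len)
        out[u] = (salt, sha1_hex(salt + p.encode()))
    return out


def duplicate_groups(user_to_hash):
    """Users whose stored hashes are identical, i.e. who visibly share a password.

    Returns a sorted list of sorted user-name groups with more than one member.
    """
    by_hash = {}
    for u, h in user_to_hash.items():
        by_hash.setdefault(h, []).append(u)
    return sorted(sorted(g) for g in by_hash.values() if len(g) > 1)


def crack_constant_salt(user_to_hash, wordlist, salt=b""):
    """Dictionary attack when every record uses the same (possibly empty) salt.

    Each word is hashed once and compared against all stored hashes via a
    lookup table, so the work is len(wordlist) hashes regardless of user count.
    Returns (cracked user -> password, number of hashes computed).
    """
    index = {}
    for u, h in user_to_hash.items():
        index.setdefault(h, []).append(u)
    cracked, hashes_done = {}, 0
    for w in wordlist:
        h = sha1_hex(salt + w.encode())
        hashes_done += 1
        for u in index.get(h, []):
            cracked[u] = w
    return cracked, hashes_done


def crack_per_user_salt(user_to_salted, wordlist):
    """Dictionary attack against per-user salts.

    No lookup table is possible: each word must be rehashed with every user's
    salt, so the work is len(users) * len(wordlist) hashes (worst case, no
    early exit).  Returns (cracked user -> password, number of hashes computed).
    """
    cracked, hashes_done = {}, 0
    for u, (salt, h) in user_to_salted.items():
        for w in wordlist:
            hashes_done += 1
            if sha1_hex(salt + w.encode()) == h:
                cracked[u] = w
    return cracked, hashes_done


if __name__ == "__main__":
    unsalted = store_unsalted(USERS)
    print("unsalted: shared-password groups visible:", duplicate_groups(unsalted))
    print("unsalted: hashes needed:", crack_constant_salt(unsalted, WORDLIST)[1])
    static = store_static_salt(USERS)
    print("static salt: hashes needed:",
          crack_constant_salt(static, WORDLIST, STATIC_SALT)[1])
    per_user = store_per_user_salt(USERS)
    print("per-user salt: shared-password groups visible:",
          duplicate_groups({u: h for u, (_, h) in per_user.items()}))
    print("per-user salt: hashes needed:", crack_per_user_salt(per_user, WORDLIST)[1])
```

With five users and five words the unsalted and static-salt stores both fall to 5 hash computations, and the unsalted store additionally exposes that alice, carol and erin share a password before a single hash is computed; the per-user-salt store costs 25, and the factor grows with the user count, which is the "two million times" in ShanghaiBill's comment. The static salt only defeats precomputed tables built without it; it does nothing against an attacker who has the code.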

  5. Re:gpg by Terrasque · · Score: 4, Informative

    http://hashapass.com/ has a bookmarklet. Not completely auto, you still need to write in a keyword for the site, but still... Does a good job.

    --
    It's The Golden Rule: "He who has the gold makes the rules."
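
The bookmarklet Terrasque mentions belongs to a family of tools that derive a distinct password for each site from one master secret plus a site keyword, so a breach like LinkedIn's exposes a password that is useless anywhere else. The following is an added example of that general shape, not hashapass's own code or its exact parameters (which this page does not give): it keys an HMAC-SHA256 with the master secret, feeds it the site keyword, and base64-encodes and truncates the result. The master secret and keywords are constructed sample values.

```python
import base64
import hashlib
import hmac


def derive_site_password(master: str, site_keyword: str, length: int = 12) -> str:
    """Derive a per-site password from a master secret and a site keyword.

    Illustrative scheme (assumed, not hashapass's algorithm): HMAC-SHA256 keyed
    with the master secret over the site keyword, base64-encoded, truncated to
    `length` characters.  The same (master, keyword) always yields the same
    password, and the HMAC is one-way, so a leaked site password does not give
    back the master secret.
    """
    if not master or not site_keyword:
        raise ValueError("master secret and site keyword must both be non-empty")
    mac = hmac.new(master.encode("utf-8"), site_keyword.encode("utf-8"),
                   hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")[:length]


def passwords_are_unlinkable(master: str, keywords) -> bool:
    """True if every keyword yields a distinct derived password for this master."""
    derived = [derive_site_password(master, k) for k in keywords]
    return len(set(derived)) == len(derived)


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    MASTER = "correct horse battery staple"
    for site in ("linkedin", "example-mail", "example-bank"):
        print(f"{site:>13}: {derive_site_password(MASTER, site)}")
```

The check a user cares about is the one `passwords_are_unlinkable` performs: one master, many keywords, no two sites ending up with the same password. The residual risk is the master secret itself, which is why the keyword must be entered into the bookmarklet and never into the target site.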