Slashdot Mirror


Lessons Learned From Cracking 2M LinkedIn Passwords

An anonymous reader writes "Qualys researcher Francois Pesce used open source password cracker John the Ripper to try to crack SHA-1 hashes of leaked LinkedIn passwords. He ran the John the Ripper default command on a small default password dictionary of less than 4,000 words. The program then switched to incremental mode based on statistical analysis of known password structures, which generated more probable passwords. The results? After 4 hours, approximately 900,000 passwords had been cracked. Francois then ran numerous iterations, incorporating older dictionaries to uncover less common passwords and ended up cracking a total of 2,000,000 passwords."

4 of 198 comments

  1. Do not use standard passwords by Anonymous Coward · Score: 5, Insightful

    Surely this is not news.

    1. Re:Do not use standard passwords by Qzukk · Score: 4, Insightful

      Salting doesn't stop brute force crackers like JtR, it only stops attackers from using a rainbow table and/or discovering that two people have the same password.

      The real lesson here is just because your password database is hashed (with or without salt) doesn't mean you should let just whoever download the thing.

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
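The point in the reply above (salt defeats a shared precomputed table and hides which users share a password, but does nothing against a wordlist run per user) as an added worked example; this is not code from the thread, the article, or John the Ripper. The user records and the five-word list are constructed for the demonstration, and the hashing is plain SHA-1 as in the leaked LinkedIn dump, so the example also shows why a fast hash stays weak against guessable passwords whether or not it is salted.

```python
import hashlib
import os

# Constructed sample credential store: three users, two of whom chose the same password.
USERS = {"alice": "password123", "bob": "letmein", "carol": "password123"}

# Constructed wordlist standing in for the small default dictionary a cracker starts with.
WORDLIST = ["123456", "password", "letmein", "password123", "qwerty"]


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def store_unsalted(users):
    """Plain SHA-1 of the password, the way the leaked LinkedIn hashes were stored."""
    return {user: sha1_hex(pw.encode()) for user, pw in users.items()}


def store_salted(users, salt_fn=lambda: os.urandom(16)):
    """SHA-1 over a per-user random salt plus the password; the salt is stored alongside."""
    out = {}
    for user, pw in users.items():
        salt = salt_fn()
        out[user] = (salt.hex(), sha1_hex(salt + pw.encode()))
    return out


def shared_password_groups(hashes):
    """Users whose stored hash is identical, i.e. who visibly share a password."""
    by_hash = {}
    for user, h in hashes.items():
        by_hash.setdefault(h, []).append(user)
    return [sorted(users) for users in by_hash.values() if len(users) > 1]


def dictionary_attack_unsalted(stored, wordlist):
    """One table of hash->word, computed once, is looked up for every user."""
    table = {sha1_hex(w.encode()): w for w in wordlist}  # len(wordlist) hash computations
    found = {user: table[h] for user, h in stored.items() if h in table}
    return found, len(wordlist)


def dictionary_attack_salted(stored, wordlist):
    """With salts the wordlist has to be re-hashed per user: same outcome, more work."""
    found, work = {}, 0
    for user, (salt_hex, h) in stored.items():
        salt = bytes.fromhex(salt_hex)
        for word in wordlist:
            work += 1
            if sha1_hex(salt + word.encode()) == h:
                found[user] = word
                break
    return found, work


def compare():
    """Summarise what salting does and does not change for the constructed data."""
    unsalted = store_unsalted(USERS)
    salted = store_salted(USERS)
    found_u, work_u = dictionary_attack_unsalted(unsalted, WORDLIST)
    found_s, work_s = dictionary_attack_salted(salted, WORDLIST)
    return {
        "duplicates_visible_unsalted": shared_password_groups(unsalted),
        "duplicates_visible_salted": shared_password_groups({u: h for u, (_, h) in salted.items()}),
        "cracked_unsalted": found_u,
        "cracked_salted": found_s,
        "hashes_computed_unsalted": work_u,
        "hashes_computed_salted": work_s,
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

Run as a script it shows the two stores side by side: the unsalted store exposes that alice and carol share a password and falls to a single five-entry lookup table, while the salted store hides the duplicate and multiplies the work by the number of users, yet every weak password is still recovered. The defensive takeaway matches the reply: salt is necessary but not sufficient, and the hash list itself must never be obtainable.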
  2. Real lesson -- make guessing expensive! by redelm · Score: 4, Insightful

    The predictable whining (and obligatory xkcd rebut) will be to make passwds "stronger", because open hashes or fast guessing is acceptable provider security.

    I call BS! More "blaming the victim". Any secadmin/netadmin who has hashes available or allows unthrottled passwd guessing is INCOMPETENT. Staff are paid for professional-level knowledge so users do not need to be concerned.

    The work itself is very nice, MD5 hashes can be cracked quickly in massive parallel on GPU hardware. This only matters after the hashes have already been stolen.

    Practical security should be more systemic -- the cost of a wrong guess is more than a nanosecond of GPU. There are at least network delays, and in many cases lockouts. The latter make random guessing too costly/slow, especially progressive systems that allow 5 wrongs immediately, 10 in an hour, 20 in a day, and lock hard (manual intervention) above that.

    My father had one of the early ATM cards but had me operate the machinery. It had an 8 digit assigned PIN, but dropped quickly to 4 when it was realized the 8 were hard to remember, and swallowing the card after 3 wrong guesses was more than adequate.
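The progressive lockout the comment above describes (5 wrong guesses at no cost, 10 in an hour, 20 in a day, hard lock beyond that) as an added example of how an online service can make each wrong guess cost more than a GPU cycle; this is my own illustration, not code from the thread. The numbers are taken from the comment; the 60-second cool-down applied between guesses once the free burst is used up, and the rule that a successful login clears the counters, are my assumptions about how such a policy is filled in.

```python
import time
from collections import defaultdict

HOUR, DAY = 3600, 86400


class LoginThrottle:
    """Progressive failed-login policy, one reading of the comment's numbers:
    - the first `burst` failures in the last hour cost nothing extra;
    - beyond that a `cooldown` (assumed 60 s) must pass since the last failure;
    - at `per_hour` failures in the last hour, attempts are refused until the window drains;
    - at `per_day` failures in the last day the account is hard-locked until an admin unlocks it.
    """

    def __init__(self, burst=5, per_hour=10, per_day=20, cooldown=60):
        self.burst, self.per_hour, self.per_day, self.cooldown = burst, per_hour, per_day, cooldown
        self.failures = defaultdict(list)   # user -> timestamps of failed attempts, in order
        self.hard_locked = set()

    def _recent(self, user, now, window):
        return [t for t in self.failures[user] if now - t < window]

    def check(self, user, now=None):
        """Decide before the password is compared: (decision, retry_after_seconds)."""
        now = time.time() if now is None else now
        if user in self.hard_locked:
            return "locked", None
        hour = self._recent(user, now, HOUR)
        if len(hour) >= self.per_hour:
            return "denied", hour[0] + HOUR - now    # wait for the oldest failure to age out
        if len(hour) >= self.burst:
            wait = self.cooldown - (now - hour[-1])
            if wait > 0:
                return "denied", wait
        return "allowed", 0

    def record_failure(self, user, now=None):
        now = time.time() if now is None else now
        self.failures[user].append(now)
        if len(self._recent(user, now, DAY)) >= self.per_day:
            self.hard_locked.add(user)              # manual intervention from here on

    def record_success(self, user):
        self.failures.pop(user, None)               # a real login clears the counters; a hard lock stays

    def admin_unlock(self, user):
        self.hard_locked.discard(user)
        self.failures.pop(user, None)


def simulate_wrong_guesses(n, interval, **policy):
    """Feed n wrong guesses, `interval` seconds apart, and count what the policy did."""
    throttle = LoginThrottle(**policy)
    counts = {"allowed": 0, "denied": 0, "locked": 0}
    for i in range(n):
        now = i * interval
        decision, _ = throttle.check("alice", now)
        counts[decision] += 1
        if decision == "allowed":                   # only attempts that reach the password check count
            throttle.record_failure("alice", now)
    return counts


if __name__ == "__main__":
    print("30 guesses one second apart:", simulate_wrong_guesses(30, 1))
    print("30 guesses 400 seconds apart:", simulate_wrong_guesses(30, 400))
```

Thirty rapid-fire guesses reach the password check only five times; thirty guesses spread over a few hours get twenty tries before the account is hard-locked. Either way the attacker's rate is set by the service, not by their GPU, which is the comment's point. The timestamps are injected so the policy can be tested without waiting real hours.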

  3. Re:Value of a linkedin account by Anonymous Coward · Score: 5, Insightful

    It probably has little value, but the account name is an email address. Many people use the same account/pass combination for multiple sites, including perchance their paypal account. If they manage to pull a few million email/password combos from linkedin, I can guarantee you that some of those combinations will match paypal exactly.