Blog article
See all stories »

Is your LinkedIn Password Compromised?

The recent LinkedIn accounts compromise in which 6.5 million password hashes were published in the Russian hacker community grabbed a lot of media attention.

In a hellish period of publicly known breaches that hit the front page news, with perimeter security defenses failing left and right in any possible vertical and geography, this incident stirs some deeper emotions than usual. It seems to be a bit more worrying. It’s personal. I bet that every reader here has a LinkedIn account (raise your hand of you don’t). Certainly every journalist has one.

Unlike other social networks, the vast majority of these 6.5 million accounts represent unique identities of real people. You have one account, it’s not shared with anyone else, and it’s really you – no alias. It is your cyberspace business card, the one digital public face you’re extremely careful not to ruin by posting what you ate five minutes ago and which gossip article you just read. If you use a work-related social network account, it’s going to be LinkedIn. It’s such a great way to collaborate and communicate that you can’t afford not to use it.

All of this makes you feel it’s worth protecting. We don’t really know why, but we sense it’s not a good idea for fraudsters to know our LinkedIn credentials, although it’s not a bank account or a credit card number. And if you haven’t done so already, you’re probably going to change your LinkedIn password in the next few days. And, as a follow-up, you might change the passwords for other Internet applications, because one often uses the same password for at least 3 more sites. It’s bad habit, but one that takes effort to change.

By the way, if you think of it in terms of “passphrase”, it’s better as it lets you pick up a long string of text that may be even easier to remember, but has a much higher entropy.

As an example, the following string is the SHA1 hash of a password that has 9 digits. The first six are a lower case English word and the other three are numbers.


This hash is extremely easy to crack: Use the following free SHA1 decrypting site to see the password. If you're not technical, don't worry, the site is very simple to use.

Note that this site doesn’t really decrypt hashes – but rather searches in a pre-calculated list of hashes that correspond to 8.7 billion passwords. This is called a ‘rainbow table’.

As an interesting side note, the bottom of the decrypting site shows recently successful decryptions, including the geo-location of the person trying to crack the hash. Half use anonymized servers, and the other half come from a particularly interesting distribution of countries, whom I shall not name to avoid generalizations. Yes, they might be academic researchers trying to check some hashes or innocent users who wish to use the site to see if their password can be easily cracked. It doesn’t HAVE to be people who want to de-hash illegitimately obtained passwords. Well, I’m going to quote the Princess Bride here: “Probably some local fisherman out for a pleasure cruise at night... through eel infested waters”. Not really…

If you’re bored, try to decrypt the following hash:


You’ll see that you can’t crack it using the website I provided, as it’s not in the 8.7 billion pre-cracked hashes. It’s actually a sentence from the Princess Bride, with each word separated by symbols like !, @, #, $ and %. Very easy to remember passphrase, by the way. 

Is your favorite password something the site will easily crack? Easy to check. Click here, type your favorite password, get a hash, and try it on the previous site. Enjoy!



Comments: (4)

A Finextra member
A Finextra member 12 June, 2012, 17:06Be the first to give this comment the thumbs up 0 likes

I used to use SHA1 at an previous employer to compare a hash of username and password with that on the database when a user logged into the system.

I was quite paranoid in those days so I hashed the password, then hashed the username and hash of the password and compared that with the value that was held on the system. That's probably still secure...!

Geek bit of trivia: SHA stands for Secure Hashing Algorithm and it was invented by the US of A's NSA.

Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 14 June, 2012, 17:46Be the first to give this comment the thumbs up 0 likes


Great pair of websites. Thanks for profiling them!

After a very quick and dirty test with a couple of passwords, I've jumped to the following conclusion which fellow readers might want to accept on faith or reject outright: Passwords in foreign (i.e. non-English) languages are impossible to crack, though easier to remember (in case you know only a few foreign words).

A Finextra member
A Finextra member 19 June, 2012, 09:29Be the first to give this comment the thumbs up 0 likes

Use foreign words for a passcode, had not thought of that.

What are your thoughts on this xkcd post - - is it 'better' to use a passcode, or go for a non dictionary password that also contains symbols and numbers?

Uri Rivner
Uri Rivner - Refine Intelligence - Tel Aviv 20 June, 2012, 11:44Be the first to give this comment the thumbs up 0 likes

Yes, it is better to use a passphrase than a password. Using 'brute force' attacks against a long passphrase - say, 20 characters - takes too much time. And you can memorize it better. But lets also understand that if everyone moves to pass phrases, rainbow tables will be calculated for common phrases, and common words used in various combinations.

So for example the following passphrase "Doctor Livingstone I presume" is far better than R9x$k32(; - and far more memorable - from a brute force perspective. On the other hand, it's more likely that a rainbow table entry will be created for such a trivial passphrase (to save you time, evil hackers, the hash for this passphrase is: 8c3561cda2c346758895f42084bff6e2d5369ff4).

So when creating a passphrase, avoid obvious choices such as "Me Tarzan You Jane" or "Live Long And Prosper". But you can 'salt' it easily with some other characters: for example, "Live!Long and Prosper" adds a bit more cracking difficulty and isn't too hard on the memory.

Uri Rivner

Uri Rivner

CEO and Co-Founder

Refine Intelligence

Member since

14 Apr 2008


Tel Aviv

Blog posts




This post is from a series of posts in the group:

Information Security

The risks from Cyber cime - Hacking - Loss of Data Privacy - Identity Theft and other topical threats - can be greatly reduced by implementation of robust IT Security controls ...

See all

Now hiring