The recent LinkedIn accounts compromise in which 6.5 million password hashes were
published in the Russian hacker community grabbed a lot of media attention.
In a hellish period of publicly known breaches that hit the front page news, with perimeter security defenses failing left and right in any possible vertical and geography, this incident stirs some deeper emotions than usual. It seems to be a bit more worrying.
It’s personal. I bet that every reader here has a LinkedIn account (raise your hand of you don’t). Certainly every journalist has one.
Unlike other social networks, the vast majority of these 6.5 million accounts represent unique identities of real people. You have one account, it’s not shared with anyone else, and it’s really you – no alias. It is your cyberspace business card, the one
digital public face you’re extremely careful not to ruin by posting what you ate five minutes ago and which gossip article you just read. If you use a work-related social network account, it’s going to be LinkedIn. It’s such a great way to collaborate and
communicate that you can’t afford not to use it.
All of this makes you feel it’s worth protecting. We don’t really know why, but we sense it’s not a good idea for fraudsters to know our LinkedIn credentials, although it’s not a bank account or a credit card number. And if you haven’t done so already, you’re
probably going to change your LinkedIn password in the next few days. And, as a follow-up, you might change the passwords for other Internet applications, because one often uses the same password for at least 3 more sites. It’s bad habit, but one that takes
effort to change.
By the way, if you think of it in terms of “passphrase”, it’s better as it lets you pick up a long string of text that may be even easier to remember, but has a much
higher entropy.
As an example, the following string is the SHA1 hash of a password that has 9 digits. The first six are a lower case English word and the other three are numbers.
c0d91101de2abe3807ae2a37bc28825f59d264ba
This hash is extremely easy to crack: Use the
following free SHA1 decrypting site to see the password. If you're not technical, don't worry, the site is very simple to use.
Note that this site doesn’t really decrypt hashes – but rather searches in a pre-calculated list of hashes that correspond to 8.7 billion passwords. This is called a ‘rainbow table’.
As an interesting side note, the bottom of the decrypting site shows recently successful decryptions, including the geo-location of the person trying to crack the hash. Half use anonymized servers, and the other half come from a particularly interesting
distribution of countries, whom I shall not name to avoid generalizations. Yes, they might be academic researchers trying to check some hashes or innocent users who wish to use the site to see if their password can be easily cracked. It doesn’t HAVE to be
people who want to de-hash illegitimately obtained passwords. Well, I’m going to quote the Princess Bride here: “Probably some local fisherman out for a pleasure cruise at night... through eel infested waters”. Not really…
If you’re bored, try to decrypt the following hash:
182930b6531d18add5ac7cec49540a45016cb088
You’ll see that you can’t crack it using the website I provided, as it’s not in the 8.7 billion pre-cracked hashes. It’s actually a sentence from the Princess Bride, with each word separated by symbols like !, @, #, $ and %. Very easy to remember passphrase,
by the way.
Is your favorite password something the site will easily crack? Easy to check. Click here, type your favorite password, get a hash, and try it on the previous site. Enjoy!