24 September 2017
Uri Rivner

The Joy of Fraud Fighting

Uri Rivner - BioCatch

Information Security

Is your LinkedIn Password Compromised?

11 June 2012  |  6585 views  |  3

The recent LinkedIn accounts compromise in which 6.5 million password hashes were published in the Russian hacker community grabbed a lot of media attention.

In a hellish period of publicly known breaches that hit the front-page news, with perimeter security defenses failing left and right in every possible vertical and geography, this incident stirs some deeper emotions than usual. It seems to be a bit more worrying. It’s personal. I bet that every reader here has a LinkedIn account (raise your hand if you don’t). Certainly every journalist has one.

Unlike other social networks, the vast majority of these 6.5 million accounts represent unique identities of real people. You have one account, it’s not shared with anyone else, and it’s really you – no alias. It is your cyberspace business card, the one digital public face you’re extremely careful not to ruin by posting what you ate five minutes ago and which gossip article you just read. If you use a work-related social network account, it’s going to be LinkedIn. It’s such a great way to collaborate and communicate that you can’t afford not to use it.

All of this makes you feel it’s worth protecting. We don’t really know why, but we sense it’s not a good idea for fraudsters to know our LinkedIn credentials, even though it’s not a bank account or a credit card number. And if you haven’t done so already, you’re probably going to change your LinkedIn password in the next few days. As a follow-up, you might change the passwords for other Internet applications too, because one often uses the same password for at least 3 more sites. It’s a bad habit, but one that takes effort to change.

By the way, thinking of it as a “passphrase” rather than a password helps: it lets you pick a long string of text that may be even easier to remember, yet has much higher entropy.

As an example, the following string is the SHA1 hash of a password that is 9 characters long: the first six form a lower-case English word and the last three are numerals.


This hash is extremely easy to crack: Use the following free SHA1 decrypting site to see the password. If you're not technical, don't worry, the site is very simple to use.

Note that this site doesn’t really decrypt hashes; it searches a pre-calculated list of hashes corresponding to 8.7 billion passwords. This is called a ‘rainbow table’.

As an interesting side note, the bottom of the decrypting site shows recently successful decryptions, including the geo-location of the person trying to crack the hash. Half use anonymized servers, and the other half come from a particularly interesting distribution of countries, whom I shall not name to avoid generalizations. Yes, they might be academic researchers trying to check some hashes or innocent users who wish to use the site to see if their password can be easily cracked. It doesn’t HAVE to be people who want to de-hash illegitimately obtained passwords. Well, I’m going to quote the Princess Bride here: “Probably some local fisherman out for a pleasure cruise at night... through eel infested waters”. Not really…

If you’re bored, try to decrypt the following hash:


You’ll see that you can’t crack it using the website I provided, as it’s not among the 8.7 billion pre-cracked hashes. It’s actually a sentence from the Princess Bride, with each word separated by symbols like !, @, #, $ and %. A very easy passphrase to remember, by the way.

Is your favorite password something the site will easily crack? Easy to check. Click here, type your favorite password, get a hash, and try it on the previous site. Enjoy!
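As an added example (not code from the original post, nor from the lookup site it links to), the following Python script shows, at toy scale, what the “decryption” described above actually is, and what stops it. It precomputes unsalted SHA-1 hashes for every “six-letter word + three digits” candidate over a constructed eight-word list, recovers a password of that shape by a single dictionary lookup, fails on a symbol-separated passphrase, and then shows the defender’s side: a per-user random salt plus an iterated hash (PBKDF2-HMAC-SHA256 from the standard library) makes the same password hash to different values for different users, so one precomputed table cannot be reused. The wordlist, the passphrase and the iteration count are constructed or assumed values.

```python
import hashlib
import hmac
import os

# Constructed toy wordlist standing in for the dictionary behind a lookup site.
WORDS = ["castle", "dragon", "summer", "winter", "yellow", "silver", "orange", "planet"]

# Constructed passphrase in the style the post describes: quote words joined by symbols.
PASSPHRASE = "Have!fun@storming#the$castle"

PBKDF2_ITERATIONS = 200_000  # assumed work factor; tune to ~100 ms on your own hardware


def sha1_hex(text):
    """Plain, unsalted SHA-1, as in the post's hash examples."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def build_lookup_table(words):
    """Precompute digest -> password for every 'word + 3 digits' candidate.

    Toy version of the pre-calculated list the post describes: because the
    hash is unsalted, one table serves every account that ever used it.
    """
    table = {}
    for word in words:
        for n in range(1000):
            candidate = f"{word}{n:03d}"
            table[sha1_hex(candidate)] = candidate
    return table


def lookup(table, digest):
    """Return the password for a digest if it was precomputed, else None."""
    return table.get(digest.lower())


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Defender's side: per-user random salt plus an iterated, slow hash."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_password(password, salt, expected, iterations=PBKDF2_ITERATIONS):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt, iterations)
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    table = build_lookup_table(WORDS)
    print(f"precomputed {len(table)} unsalted SHA-1 entries")
    print("castle123  ->", lookup(table, sha1_hex("castle123")))
    print("passphrase ->", lookup(table, sha1_hex(PASSPHRASE)))
    s1, h1 = hash_password("castle123")
    s2, h2 = hash_password("castle123")
    print("same password, two users, identical stored digest?", h1 == h2)
    print("verify against stored salt:", verify_password("castle123", s1, h1))
```

The lookup side is fast because the table is built once and reused against every stolen digest; the PBKDF2 side is deliberately slow and salted, so an attacker has to start from scratch for every single account and pay the full iteration cost per guess.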

Image: Princess Bride swimming in eel infested waters

Tags: Security

Comments: (4)

A Finextra member | 12 June, 2012, 17:06

I used to use SHA1 at a previous employer to compare a hash of username and password with that on the database when a user logged into the system.

I was quite paranoid in those days so I hashed the password, then hashed the username and hash of the password and compared that with the value that was held on the system. That's probably still secure...!

Geek bit of trivia: SHA stands for Secure Hashing Algorithm and it was invented by the US of A's NSA.

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 14 June, 2012, 17:46

Great pair of websites. Thanks for profiling them!

After a very quick and dirty test with a couple of passwords, I've jumped to the following conclusion which fellow readers might want to accept on faith or reject outright: Passwords in foreign (i.e. non-English) languages are impossible to crack, though easier to remember (in case you know only a few foreign words).

A Finextra member | 19 June, 2012, 09:29

Use foreign words for a passcode, had not thought of that.

What are your thoughts on this xkcd post - http://xkcd.com/936/ - is it 'better' to use a passcode, or go for a non dictionary password that also contains symbols and numbers?

Uri Rivner - BioCatch - Tel Aviv | 20 June, 2012, 11:44

Yes, it is better to use a passphrase than a password. Using 'brute force' attacks against a long passphrase - say, 20 characters - takes too much time. And you can memorize it better. But let's also understand that if everyone moves to passphrases, rainbow tables will be calculated for common phrases, and common words used in various combinations.

So for example the following passphrase "Doctor Livingstone I presume" is far better than R9x$k32(; - and far more memorable - from a brute force perspective. On the other hand, it's more likely that a rainbow table entry will be created for such a trivial passphrase (to save you time, evil hackers, the hash for this passphrase is: 8c3561cda2c346758895f42084bff6e2d5369ff4).

So when creating a passphrase, avoid obvious choices such as "Me Tarzan You Jane" or "Live Long And Prosper". But you can 'salt' it easily with some other characters: for example, "Live!Long and Prosper" adds a bit more cracking difficulty and isn't too hard on the memory.

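To put numbers on the trade-off described in the reply above (character-by-character brute force versus a table of common phrases or word combinations, and the extra cost of a 'salt' character), here is an added Python estimator that is not part of the post or the comment thread. It expresses each attacker strategy as bits of search space and converts that to an expected cracking time at an assumed guess rate. The vocabulary sizes, the phrase-list size and the guess rate are assumptions chosen for illustration, not measurements; the 8.7 billion figure is the one the post gives for the lookup site.

```python
import math

# Assumed offline guess rate for one cracking rig (illustrative, not measured).
GUESSES_PER_SECOND = 1e9


def bits_random(length, alphabet_size):
    """Search space, in bits, of a uniformly random string of this length."""
    return length * math.log2(alphabet_size)


def bits_wordlist(num_words, vocabulary_size):
    """Search space when the attacker guesses whole words from a vocabulary."""
    return num_words * math.log2(vocabulary_size)


def bits_table(entries):
    """Coverage of a precomputed table with this many entries, in bits."""
    return math.log2(entries)


def bits_added_by_symbol(positions, symbols):
    """Extra bits from inserting one of `symbols` at one of `positions`."""
    return math.log2(positions * symbols)


def expected_seconds(bits, rate=GUESSES_PER_SECOND):
    """Expected time to hit the secret: half the space at the given rate."""
    return 2 ** (bits - 1) / rate


def human_time(seconds):
    """Render a duration for the report."""
    if seconds < 60:
        return f"{seconds:.1f} s"
    if seconds < 3600:
        return f"{seconds / 60:.1f} min"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} h"
    years = seconds / (365.25 * 86400)
    if years < 1000:
        return f"{years:.1f} years"
    return f"{years:.1e} years"


def scenarios():
    """(label, bits) for the strategies discussed in the thread.

    All population sizes are assumptions: 15,000 six-letter words,
    20,000 common English words, 1,000,000 well-known quotations,
    32 keyboard symbols, 20 insertion positions.
    """
    return [
        ("word + 3 digits, attacker iterates a wordlist",
         bits_wordlist(1, 15_000) + bits_table(1_000)),
        ("the post's 8.7 billion-entry lookup table",
         bits_table(8.7e9)),
        ("9 random printable ASCII characters",
         bits_random(9, 95)),
        ("28-char quotation, attacker brute-forces characters",
         bits_random(28, 95)),
        ("same quotation, attacker combines 4 words from a vocabulary",
         bits_wordlist(4, 20_000)),
        ("same quotation, attacker tries a list of famous phrases",
         bits_table(1_000_000)),
        ("famous phrase plus one symbol at a random position",
         bits_table(1_000_000) + bits_added_by_symbol(20, 32)),
    ]


def report():
    """Return one (label, bits, expected time) row per scenario."""
    return [(label, round(bits, 1), human_time(expected_seconds(bits)))
            for label, bits in scenarios()]


if __name__ == "__main__":
    for label, bits, when in report():
        print(f"{bits:6.1f} bits  {when:>14}  {label}")
```

Read the rows together: the quotation is unreachable by character-level brute force, yet falls quickly if the attacker guesses it as a phrase, which is exactly why the reply recommends avoiding well-known lines; the final row shows that one inserted symbol buys only about nine bits, a real but modest gain, so it is a supplement to an unusual phrase rather than a replacement for one.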