Forgot your password?
typodupeerror
Security IT

Lessons Learned From Cracking 2M LinkedIn Passwords 198

Posted by samzenpus
from the listen-to-the-learnings dept.
An anonymous reader writes "Qualys researcher Francois Pesce used open source password cracker John the Ripper to try to crack SHA-1 hashes of leaked LinkedIn passwords. He ran the John the Ripper default command on a small default password dictionary of less than 4,000 words. The program then switched to incremental mode based on statistical analysis of known password structures, which generated more probable passwords. The results? After 4 hours, approximately 900,000 passwords had been cracked. Francois then ran numerous iterations, incorporating older dictionaries to uncover less common passwords and ended up cracking a total of 2,000,000 passwords."
This discussion has been archived. No new comments can be posted.

Lessons Learned From Cracking 2M LinkedIn Passwords

Comments Filter:
  • by Anonymous Coward on Monday June 11, 2012 @10:27AM (#40283201)

    Surely this is not news.

    • by Richard_at_work (517087) <<richardprice> <at> <gmail.com>> on Monday June 11, 2012 @10:40AM (#40283377)

      The problem is, even passwords that would have been considered "non-standard" 5 years ago is now easily crackable - according to GRC, a password I used 5 years ago consisting of ten characters, alpha numeric, mixed case and a symbol would take just an hour or so to crack. That was quite eye opening.

      So what next?

      • by Shetan (20885) on Monday June 11, 2012 @10:50AM (#40283513)

        So what next?

        Two factor authentication.

      • by Kjella (173770)

        Well there's two ways here, online and offline cracking. I imagine LinkedIn has some kind of policy to stop people doing millions of authentication attempts online. If they get the PW from linkedin and can crack it offline then IMO linkedin's security has already failed. If you can get the passwords the hacker can probably get most anything else, so it's just damage control - don't reuse the password on anything you care about. In fact it's a bad idea anyway because you've no idea if someone with legal acce

      • My house is "secure" but if you are able to start hitting it with industrial equipment and take the roof off my choice of front door key doesn't matter.
        When you can down load the whole password file and brute it off line, its just a matter of time. Time to wait for tech to get better and time to press the big red go button to run the code on the bit of fast(n) tech.

        So type in a password you couldn't possible recall and each and every time you want to go back to the site - request a new password. This ma
        • by PReDiToR (687141)
          Have you ever heard of Password Hasher [wijjo.com]?
          Mine defaults to even for sites that I'll never visit again I have as standard 26 character upper, lower and symbol passwords that I don't have to remember. All I need to know is the passphrase, something like "0nLy 1 Know Thi$ pA$$phrase!" or "mmm pizza". Makes no odds, you still get a 26 char PW that has Ul$ in it.

          I know a lot of people don't use Firefox, but this really is a killer extension.
      • by Hadlock (143607)

        [blockquote]So what next?[/blockquote]So assume your password is going to be compromised eventually (the bigger the service, the greater that chance approaches 1), use a different, randomized password for each website, and rely on "forgot your password?" links for when your browser's cookie times out.
         
        For most websites, the "forgot your password?" link + checking your email takes less time than trying to guess if that was a capital P or lowercase p in "p455w0rD".

        • trying to guess if that was a capital P or lowercase p in "p455w0rD".

          As an aside, most capable crackers test for "leet" (7334) substitutions very early in their permutation rules. The word "password" is at the top of every dictionary file and is always included in the "top 100" password lists that crackers frequently expose to more detailed permutations.

          This password is almost as weak as using a somewhat obscure dictionary word like "flagellate" or "dismember". (those words may or may not have been carefully chosen)

      • by Bengie (1121981)
        One does have to add that the password would have to be focused on, which doesn't happen with database dumps like these, and it would cost a pretty penny. 10 char password with mixed/etc would take on average 1 year when doing 1 tril checks/sec. To break within an hour, one would need access to ~80-800 peta-flops of compute. Definitely something someone targeting a password could do, but it isn't cheap.
      • by falzer (224563)

        What next? You use 15 or 20 character passwords, or a passphrase of several words.

        But for the server side, use key strengthening with something like bcrypt or scrypt.
        If it takes 1 second on very fast hardware to hash a single password, then your attacker has to also spend a lot of time on each hash attempt.
        scrypt was also designed with custom hardware attacks in mind (it uses lots of memory) so it is still slow and expensive even if the attacker has key derivation logic in an asic or fpga.

        If it takes a tent

  • gpg (Score:5, Interesting)

    by Anonymous Coward on Monday June 11, 2012 @10:32AM (#40283269)

    gpg - --gen-rand 1 9 | gpg -cat > linkedin.asc

    And presto, 72 bits of sweet entropy in your password which you don't even need to remember. It suffices to remember ONE password.
    Need your linkedin password?
    gpg linkedin.asc | xsel
    (and type your one password).

    Note that this way your linkedin password is never typed and never shows up on the screen.

    • by tuffy (10202)
      I've tried a similar one-password principle using HMAC digests:

      python -c "from hashlib import sha1; from hmac import HMAC; from getpass import getpass; print HMAC('site.com', getpass(), sha1).digest().encode('base64')"

      By simply remembering the site name and a strong master password, one can generate a unique password for each site.

  • by vlm (69642) on Monday June 11, 2012 @10:39AM (#40283363)

    What is the value of a random persons stolen linkedin account... I'm trying to figure out how its not zero. I have a pretty devious mind but I can't think of any way to make money off this with a reasonable chance of success. If you poison enough of the well, the whole data set becomes worthless so you can't threaten to modify data. Maybe they tried to extort money from linkedin inc and failed so they released purely by spite? Post IPO = the titanic has been struck by the iceberg and you've already gotten away, so it doesn't matter how fast the ship sinks, therefore no point in paying extortion fees?

    Assuming only a fraction of accounts have been stolen and not the entire user list.... Why do people assume its only a tiny fraction and not the whole list of users? The same people who don't understand the concept of a "salt" must surely be correct when they say only a couple million records are out there. I would assume based on their heroic security performance to date, that ALL records are out there, we just only know about a couple.

    • by Anonymous Coward on Monday June 11, 2012 @10:43AM (#40283417)

      It probably has little value, but the account name is an email address. Many people use the same account/pass combination for multiple sites, including perchance their paypal account. If they manage to pull a few million email/password combos from linkedin, I can guarantee you that some of those combinations will match paypal exactly.

      • by rhsanborn (773855)
        And even if it doesn't match their paypall login, it may match their email login, from which, you can reset many passwords.
    • Re: (Score:2, Informative)

      by Anonymous Coward

      Instead of faking facebook accounts, someone could steal a real linkedin account to do the same:

      How spies used Facebook to steal Nato chiefs’ details

      NATO'S most senior commander was at the centre of a major security alert when a series of his colleagues fell for a fake Facebook account opened in his name - apparently by Chinese spies.

      http://www.telegraph.co.uk/technology/9136029/How-spies-used-Facebook-to-steal-Nato-chiefs-details.html

    • by Fnord666 (889225)

      What is the value of a random persons stolen linkedin account... I'm trying to figure out how its not zero.

      Because people have been known to reuse passwords on other sites that might have a non-zero value.

    • by llZENll (545605)

      A very easy way to profit is to release the stolen account data waiting for the negative press to push the stock down.

    • by Kergan (780543)

      What is the value of a random persons stolen linkedin account... I'm trying to figure out how its not zero. I have a pretty devious mind but I can't think of any way to make money off this with a reasonable chance of success.

      Many people, especially younger people, have a unique weak password. So if you've their login and their password, chances are you can also access their Facebook account, their paypal account, their bank account, etc.

    • by trdrstv (986999)

      What is the value of a random persons stolen linkedin account... I'm trying to figure out how its not zero. I have a pretty devious mind but I can't think of any way to make money off this with a reasonable chance of success.

      I'm trying to figure out the value of an active LinkedIn account. Seriously, does anyone know of anybody who got hired thanks to linkedin ?

  • by khendron (225184) on Monday June 11, 2012 @10:39AM (#40283365) Homepage

    Like "correct horse battery staple"?

    • "IfYouCanReadThisYou'reTooCloseToMyPrivats".

      "PrivacyIsDeadDon'tYouAgree".

      "YouWin,NowFckOff".

      "BeingParanoidDoesn'tMeanNobodyIsReadingThis".

    • by MetricT (128876)

      I've been running them through my own cracker (doing so helps me to find new patterns I can use to audit our passwords at work). Almost 3 million cracked so far. No "correct horse battery staple", but getting there.

      I'd still go with at least a 10 character computer-generated random password with a mix of all character types.

      Length Password
      40 1234567890123456789012345678901234567890
      24 sociological imagination
      24 linkedinlinkedinlinkedin
      23 newlinkedinpassword1234
      22 harekrishnaharekrishna

    • by kasperd (592156)

      Like "correct horse battery staple"?

      That one is not in the file. However CorrectHorseBatteryStaple hashes to a9cb82349d8c4f9aa4ba3210fadde81049300d0b, which is in the leaked list of hashes. That means either:

      • The leak happened after 936 [xkcd.com]
      • The hackers put it in there as a prank
      • This is actually the password for Randal Munroe's linkedin profile

      And if the hypothesis about the first five characters in the file having been overwritten on those entries that were cracked already is true, this means this one was not

  • by redelm (54142) on Monday June 11, 2012 @10:40AM (#40283375) Homepage

    The predictable whining (and obligatory xkcd rebut) will be to make passwds "stronger", because open hashes or fast guessing is acceptable provider security.

    I call BS! More "blaming the victim". Any secadmin/netadmin who has hashes available or allows unthrottled passwd guessing is INCOMPETANT. Staff are paid for professional-level knowledge so users do not need to be concerned.

    The work itself is very nice, MD5 hashes can be cracked quickly in massive parallel on GPU hardware. This only matters after the hashes have already been stolen.

    Practical security should be more systemic -- the cost of a wrong guess is more than a nanosecond of GPU. There are at least network delays, and in many cases lockouts. The latter make random guessing too costly/slow, especially progressive systems that allow 5 wrongs immediately, 10 in an hour, 20 in a day, and lock hard (manual intervention) above that.

    My father had one of the early ATM cards but had me operate the machinery. It had an 8 digit assigned PIN, but dropped quickly to 4 when it was realized the 8 were hard to remember, and swallowing the card after 3 wrong guesses was more than adequate.

    • What the hell are you talking about?? The problem wasn't the hashing - SHA1 is perfectly strong - it was the lack of salting, which makes attacks like this one possible. And "unthrottled passwd guessing" might be "incompetant" but preventing it doesn't do you a lick of good if you're testing against a list you downloaded.

      Yeah, they screwed up. They shouldn't have allowed the password hashes to be compromised, and they should've salted the hashes so they would be essentially worthless if compromised, but that doesn't negate the value of a strong password.

      • by Lisandro (799651)

        While the issue was clearly not the hash algorithm here, it should be noted that SHA-1 is now effectively broken [schneier.com] - you can get collisions in less time than using brute force.

        It's still a perfectly usable hash algorithm, but it has been slowly phased out for SHA-2 (SHA-512) for some time now.

        • Well, yes... I was being hyperbolic about SHA-1. The reason JtR is making headway is because the hashes are unsalted, not because the hash has problems. But if I understand it, doesn't salting even help with a weak hash? Given the hash of the password, you can perhaps find a colliding cleartext (is that the name for the input string?) in faster-than-bruteforce time but if you don't know the salt it doesn't help you because you can't completely control the input.

        • by Rich0 (548339)

          While SHA1 is broken, I doubt it makes much difference here.

          Per your link, you can find collisions in SHA1 with 2^69 hash operations per password.

          The people doing the cracking here did CONSIDERABLY fewer operations per password than this.

          Sure, everybody should be moving on, but the fundamental issue here is that passwords that people can remember generally don't have enough entropy.

        • SHA-1, like MD5, is broken for digital signatures. When someone finds a way to reverse a hash back into a password, then it will be broken for passwords.

          The only real argument against SHA-1 for passwords is that you can brute-force them rather quickly, but SHA-2 has the same problem. If this is an issue for you, use PBKDF2 or some similar algorithm.

      • by redelm (54142)

        As another reply commented, SHA1 is not "perfectly strong". And yes, salting is an easy assist to hash security. And yes, strong passwords have value, the problem is the human cost. Don't you evaluate user costs?

        Unprofessionalism (in IT and elsewhere) transfers costs from the incompetent to users/customers. Of course some costs have to be transferred. But they have a cost-benefit including user costs. Even competent management [rare] will have trouble catching mistransfers because the diffuse user commu

      • by heypete (60671)

        Yes, but modern GPUs can compute SHA-1 hashes of various passwords at enormously fast rates. Even if they used per-user salts, it's likely that they would also be acquired during the original compromise: with the salts being known, the attacker could run through the various password possibilities at a high rate of speed.

        Using just a plain hashing algorithm, even one like SHA-512, for password security is a bad idea as those hashes are designed (in part) for speed. Using something like PBKDF2 with a high num

        • by 0123456 (636235)

          Yes, but modern GPUs can compute SHA-1 hashes of various passwords at enormously fast rates. Even if they used per-user salts, it's likely that they would also be acquired during the original compromise: with the salts being known, the attacker could run through the various password possibilities at a high rate of speed.

          Yeah, just TWO MILLION times slower.

        • by rb12345 (1170423)
          The issue is that with unsalted hashes, you only need to use brute-force once to generate your rainbow table, at which point all the passwords are cracked simultaneously. (OK, in practice you would not wait for a full rainbow table to be produced; you'd download a list of pre-computed common passwords and start with those.) With salt and a strong password, you still have to do all of that brute-force work just to obtain a single password, even if you have several GPUs doing the calculations.
    • Locking an account after 20 wrong guesses enables a simple denial-of-service attack by your enemies.
      And you mispeled "incompetant".
      • Locking an account after 20 wrong guesses enables a simple denial-of-service attack by your enemies.

        Adding an ever-increasing delay for the attacker's IP-address would more-or-less solve both issues.

        • That works fine, unless there is a botnet that is attacking you, with each bot trying 3 attempts on the same login. That's the attack pattern I see on SSH on my server...
    • by Bengie (1121981)
      You just mixed a lot of online and offline ideas together. You can't throttle offline cracking, unless you ask the cracker "pretty please with sugar on top".

      I haven't heard much of online cracking being an issue because of what you said; one simply can't effectively attempt many passwords without causing a DoS.

      "The work itself is very nice, MD5 hashes can be cracked quickly in massive parallel on GPU hardware. This only matters after the hashes have already been stolen." This part is true.

      Locking dow
  • slashdot (Score:5, Funny)

    by rapiddescent (572442) on Monday June 11, 2012 @10:47AM (#40283461)

    own up, who used the password slashdot - 0000003627a75d6c96a3d965247584a78779bc3d

  • by Anonymous Coward

    Send me your password and I will verify that
    -No one else is using it
    -It is safe

    BONUS: If you send me your credit card information I will tell if you if it's lucky!

    THANKS,
    "HAPPY DUDE"
    742 EVERGREEN TERRACE

  • Let me admit upfront, I've never explored the world of password cracking. However part of the article doesn't make sense to me. He mentions password based on rules. However he listed the rules and it seemed really strange.

    pwdlink from pwlink with the rule "insert d in 3rd position"
    pwd4link from pwdlink with the rule "insert 4 in 4th position"
    pwd4linked from pwd4link with the rule "append ed"
    pw4linked from pwd4linked with the rule "remove 3rd char"
    pw4linkedin from pw4linked with the rule "append in"
    mpw4l

    • by Rich0 (548339)

      I'm not an expert, but basically you want to generate a large search dictionary. You start with a small one (like the english dictionary), and then apply rules to generate more words to search. The kinds of rules you listed are typical, and you start applying them individually, and in combination. So, if you have 1000 words, and 10 rules you apply individually, you end up with 10k words. If you allow permutations of 10 rules then you have 1k*10^10 or something like that (depending on the rules order may

  • If so-called professional websites used proper hashing and salting, even password123 would be a halfway decent password.

    Without offline cracking, password weaknesses aren't very exploitable (even the most inept server will shut you down after a couple hundred attempts at brute-forcing your way through an online login).

    People like to harp on those "idiots" who pick weak passwords that can be cracked with a rainbow table, but unlike the moron web devs who still fail to salt their password DB in 2012, yo
    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Why is it the devs who get the short end of the stick in most 'xyz should be fired!' comments in this topic?

      I've worked at several places (in QA) where the devs were perfectly aware that there were security weaknesses (usually a result of some small system that organically grew into some big web service - but never was designed to be a big web service) - but until something is on fire (read: bad press), management tends to not prioritize highly needed refactoring (lets not argue over what to call it) over n

  • SMS to phone

    coming to a computer near you, for everything

    • I barely trust most web-service providers with an email address that can be closed/blocked/changed with little cost or effort. Satan will skate before I start giving out my mobile number!

      • then you aren't doing any banking or using Craigslist

        I don't use facebook but I believe they are doing phone authentication now too.

        It's coming for all sites, I'm sorry. It's good for security, I believe.

        • Facebook might be doing phone authentication, but they're not forcing it (yet), and I sure wouldn't trust FB with my phone #.

      • by rwv (1636355)

        Satan will skate before I start giving out my mobile number!

        I do believe they have roller-derby in hell... so I guess zentigger will be sharing his or her mobile number soon!

        On a serious note... I thought that was a clever euphemism for "when hell freezes over".

    • SMS to phone

      coming to a computer near you, for everything

      I have a wireless service that doesn't seem to work with anyone's SMS notification system, and I assume my provider's not the only one like this.

    • by Mashiki (184564)

      I strongly dislike SMS two factor, as smartphones are just as easy to get trojans/loggers on as PC's. Keyfobs work better, but then there's the possibility of the source+keystore being stolen. But at the end of the day both are more viable options than a simple password. Most people have cellphones, I don't but for anything important I already have a fob for it.

      • 1. it's hassle for the company. you have to send to the customer, deal with customer service inquires for new ones/ lost ones, etc. it's now a logistics headache
        2. it's a hassle for the customer. i have one for banking, and i'm always misplacing it, not having it when i need it, etc. just one more thing to keep track of in my life i don't want to. and a different fob for every important relationship? I have to carry around a jangle of fobs? Or leave them someplace and I can only do my banking there? No than

  • by arcctgx (607542) on Monday June 11, 2012 @11:09AM (#40283717)

    We all know that people tend to choose weak passwords, this is not really newsworthy. Ever since the database was leaked, many people, including professionals, have performed various analyses of cracked passwords. This is fine, but I think there are more important things we need to know right now:

    1) When exactly was the database leaked? It seems that it's been floating around the internet for some time before it hit the news last week.
    2) What the attack vector was?
    3) What security measures have been taken by LinkedIn to ensure this will not happen again?

    And perhaps one more: is there a relation between LinkedIn, eHarmony and last.fm database leaks? Did the same person/group do this?

  • This is a nice piece of work where he uses incremental modifications of existing password templates to show that password "seasoning" with a few stray twiddles such as s/o/0/ or s/$/! isn't worth much.

    linkedin is the only social network I've signed up for, and I visit less than twice a year. Don't think I used a strong password, but I do know I used a password totally unrelated to any other password on any other active account.

    Sure beats being the guy with the password lsw4facebook or lsw4citibank on sites

  • There are only a handful of sites that I frequent that actually allow for useful passwords (ie. longer than 30 characters). Most are "between 4 and 12" or something idiotic.

    As long as the people designing sites are inept and stupid, passwords will continue to be shit.

The one day you'd sell your soul for something, souls are a glut.

Working...