LinkedIn's Password Breach and Official Response Dissected

Status
Not open for further replies.

A Bad Day

Distinguished
Nov 25, 2011
2,256
0
19,790
I never understood what the IT departments or the higher ups that had full control over what the ITs did were thinking. Did they really think they would get away with weak encryption, or even without encryption?

Then again, maybe they were completely blind to the news for the past year or were lazy, like an unnamed company that still uses Windows NT 4.0 because the OS still works (so why replace it?).
 

oafed

Distinguished
May 28, 2008
16
0
18,510
I think other personal information has gotten in the hands of spammers. I think this for 3 reasons.

1) An email account I rarely use (but have had for 10 years) was hacked this morning and locked out for sending spam. It had the same password as my LinkedIn account.

2) My friends gmail informed him that it had blocked someone in Peru who was accessing his account. He said his gmail was the only other account he had with the same password as LinkedIn.

3) I am hearing of a lot more spam coming from friends email addresses in the last couple days.

Coincidence?
 

freggo

Distinguished
Nov 22, 2008
2,019
0
19,780
[citation][nom]A Bad Day[/nom]I never understood what the IT departments or the higher ups that had full control over what the ITs did were thinking. Did they really think they would get away with weak encryption, or even without encryption?Then again, maybe they were completely blind to the news for the past year or were lazy, like an unnamed company that still uses Windows NT 4.0 because the OS still works (so why replace it?).[/citation]


There is only so much security you can implement.
The problem is not 'weak' security.
The problem is that there are not serious enough consequences for hacking.

Put a 20 year minimum sentence on major attacks; put serious law enforsment resources behind finding theose guilty; and make the -short- trials VERY public. Than the rest if these idiots will get the message. You get caught... your life as you know it is over.
Think about this from the perspective of the 6+Million accounts (not just people) affected. The amount of time lost, money lost, their worries. You are not just screwing with a 'big company'; you are screwing with the lives of Millions of people.

This is not kiddy stuff, this is a Major Financial crime all told.
Lock 'em up with Bubba and the gang, and loose the key.


 
G

Guest

Guest
"such as finding 050 starting from 000 and 999"
O really? Wasn't it 500 maybe?
 

Chipi

Distinguished
Sep 24, 2008
86
0
18,630
Holy cow! I just found my password has in the list, unbroken.

Good thing it's 12 characters long, with "random" letters and numbers, and I don;t use it for any email accounts.
 


You do realize the internet is global, you can hop on open wifi, and this person was (probably) in Russia right?

you can't even figure out who a hacker is unless they are an idiot let alone chase them down. nevermind that consequences don't do anything to prevent normal crime. the problem IS weak security because crime will never. ever. stop.
 

randomizer

Champion
Moderator
You don't need to use mnemonics and you don't need to use a password made up of entirely random characters. You just need a long password that uses a large character space (ie. at least one lowercase and uppercase letter, one number and preferably one special character). "pAssw0rd1112!" is a much stronger password than ")1!#Bjt1{.#" by orders of magnitude.
 

A Bad Day

Distinguished
Nov 25, 2011
2,256
0
19,790
[citation][nom]freggo[/nom]There is only so much security you can implement.The problem is not 'weak' security.[/citation]

Wonder why I use long complex passwords for Gmail and Yahoo Mail? Because I prefer forcing the hackers to break through those companies' security measures rather than giving them a weak password to play with.
 

Chipi

Distinguished
Sep 24, 2008
86
0
18,630
[citation][nom]randoMIZER[/nom]You don't need to use mnemonics and you don't need to use a password made up of entirely random characters. You just need a long password that uses a large character space (ie. at least one lowercase and uppercase letter, one number and preferably one special character). "pAssw0rd1112!" is a much stronger password than ")1!#Bjt1{.#" by orders of magnitude.[/citation]

Notice how the word random is in in quotation marks in my sentence. That means I'm not using it literally ;)
What I meant was that my password looks like a bunch of random letters and numbers, but it's actually a sentance in my head.

And I never said random symbols, I said letters and numbers. Maybe you should drink your coffee first, huh...

I'm not even gonna comment on your statement regarding the strength of those 2 passwords, it's just ridiculous :))
 

Jerky_san

Distinguished
Apr 22, 2009
230
0
18,680
it would seem hotmail does the same thing if you look at their login screen as its logging in... I tried to post it but it wouldn't let me.. but it appears they only use SHA1 on their stuff as well..
 

acku

Distinguished
Sep 6, 2010
559
0
18,980
[citation][nom]randoMIZER[/nom]You don't need to use mnemonics and you don't need to use a password made up of entirely random characters. You just need a long password that uses a large character space (ie. at least one lowercase and uppercase letter, one number and preferably one special character). "pAssw0rd1112!" is a much stronger password than ")1!#Bjt1{.#" by orders of magnitude.[/citation]
There are partial hashes in the list: linkedin, LinkedIn, L1nked1n, l1nked1n, L1nk3d1n, l1nk3d1n, linkedinsecret, linkedinpassword

substitution is easy to code and compensate for.

Cheers,
Andrew Ku
TomsHardware.com
 

acku

Distinguished
Sep 6, 2010
559
0
18,980


That would be harder, but not impossible. Strong passwords should look completely random. Word-based passwords are weak.

Check out what this guy did with only a CPU. (cracked 900k passwords in 4 hours)
https://community.qualys.com/blogs/securitylabs/2012/06/08/lessons-learned-from-cracking-2-million-linkedin-passwords


If I tried to match the word linkedin slightly modified (reversed or with '1' or '!' instead of 'i' like in l1nked1n):



In the first iteration, 558 passwords found in the 554,404 (0.1%) are related to the ‘Linkedin’ string;
In the second iteration, 3248 out of 22,688 (14%) are related to the ‘Linkedin’ string;
Third iteration: 1,733 out of 3,682 (47%);
Fourth iteration: 539 out of 917 (59%);
Fifth iteration: 217 out of 330 (66%);
Sixth iteration: 119 out of 152 (78%);
Seventh iteration: 40 out of 51 (78%);
And so on through the tenth iteration.



An example of what I found on the 7th pass is: m0c.nideknil



Another example is: lsw4linkedin, which was found on the tenth pass. To illustrate how the rules work for modifying words in the dictionary, below is the actual set of modifications used to get from the dictionary entry 'pwlink' to the successfully cracked password 'lsw4linkedin' over the ten iterations:



pwdlink from pwlink with the rule "insert d in 3rd position"
pwd4link from pwdlink with the rule "insert 4 in 4th position"
pwd4linked from pwd4link with the rule "append ed"
pw4linked from pwd4linked with the rule "remove 3rd char"
pw4linkedin from pw4linked with the rule "append in"
mpw4linkedin from pw4linkedin with the rule "prepend m"
mw4linkedin from mpw4linkedin with the rule "remove second character"
smw4linkedin from mw4linkedin with the rule "prepend s"
sw4linkedin from smw4linkedin with the rule "remove second character"
lsw4linkedin from sw4linkedin with the rule "prepend l"
 

STravis

Distinguished
Nov 3, 2009
405
0
18,780
[citation][nom]A Bad Day[/nom]Wonder why I use long complex passwords for Gmail and Yahoo Mail? Because I prefer forcing the hackers to break through those companies' security measures rather than giving them a weak password to play with.[/citation]

Gmail provides for two factor authentication - there is NO reason NOT to use said feature.
 

acku

Distinguished
Sep 6, 2010
559
0
18,980
[citation][nom]STravis[/nom]Gmail provides for two factor authentication - there is NO reason NOT to use said feature.[/citation]

Agreed.

Cheers,
Andrew Ku
TomsHardware.com
 

PreferLinux

Distinguished
Dec 7, 2010
1,023
0
19,460
[citation][nom]randoMIZER[/nom]You don't need to use mnemonics and you don't need to use a password made up of entirely random characters. You just need a long password that uses a large character space (ie. at least one lowercase and uppercase letter, one number and preferably one special character). "pAssw0rd1112!" is a much stronger password than ")1!#Bjt1{.#" by orders of magnitude.[/citation]
Ever heard of a dictionary attack? It is easy to include those modifications in the dictionary (which will make it several times longer, but nowhere near as much as a completely random password that is several characters shorter).

By the way, one thing that was missed in the article is rainbow tables – using them would drop the cracking time massively, even for long random passwords.
 

bebangs

Distinguished
Sep 23, 2009
443
0
18,790
wow. i have linkedin account 5years ago. i've never used it. so now i have to change password for all other accounts and email!? YOU SUCK!
 

tntom

Distinguished
Sep 1, 2001
356
0
18,780
I am always getting on my wife for using the same password for everything. I have to go in and change them for her. I know it is not as secure as memorization but I keep them in a password protected file. I only use similar passwords for things like webforums where I want something easy to remember but could careless if someone hacked it.
 

acku

Distinguished
Sep 6, 2010
559
0
18,980
[citation][nom]PreferLinux[/nom]Ever heard of a dictionary attack? It is easy to include those modifications in the dictionary (which will make it several times longer, but nowhere near as much as a completely random password that is several characters shorter).By the way, one thing that was missed in the article is rainbow tables – using them would drop the cracking time massively, even for long random passwords.[/citation]

The existing rainbow tables appear to have already been used. That's built into the ~3.5 million hashes that start with 00000. Now it's dictionary and brute-force cracking with iteration/variation strings.

It's my impression that hackers used RTs first (working backwards from the text file). They would be the easiest to check against, because they are pregenerated hashes. You don't need a fast computer to do that. Plus, if your password can be looked up using a RT, it's definately not a secure password. RTs are for common stuff. Anyone with "passwordpassword" is just looking for trouble.

Cheers,
Andrew Ku
TomsHardware.com
 
Status
Not open for further replies.