6,5 Million Linkedin passwords exposed, what else…

Wow, what a momentum in the infosec world, apart from facebook and whatever security breaches, in my personal opinion this week 6.5 Million Linkedin password exposure reached the top.

We are not talking about a social network made for fun and casual events, Linkedin is a Professional social network and I consider that any risk of exposure can be a serious threat for our jobs, can you guys imagine your account being pwned for malicious intent and if those bad guys simply jeopardize years of notoriety and visibility in front of your contact network, and what if you are a CEO, CIO or any Senior Exec of Fortune 500 or quoted company? Can you imagine the impact of a malicious announcement on a Linked account of one of these gentlemen’s? Now you may have the picture of what I am talking here.

I am a cautious guy in what regards to security, I do not freak with it, but I can tell you that I do not skip the fundamentals. All my digital IDs have complex passwords, I even need a PT keyboard to figure out where all those special characters are, even though that’s not enough as you can see in the following print screen:


Yes, I ended up being one of those 6.5 Million lucky guys exposed on the Russian Forum. Two days after the exposure Linkedin confirmed that some users confirmed their passwords were already in clear text, but now you ask, how they did it?

Somehow the Russian hacker or any other unknown associated parties managed to dump a database with 6.5Million passwords hashes cyphered with simple SHA-1. At glance two concerns come up, how they managed to dump a Database with 6.5 Million password hashes? It’s something that Linkedin still has a lot to explain. By other way, passwords only cyphered with SHA-1?????? Seriously?????

When I initially heard about that around 300k simple passwords were already revealed in clear text, the reason behind that is simple, your password hash cyphered in SHA-1 will have the exact same hash of anyone else that is using the same passphrase as you do, imagine user A password is “abc123” and user B password is also “abc123”, both cyphered in SHA-1 will have the same password hash (6367c48dd193d56ea7b0baad25b19455e529f5ee).

You can now imagine how simple it is to reverse passwords, imagine that you pick up a dictionary with zillions of passwords and you cypher every single one with SHA-1, let’s say that you put in an Excel a column with all your dictionary phrases and a second column with the corresponding SHA-1 hash, now you pick up a Database such as the Linkedin with 6.5M passwords hashes cyphered with SHA-1 (as you know the same text or in this case passphrase will have the same SHA-1 hash),if we correlate the SHA-1 hashes between your dictionary and leaked Database and you find any matches you will easily identify to which Passphrase the SHA-1 hash corresponds.

SHA-1 should never be left alone, there is an additional technique to avoid such level of weakness in SHA-1, it’s named “Salt”. Salting is about adding some random bits to a one-way input, for this case is about adding something random in a passphrase which will avoid that the same Passphrases end up with the same SHA-1 hash. Imagine that User A has the password “abc123” and user B has the password “abc123”, e.g. salting both users pwds means that user A has now an input “abcqwe123” (0630e6b1e18a2d5e2e8fd7db89673c3a968f8568) and user B “abclkj123” (0531024c3614c3221d9cb98fc383e5b0b01f1388), as you can see the cypher with SHA-1 will never have the same hash in this way.

Linkedin announced that they are still investigating the security breach and they took several security measures, all users pwds had been reset and need to be redefined and passwords are now salted on the database. I believe that other non-disclosure measures are being implemented.

Two advices:
1st – Dev community of relevant webservices with PII data: If you ever consider to cypher with SHA-1 or if you are supporting some sort of application, website, portal, etc, implement the necessary code changes to Salt the Passwords and guarantee a safe SHA-1 Hash.

Interesting code sample for password salt:

2nd – All Linkedin users: No matter if you have been notified or not to change your Linkedin password ASAP, if you reutilize your password (common behavior…) in any other webservices you should rush to modify all those passwords.

R-Tape Loading error,
Luís Rato


~ por Luis Rato em 11 de Junho de 2012.

Deixe uma Resposta

Preencha os seus detalhes abaixo ou clique num ícone para iniciar sessão:

Logótipo da WordPress.com

Está a comentar usando a sua conta WordPress.com Terminar Sessão / Alterar )

Imagem do Twitter

Está a comentar usando a sua conta Twitter Terminar Sessão / Alterar )

Facebook photo

Está a comentar usando a sua conta Facebook Terminar Sessão / Alterar )

Google+ photo

Está a comentar usando a sua conta Google+ Terminar Sessão / Alterar )

Connecting to %s

%d bloggers like this: