LinkedIn has had a password leak. How to repair it.

Change your LinkedIn password.

News emerged on Wednesday, June 6, 2012 that LinkedIn's password database had leaked. The leak was confirmed when a number of security researchers found their own password hashes in the file, and when passwords cracked from that file turned out to contain the string "LinkedIn" or some variant of it. You can protect yourself by changing your LinkedIn password, and by changing the password on any other account where you use the same one. LinkedIn, for its part, has promised to strengthen its internal controls and introduce a "salt" into its password storage system.

An update from LinkedIn acknowledges the leak. The reporting from CNN is unusually detailed:

Countless passwords on the list contain the word "linkedin." On a popular hacker forum, many reported finding passwords such as "linkedout," "recruiter," "googlerecruiter," "toprecruiter," "superrecruiter," "humanresources" and "hiring."

The leak was made worse by LinkedIn's use of SHA-1 as its password hashing scheme without a "salt" to improve password security. AgileBits has a good discussion of how salting works and why you should use it; in short, a salt adds a little randomness to even a bad password, so that an attacker cannot simply look up the stored hashes in a table computed in advance.

Even if Bob and Alice use the same password (and so have the same hash of their passwords) they don’t have to worry about each other. Who they need to worry about is Charlie the Cracker. Charlie may have spent months running software that picks passwords and generates the hashes of those passwords. He will store those millions of passwords and their hashes in a database called a “Rainbow Table.”

Even without a rainbow table, modern password cracking hardware is mighty fast. How fast? Robert Graham from Errata Security lays it out:

Update: How fast can hackers crack passwords? The answer is "2 billion per second" using the Radeon HD 7970 (the latest top-of-the-line graphics processor). Each letter of a password has 100 combinations (UPPER, lower, d1g1ts, $ymbols). A 5 letter password therefore has 100 x 100 x 100 x 100 x 100 or 10 billion combinations, meaning it can be cracked in 5 seconds. A 6 letter password has 100 times that, or 500 seconds. A 7 letter password has 100 times that, or 50,000 seconds, or 13 hours. An 8 character password is roughly 57 days. A 9 character password is 100 times that, about 15 years. In other words, if your password was 7 letters, the hacker has already cracked it, but if it's 9 letters, it's too difficult to crack with brute force.

Of course, "too difficult" for one computer is not the same as "too difficult" for a network of computing resources. Thomas Roth in 2010 on Cracking Passwords in the Cloud on Amazon's EC2:

Using the CUDA-Multiforce, I was able to crack all hashes from this file with a password length from 1-6 in only 49 Minutes (1 hour costs 2.10$ by the way.):

Compute done: Reference time 2950.1 seconds
Stepping rate: 249.2M MD4/s
Search rate: 3488.4M NTLM/s

This just shows one more time that SHA1 for password hashing is deprecated – You really don’t want to use it anymore! Instead, use something like scrypt or PBKDF2! Just imagine a whole cluster of these machines (which is now easily available to anybody thanks to Amazon) cracking passwords for you. Pretty comfortable, large-scale password cracking for everybody!

So 6 character SHA-1 hashes would cost about $2 to crack in 2010 computer-dollars; 7 characters, $200; 8 characters, $20,000; and 9 characters, "only" $2 million. Roth further concludes:

The thing that was new is that, due to the new Amazon offering, everyone is able to spawn a 100-or-more node cluster in the cloud and distribute the task of cracking passwords onto these nodes. The task of cracking hashes is especially suitable for massive parallelization! An attacker could easily spawn a gigantic cluster of nodes using stolen credit card information, and it would be no problem for him to crack 8-character passwords in a nice timeframe.
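The following Python script is an added example, not code from this post, from LinkedIn, or from any of the researchers quoted above. It walks through the three storage schemes the post discusses: unsalted SHA-1 as LinkedIn used it, salted SHA-1 as LinkedIn has promised, and PBKDF2 as Roth recommends. It shows why a table of precomputed hashes recovers every account in an unsalted database at no hashing cost, why the same table recovers nothing once each account has its own salt, and how a slow, salted KDF is verified. The account names, passwords, wordlist, and the 100,000-iteration work factor are all constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample accounts (not from the leaked file); two share a weak password.
USERS = {"alice": "recruiter", "bob": "recruiter", "carol": "linkedin1"}

# Constructed stand-in for a cracker's wordlist, the input to a precomputed table.
WORDLIST = ["password", "123456", "recruiter", "linkedin", "linkedin1", "hiring"]

# Assumed work factor for PBKDF2; a real deployment tunes this to its hardware.
PBKDF2_ITERATIONS = 100_000


def sha1_unsalted(password: str) -> str:
    """What the post says LinkedIn stored: SHA-1 of the bare password."""
    return hashlib.sha1(password.encode()).hexdigest()


def sha1_salted(password: str, salt: bytes) -> str:
    """SHA-1 over salt || password; the salt is stored beside the digest, not kept secret."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def pbkdf2_hash(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated hash: every guess costs `iterations` HMAC-SHA256 computations."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def verify_pbkdf2(password: str, salt: bytes, stored: str,
                  iterations: int = PBKDF2_ITERATIONS) -> bool:
    """Constant-time comparison so verification timing leaks nothing about the digest."""
    return hmac.compare_digest(pbkdf2_hash(password, salt, iterations), stored)


def unsalted_db(users):
    """user -> SHA-1 digest, the layout of the leaked file as the post describes it."""
    return {user: sha1_unsalted(pw) for user, pw in users.items()}


def salted_db(users, salt_bytes: int = 16):
    """user -> (salt, digest), with a fresh random salt per account."""
    db = {}
    for user, pw in users.items():
        salt = os.urandom(salt_bytes)
        db[user] = (salt, sha1_salted(pw, salt))
    return db


def build_lookup_table(wordlist):
    """Computed once, reusable against every unsalted SHA-1 database ever leaked.
    A rainbow table is a space-optimised form of the same precomputation."""
    return {sha1_unsalted(word): word for word in wordlist}


def lookup_unsalted(db, table):
    """Recover passwords by dictionary lookup alone; no hashing at crack time."""
    return {user: table[digest] for user, digest in db.items() if digest in table}


def lookup_salted(db, table):
    """The same lookup against a salted database: the precomputed digests never match,
    so the attacker is pushed back to hashing each guess per account."""
    return {user: table[digest] for user, (_, digest) in db.items() if digest in table}


def shared_password_visible(db) -> bool:
    """True if two accounts expose identical stored values, as unsalted databases do."""
    digests = [entry if isinstance(entry, str) else entry[1] for entry in db.values()]
    return len(digests) != len(set(digests))


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("unsalted:", lookup_unsalted(unsalted_db(USERS), table))  # all three recovered
    print("salted:  ", lookup_salted(salted_db(USERS), table))      # nothing recovered
    salt = os.urandom(16)
    stored = pbkdf2_hash("recruiter", salt)
    print("pbkdf2 verify:", verify_pbkdf2("recruiter", salt, stored))
```

Two things worth noticing when running it. First, in the unsalted database alice and bob have identical stored values, so cracking one cracks both and the duplicate itself leaks that they chose the same password; the per-account salt removes that. Second, salting alone does not slow down the per-guess rate that Graham and Roth measure; that is what the iteration count in PBKDF2 (or the memory cost of scrypt) is for, since each guess now costs the attacker the full iteration count rather than a single SHA-1.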

So, "recruiter", step up your game (and change your password, and your password algorithm).
