Hackers crack more than 60% of breached LinkedIn passwords
Speed of hackers to crack passwords shows weakness of security scheme used by LinkedIn, researchers say
More than 60% of the unique hashed passwords that were accessed by hackers from a LinkedIn password database and posted online this week have already been cracked, according to security firm Sophos.
It's very likely the remaining passwords have also been cracked, said security researcher Chester Wisniewski late Wednesday.
In all, a total of 6.5 million hashed password believed to belong to LinkedIn members was posted on a Russian hacker forum earlier this week. The crooks posted the data in an effort to get help in cracking the passwords.
Sophos said it identified about 5.8 million hashed passwords as unique.
Based on an analysis of the 118MB password dump, Wisniewski said close to 3.5 million of the unique passwords had been cracked and made available in plain text by late last night. It's only a matter of time before the remaining passwords are similarly cracked using automated password guessing tools, he added.
The speed at which so many hashed passwords were cracked underscores the weakness of the passwords protection scheme used by LinkedIn, Wisniewski said.
The breached LinkedIn member passwords were all hashed, or masked, using a hashing protocol known as SHA-1.
Though SHA-1 offers a degree of protection against password cracking attempts, the protocol is by no means foolproof.
Therefore, many organizations theses day use a process known as salting -- where a random string of characters are appended to a password before it is hashed-- to make password cracking much harder. The process ensures that even if two passwords are identical, their hashes will be unique.
Salting is considered something of a best practice for protecting passwords, especially those used by employees of large companies.
That LinkedIn apparently chose to protect passwords using just SHA-1 is disappointing, Wisniewski said. "They chose a moderate security method. For an organization as large as LinkedIn, I would expect better," he said.
The worst policy for companies is to store passwords in clear text, experts say.
Storing them in hashed form with no salting is nearly as bad, considering the availability of SHA-1 hash cracking tools, Wisniewski said. Tables that contain pre-computed hashes for billions of passwords are easily available. Almost anyone can use these tables to decrypt almost any SHA-1 hash and recover it in plain text in in a matter of minutes.
In response to widespread reports about the breach, LinkedIn yesterday admitted that "some" of its passwords might have been compromised. So far, the company has not indicated how the breach occurred or how many passwords may have been compromised.
In a carefully worded blog post LinkedIn director Wednesday Vicente Silveira said that the company had disabled all the compromised passwords and was instructing affected members how to access their accounts to reset their passwords.
- NSA used 'European bazaar' to spy on EU citizens
- Target CIO resigns following breach
- Evan Schuman: Mobile IT Roach Motel: Data checks in, but it won't check out
- Sears finds no evidence of data breach -- yet
- Gameover malware is tougher to kill with new rootkit component
- Mobile app for RSA Conference exposes personal data
- UK man charged with hacking Federal Reserve
- Bloomberg clamps down with data-access policies after scandal
- Amazon.com security slip allowed unlimited password guesses on mobile apps
- Huge turnout at RSA shows hackers are winning
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Who's Spying on You? You're aware of the threats of malware to your business but what about the ever-changing ground rules? Cybercriminals today are launching attacks against...
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Mobile Applications Case Study: 8 Billion Transactions a Day The story documents how the online brokerage company tradeMONSTER created a custom mobile app and the success gleaned from this initiative. Also covered...
- Who's afraid of the big (data) bad wolf? Survive the big data storm by getting ahead of integration and governance functional requirements This paper provides a detailed review of the best practices clients should consider before embarking on their big data integration projects.
- Mobile Apps and Devices Slash Customer Cycle Time Consolidated Engineering Laboratories' field employees used to collect data on triplicate forms that were sometimes hard to read and difficult to manage. After...
- Cloud Knowledge Vault Learn how your organization can benefit from the scalability, flexibility, and performance that the cloud offers through the short videos and other resources... All Cybercrime and Hacking White Papers | Webcasts