LinkedIn Password Hack: 60% of Hashed Passwords Cracked

There is quite an uproar over the compromise of sites such as LinkedIn. Users are rightly annoyed but the big issues are:

  • the site was compromised to the extent that the hashed passwords could be copied,
  • obviously, with 60% of those hashed passwords cracked so quickly, many of them are trivially attacked with dictionary-type attacks, so taking the hashes only facilitated the compromise of individual accounts, and
  • what the Hell were the operators of the site doing when the intrusion occurred?

Users have a responsibility to choose strong passwords. Sites should enforce that to avoid global melt-downs of important systems. It’s not good enough to say your messages are of little value. An account has value to malware artists and spammers no matter the current content. Users should have very strong passwords kept in an encrypted database so that having to recall or type the passwords is not an issue. Copy and paste can deal with it. Users should learn how to clear the clipboard and avoid using public terminals. If users must type in passwords they should not use common names or dictionary words, and should include punctuation and special symbols as well as upper- and lower-case letters and digits. Less than 8 characters takes only minutes to crack by brute force… Take a hint and use much longer passwords.

Web sites require constant attention, as does any establishment with unlocked doors. High-profile sites need layers of paranoid system administrators. Automation of security functions and intrusion detection are necessary. Web sites can be quite complex in structure and usage. It is important that compromised sites publish details so everyone can benefit from lessons learned. Too often, breaches are cloaked in secrecy. For example, the compromise of kernel.org, which is home to a key piece of IT, is still not documented nearly a year after the incident. “We will be writing up a report on the incident in the future.” does nothing to enhance the security of the world’s IT. Security is a shared thing, like FLOSS. You cannot keep it to yourself, because compromised systems are a threat to you and everyone else.
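To make the two points above concrete (why an unsalted hash table falls to dictionary attacks, and what a site enforcing strong passwords looks like), here is an added example that is not from the original post. It contrasts unsalted SHA-1 with a per-user salted, iterated hash and includes a server-side policy check; the 12-character minimum, the iteration count and the tiny word list are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for a real cracking dictionary (assumption, not from the post).
COMMON_WORDS = {"password", "linkedin", "123456", "qwerty", "letmein"}


def legacy_hash(password: str) -> str:
    """Unsalted SHA-1, the scheme reports attributed to LinkedIn.
    Deterministic: every user with the same password gets the same digest,
    so one dictionary lookup tests the whole leaked table at once."""
    return hashlib.sha1(password.encode()).hexdigest()


def hardened_hash(password: str, iterations: int = 200_000) -> str:
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256).
    Stored as 'pbkdf2_sha256$iterations$salt_hex$digest_hex'."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(stored: str, candidate: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def policy_ok(password: str) -> bool:
    """Server-side enforcement of the rules the post recommends: length
    (12+ assumed here), upper, lower, digit, punctuation, no common word."""
    if len(password) < 12:
        return False
    classes = [any(c.isupper() for c in password), any(c.islower() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password)]
    if not all(classes):
        return False
    lowered = password.lower()
    return not any(word in lowered for word in COMMON_WORDS)


def same_digest_for_same_password(scheme, password: str) -> bool:
    """True when two accounts sharing a password produce identical stored values."""
    return scheme(password) == scheme(password)


if __name__ == "__main__":
    pw = "linkedin1"  # constructed weak sample password
    print("legacy identical for two users:", same_digest_for_same_password(legacy_hash, pw))
    print("hardened identical for two users:", same_digest_for_same_password(hardened_hash, pw))
    print("policy accepts sample:", policy_ok(pw))
```

With the salted scheme, each leaked record must be attacked separately and each guess costs 200,000 hash iterations, which is the cost multiplier that made the unsalted LinkedIn table so cheap to crack in bulk.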

“As of this writing, over 60% of the unique hashed passwords obtained by hackers from a LinkedIn password database and subsequently posted online have now been cracked.”

via LinkedIn Password Hack Draws Security Concerns and User Anger | Mobile Marketing Watch.

About Robert Pogson

I am a retired teacher in Canada. I taught in the subject areas where I have worked for almost forty years: maths, physics, chemistry and computers. I love hunting, fishing, picking berries and mushrooms, too.
This entry was posted in technology.

10 Responses to LinkedIn Password Hack: 60% of Hashed Passwords Cracked

  1. oiaohm says:

    Yonah that is the problem. I have given you the base information already; opencv is where you start. I have given you the details about the basic hardware frame: ip kvm switch for computer interface capture.

    What I am not giving you is a video of it in operation. Really Yonah, why are most computer games simpler than the real world? Most items moving in computer games are hostile or most likely so.

    “How can a KOMPUTER, be like, see da REAL LIFE and do the STUFF? Is it like with, umm, robot eyes or special GPS”

    Nothing special; in fact yes, real combat systems do it today. Cameras and metalstorm weapons are the simplest because metal storm is electronically controlled, but you could use a chain gun or any other self-loading weapon with a salvaged solenoid to pull the trigger. It’s part of the Australian area defence system basic frame. These can also be tracked and mobile to make neutralising the grid harder. Basically computer games are a good place to test out the software for this usage.

    Australian mil does not use mine fields. Australian mil uses mounted guns for mine fields that can operate fully unmanned. The hardest requirement is the turret must be able to shoot weapons dropped from aircraft or fired from helicopter. You are talking large contracts for working control software for this stuff. Next the control system has to be based on hardware that can be scavenged. So yes, PC meets this requirement. Unlike USA weapon designs, who can go and design everything from scratch and custom, that does not match Australian mil acquirement requirements. This is why in Iraq the first thing Australian mil set up was means to rebuild armour vehicles using local materials. So your design has to be flexible.

    Basically a rich house would mostly contain all the parts to make at least one gun turret.

    The real world requirements make what you have to do to control a game look simple. In fact if you cannot bend your system to control games your system is most likely not going to be able to pass the “what if we had to build the system from salvaged parts” test.

    Basically you want to see this real life: walk onto the Australian equal to a mine field and you will see it real life well enough. Lock, shoot, kill on auto is 0.1 of a second and that is spinning the gun from pointing exactly the wrong way to target. It’s slower when a human is approving shots or it’s built from salvaged parts, normally due to slower speed motors.

    USA mil tried doing this without trying the software on a game first. Result: 6 dead soldiers before the weapon could be taken off line. Yes that was 6 rapid shots in under 1 second. Perfect head shots in the real world, so it worked perfectly other than one minor fact. Yes the gun did defend itself from possible hostiles; it just happened that those were friendly. Yes the friend and foe assessment did not work. Yes it was the 6 people in line of sight around the gun.

    Basically cheating at games and designing automated weapon systems is one and the same thing.

    Also where do soldiers train? In video games, for a percentage. This is all stuff you would know if you had some security clearance. So you want soldiers to handle going head to head with automated weapons correctly. You need to have them operate in the games they use for training. Yes one of the requirements for mil usage of these systems is the fact it can control a computer game, so it can be used in training in a way that the game does not need to be modified, so soldiers cannot get the idea that the weapon system is cheating by using internal game information. So yes, the requirement is to control the game by ip kvm switch.

    So yes Yonah, you are talking money here and you are wondering why I am not being nice on giving exactly how.

    The problem here: in the time of Buck Rogers it was not reality. Today it’s the reality of sections of the battle field. Computers are still fairly useless at friend and foe assessments. But completely perfect at killing everyone who crosses their path.

    Reality Yonah: you need to spend some time with some force-multiplied weapons and then their control software controls games for training with soldiers.

    Sad part here is you think it is a corny idea. Mil sure don’t. It shows how deep in the sand your head is over automated weapon techs.

  2. Yonah says:

    Umm… yeah… I didn’t ask for details about “Automated Assault Systems” in general or what hardware/software was required. Gee…. robots programmed to navigate through an environment and track targets? That’s been conceivable since before I watched my first episode of Buck Rogers! Twiki was cooler than you’ll ever be.

    I want details on YOUR system. Because, I think the whole corny idea of using a robot to cheat at videogames is something you whipped up while taking a lengthy crap. You needed something to best those damn trolls on the Internet. You’ve got a nerd’s imagination. Shocking. -_-

    “Yonah really your questions about it shows lack of security clearance to fully understand how fully auto targeting devices work.”

    Ha ha ha, nice one. Yeah, dude. I totally like don’t get it and stuff. How can a KOMPUTER, be like, see da REAL LIFE and do the STUFF? Is it like with, umm, robot eyes or special GPS telemetry with blast processing like, OMG! my Sega Genesis? WOAH, IS IT MADE BY SEGA??? I can’t like know about deez things cause I ain’t a secret agent job with a license to BS and stuff.

    Arm the AUTOMATED LINUX DEFENSE SYSTEM. Set posting power to… “STUPIFY!”

  3. oiaohm says:

    Yonah “Well, you seem to have no problem making statements without facts. Why the double standard, my friend?

    P.S. Still awaiting details on the Automated Assault System you are developing.”

    Really I have answered what frameworks you need to solve and build one yourself.

    You will find I don’t operate from double standards. The name of it should tell you what its long-term objective is. What I have said is possible is possible.

    http://www.ce.rit.edu/research/projects/2009_spring/Autonomous_Weapon_Turret/docs/independent_investigation_opencv.pdf

    http://www.cs.rochester.edu/research/quagents/tr.pdf Games are used in robot and weapon system control development all the time. It’s not like new anti-cheating code was going to stop this.

    Yonah really your questions about it show lack of security clearance to fully understand how fully auto targeting devices work.

    This is more than enough detail to see that what I am talking about is possible, without giving away exactly how I pull it off. Swapping a camera for an ip kvm screen capture device and swapping servo controls for fake mouse and keyboard controls is not hard. If a control system stuffs up in a game at least it does not kill humans.

    Of course most game players don’t think that computer vision systems are to the point they can out-play players. Yet even though they work in game, due to the massive variation in the real world compared to games they still don’t work as well as a human in the real world yet.

  4. Yonah says:

    Oiaohm: “Clarence Moon simple fact of the matter Viktor made a statement without any facts of what OS was in use.”

    Well, you seem to have no problem making statements without facts. Why the double standard, my friend?

    P.S. Still awaiting details on the Automated Assault System you are developing.

  5. oiaohm says:

    Clarence Moon simple fact of the matter Viktor made a statement without any facts of what OS was in use.

    Lots of sites run front end filters that hide what OS is behind, including Windows. It’s part of security, you twit. If you advertise what OS you are using on a web-service you make the attacker’s job simpler. With linkedin we have no information either way.

    The only site there that displays is a Linux caching service. Microsoft servers use the same service and sometimes also display as it.

    The akamai technologies netblock is not inside the linkedin server farm, but inside the third party caching service akamai that is used to cache lots of major sites, including lots of Microsoft’s. You would call that a false detection.

    “Plus, a number of their sites are not being so careful, eh? Surely they all use the same code.”
    Mostly you are saying this because you are an idiot who cannot read the data.

    You can go to the linkedin netblock list as well.

    http://toolbar.netcraft.com/netblock?q=inap-lax-linkedin-38682,216.52.242.0,216.52.242.255

    The only thing we do know for sure about linkedin is that they use http://trafficserver.apache.org/ and lighthttpd.

    Both of these operate on all Unix, Linux and BSD servers. lighthttpd can be running on Windows also; traffic-server and lighthttpd can be placed in front of Windows servers, so hiding their existence.

    Lighthttpd can also run on Windows.

    So the information at hand does not disprove the usage of Windows.

    Clarence Moon also a large percentage of Linux driven sites don’t bother hiding it.

    http://uptime.netcraft.com/perf/reports/performance/Hosters?orderby=epercent&tn=may_2012

    Sorry Clarence Moon, you are speaking out your ass again. All the evidence shows that your claims and Viktor’s claims are bogus or baseless.

    Conventional OS. Linux is a conventional OS for providing web service. There is no shame about using it for that.

  6. Clarence Moon says:

    if it turns out to be a Windows …

    Tut, tut, Mr. Oiaohm. Users of Windows or other conventional OS are not so ashamed about it. It must be Linux, else why hide the fact? Plus, a number of their sites are not being so careful, eh? Surely they all use the same code.

  7. Viktor wrote, “GNU/Linux was hacked once again.”

    It’s not clear that GNU/Linux was hacked. No details are public, but one article suggests SHA-1 unsalted hashed passwords were used. LinkedIn is upping security. It could well be that some vulnerability outside GNU/Linux was the cause, like a web application.

  8. oiaohm says:

    http://searchdns.netcraft.com/?host=linkedin.com&x=7&y=10
    Viktor, sorry, linkedin might or might not be running Linux.

    So please stick to facts; there could be real egg on face if it turns out to be a Windows or AIX or some other OS problem.

  9. Viktor says:

    The big issue is:

    GNU/Linux was hacked once again.

    It’s as secure as the German pensions were according to former Secretary of Labor Norbert Blüm.
