Though “unsalted hash” sounds more like a menu item for the sodium-conscious, it’s actually a reason to change your LinkedIn password.
Linkedin may help around five or six people a year get a new job, but mostly it’s a breeding ground for slimy recruiters and pointless networking groups. Well now it’s become even more irritating as an estimated 6.5 million of our passwords have been leaked online, according to The Independent.
Reports are suggesting that a Russian hacker published a list of the passwords online and is reportedly “crowd-sourcing help in breaking the encryption.” Linkedin has responded to the allegations with a number of tweets stating that the breach hasn’t been confirmed, but the team’s looking into the problems right away.
There is a possibility that this could be a hoax, but several people have said on Twitter that they found their real LinkedIn passwords as hashes on the list. Many of the hashes include “linkedin,” which seems to add credence to the claims.
Graham Cluley, a consultant with U.K. web security company Sophos, said in a blog post that investigations by Sophos researchers have confirmed that the file does contain, in part, LinkedIn passwords. It’s worth noting that the passwords are stored as unsalted SHA-1 hashes. SHA-1 is a secure algorithm, but is not foolproof. LinkedIn could have made the passwords more secure by ‘salting’ the hashes, which involves merging the hashed password with another combination and then hashing for a second time. Even so, unless your password is a dictionary word, or very simple, it will take some time to crack.
According to ZDNet, Finnish security firm CERT-FI is warning that the hackers may have access to user email addresses, too, “though they appear encrypted and unreadable.”
Robert Graham has posted a web form that converts your password to an SHA-1 password for lookup and provides a link to the file of LinkedIn passwords that were dumped on the Internet so you can download and see if yours is in there.
I’ve also written a Python script that does the same, but you need the password file to be in the same folder. You can get it from here.
If you haven’t already, you should change your LinkedIn password and email login, certainly before you use this tool.
RT @_logik I don’t think I’ll change my LinkedIn password.If somebody’s hacked into it, please work on my resume. I’m too lazy to update it.
— lavanya (@lavsmohan) June 6, 2012
There are a few lessons from this:
- Never ask users to have their email ID as a user ID. This would lead to a user email getting known and the user becoming a victim of spam later on.
- A single password for multiple sites and and email ID as the User ID is a disaster for those who have the same password everywhere.
- Do not put up too much personal information on social networking sites. The problem here is, taking social network sites too seriously could lead to issues in case of hacks like these.
And it is true…. only the paranoid survive.