Note: This article was originally published at Planet PHP on 7 June 2012.

When I read that LinkedIn leaked 6.5 million passwords, I thought it was newsworthy, so I shared it. Bummer for them, I thought, especially given a few particularly bad practices:

  • The hashes were unsalted SHA-1 hashes. SHA-1 was proven weak back in 2005, and unsalted hashes are especially weak, because identical passwords produce identical hashes and precomputed tables can be reused against the whole dump.
  • Those who visited the LinkedIn home page were shown a fake login form that attempted to trick users into giving away their email password. Shame, shame.

I shamed LinkedIn on Twitter and thought that was the end of my interest in the story until Phil pointed me to the dump of the passwords, which is no longer available. Minutes later, I discovered that my password was not only one of the 6.5 million that had been leaked, it was also among those that had been cracked. I was a victim.

Unfortunately, I signed up for LinkedIn before I was using 1Password, so the cracked password was used on a handful of other sites. Now, I can never use that password again, and I have to change my password on every site where I used it. In case you're wondering, my password was a concatenation of several words. It was my weak password, but it wasn't that weak.

One of many implications of this is that there is now a (growing) list of hundreds of thousands of cracked passwords. You can be sure that these will be used to seed rainbow tables and will be an obvious choice for seeding a dictionary used to try to crack passwords the next time a leak happens. Even if the next leak is a bunch of salted passwords using a better algorithm, these cracked passwords will never be safe again.

If you want to see if you're also a victim, start by finding the hash of your password. PHP has a sha1() function, so if you're on a Mac, that means you can type this into Terminal (replace password with your password):

php -r 'echo sha1("password") . "\n";'

If you're not already familiar with hashes, just know that the string of characters this command outputs is the SHA-1 hash of your password. You'll need this to check to see whether your password was leaked.

Then, check to see if your hash is in the dump. If it is, it means they had not cracked it yet (at least not before the time the dump was uploaded). If you don't find it, replace each of the first five characters of your hash with a 0, so that it begins with 00000, and check to see if that form is in the dump. If it is, it means they have cracked it. If neither is there, it means you're safe.

Since this isn't very straightforward, a few friends and I thought it would be a good idea to make a simple app that lets you check to see if you're a victim. In fact, while we were talking about what a good idea it would be, Sean made a quick prototype, and Bedrich provided some visual love. Cleverly, we are calling it LeakedIn. The app hashes your password using JavaScript, so your password never leaves your computer. You can verify this by viewing the source, but if you prefer, you can also just provide your hash. We'll let you know if your password is one of the 6.5 million that were leaked as well as if it has already been cracked.

Please let me know if you're one of the lucky ones or a fellow victim. Maybe we can form a support group.

If you're building a web app and want to know how to hash passwords, let me suggest bcrypt, because, "over time it can be made slower and slower, so it remains resistant to specific brute-force search attacks against the hash and the salt."