LinkedIn has confirmed that some of the password hashes that were posted online do match users of its service. They have also stated that passwords that are reset will now be stored in salted hashed format.
What is a salt? It is a string that is added to your password before it is cryptographically hashed. What does this accomplish? It means that password lists cannot be pre-computed based on dictionary attacks or similar techniques.
This is an important factor in slowing down people trying to brute force passwords. It buys time and unfortunately the hashes published from LinkedIn did not contain a salt.
After removing duplicate hashes, SophosLabs has determined there are 5.8 million unique password hashes in the dump, of which 3.5 million have already been brute forced. That means over 60% of the stolen hashes are now publicly known.
We also did some additional testing of commonly used passwords that should never be used. We started with the list of passwords that the Conficker worm used to spread through Windows networks.
All but two of the Conficker passwords were used by someone in the 6.5 million user password dump. The two passwords that weren’t found were ‘mypc123’ and ‘ihavenopass’.
Other passwords that we found in the dump include ‘linkedin’, ‘linkedinpassword’, ‘p455w0rd’ and ‘redsox’. We even found passwords that suggest people should know better like ‘sophos’, ‘mcafee’, ‘symantec’, ‘kaspersky’, ‘microsoft’ and ‘f-secure’.
We will continue to keep Naked Security readers up to date with what is known as we learn more.
It is critical that LinkedIn investigate this to determine if email addresses and other information was also taken by the thieves which could put the victims at additional risk from this attack.
Special thanks to Beth Jones and Richard Wang from SophosLabs for their hard work and assistance with this post.