Although not yet confirmed by the business-networking website, it is being widely speculated that over six million passwords belonging to LinkedIn users have been compromised.
A file containing 6,458,020 SHA-1 unsalted password hashes has been posted on the internet, and hackers are working together to crack them.
Although the data which has been released so far does not include associated email addresses, it is reasonable to assume that such information may be in the hands of the criminals.
Investigations by Sophos researchers have confirmed that the file does contain, at least in part, LinkedIn passwords.
As such, it would seem sensible to suggest to all LinkedIn users that they change their passwords as soon as possible as a precautionary step. Of course, make sure that the password you use is unique (in other words, not used on any other websites), and hard to crack.
If you were using the same passwords on other websites – make sure to change them too. And never again use the same password on multiple websites.
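Why a file of unsalted SHA-1 hashes is so cheap to attack, and what the minimal defensive alternative looks like, as an added example (not code from the article or from LinkedIn). The dump lines are constructed here from known plaintexts so it runs offline; the local check only hashes the guess you type and recovers nothing else.

```python
"""Unsalted SHA-1 password hashes versus a salted, slow hash.

Added example, not code from the article or from LinkedIn. The sample
dump is constructed locally; it is not the real leaked file.
"""
import hashlib
import hmac
import os
from collections import Counter


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 of a password, the scheme the leaked file used."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Constructed stand-in for the leaked file: one hex digest per line, built
# from known plaintexts. Every user who chose "password" gets the same digest,
# so one cracked hash unlocks every account that shares it.
SAMPLE_DUMP_LINES = [sha1_hex(p) for p in
                     ("password", "linkedin", "password", "Summer2012", "password")]


def load_dump(lines) -> Counter:
    """Parse dump lines into hash -> occurrence count, skipping junk lines."""
    counts = Counter()
    for line in lines:
        h = line.strip().lower()
        if len(h) == 40 and all(c in "0123456789abcdef" for c in h):
            counts[h] += 1
    return counts


def check_own_password(password: str, dump: Counter) -> int:
    """Local check: how many entries in the dump share this password's hash."""
    return dump.get(sha1_hex(password), 0)


# The defence: a per-user random salt plus a slow key-derivation function,
# so identical passwords no longer produce identical stored values.
def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, iterations).hex()


def verify_salted(password: str, salt: bytes, stored: str) -> bool:
    """Constant-time comparison of a login attempt against the stored value."""
    return hmac.compare_digest(salted_hash(password, salt), stored)


def same_password_same_hash(p1: str, p2: str) -> tuple:
    """(unsalted_collides, salted_collides) for two users with passwords p1, p2."""
    unsalted = sha1_hex(p1) == sha1_hex(p2)
    salted = salted_hash(p1, os.urandom(16)) == salted_hash(p2, os.urandom(16))
    return unsalted, salted


if __name__ == "__main__":
    dump = load_dump(SAMPLE_DUMP_LINES)
    print("accounts sharing 'password':", check_own_password("password", dump))
    print("unsalted/salted collision:", same_password_same_hash("password", "password"))
```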
How to change your LinkedIn password
1. Log into LinkedIn.
2. You should see your name in the top right-hand corner of the webpage. Click on it to open a drop-down menu, and choose “Settings”.
3. Choose the option to change your password.
4. After entering your old password, you will have to enter your new (hopefully unique and hard-to-crack) password twice.
Don’t delay. Do it now. And if there are any more updates from LinkedIn we will let you know.
Update: LinkedIn has now confirmed that users’ passwords have been exposed.
(By the way, if you use LinkedIn and want to keep up-to-date and discuss the latest security news – make sure to join the Naked Security LinkedIn group).
Yup, and they have passwords on the list of already closed accounts, couple that with the fact that they have a ton of calendar stuff stored on some server and you’re possibly looking at a monumental leak…
Many sites are reporting this, but none have provided the links to the source. The LinkedIn blog hasn't mentioned it either. Change the passwords, but be wary of any emails appearing to be from LinkedIn, as this could be part of a scam.
I thought the same thing – tried searching and not one single news source, Twitter source or discussion reveals the true source: the so-called Russian forum or Russian hacker. Why such emphasis on the "Russian" bit? "Oh no, it was the Russians!" Gimme a break.
I ended up actually finding it on thepiratebay.se – just search for it (there are a few fakes but read the comments and you'll find the real one).
Two questions that are in my mind are:
1) How did they get this password data and has that weakness been fixed? A formal response from LinkedIn may be needed before we find out.
2) For users who have long random passwords (say 10 chars+), is parallel computing or rainbow tables at an advanced enough state today to mean that the hacking community will likely crack the complex passwords that they’ve captured in addition to the easy ones?
I remember reading a test done by a guy who wanted to see how fast a modern GPU could crack a password. He downloaded a free cracker and did a test against Windows password hashes. In the end his rig with a single GPU could crack an 8-character complex password in a little under a month.
Now you have to consider this was one computer with a single GPU that was not top of the line. It is possible in many computers now to run 2-5 GPUs in parallel. So even with 10+ characters do you really want to make a bet that someone will not be able to crack it?
You are advocating the incorrect response to this. Everyone should do as I did and close their LinkedIn account. Companies should be punished for incompetence, and the only way to punish a company that provides a free service is to not use their service anymore.
You will soon be closing every account you maintain as, eventually, every one of them will suffer a breach of some sort. Welcome to the age of cyber-warfare…
So…Cut off nose, spite face…?
Agreed. I closed mine about 10 minutes ago. Fortunately, all my passwords on other sites are mutually exclusive. It appears LinkedIn was very reckless.
Absolutely correct. Any company that doesn't do at least the minimal standard software engineering practice of hashing and salting passwords is too incompetent to interact with.
No, we won't be closing every account we maintain, TMG. This is criminal incompetence, not widespread, common incompetence. None of the companies I have worked at stored cleartext passwords. Standard operating procedure is that customer support cannot see your password. This is not some exotic technology that only security personnel know about.
No, Barney, this is not cutting off your nose to spite your face. This is cutting off your nose because it is cancerous and going to kill you if you don't cut it off. LinkedIn has proven that they are so incompetent that you cannot trust any of their software to do anything at all remotely resembling what it should do. You are in serious danger if you continue to use LinkedIn.
What's your recommendation for remembering 300 unique passwords?
You could consider using a reputable cloud-based password manager, such as LastPass, 1Password, KeePass, etc
Define 'reputable'. Is LinkedIn not a 'reputable' web service already? …… Or is storing your passwords in one system an even worse idea?
And how do you assure they are indeed reputable? And before someone pipes up "we're XYZ certified", that's usually a point-in-time assessment.
Yeah right, like I haven’t learned any lessons from this. Make one password root for high security sites (like your online banking), another for low security sites (like online news subscriptions). Use this root PLUS additional characters unique to that site.
For instance: root password = g00dy#$)
mybank.com = g00dy#$)XYBk$$%
mynews.com = g00dy#$)MyNews
Use your imagination, and be sure to include CAPS and special characters like !@#$%^&*(()_
You can use the mynews password for all your low security sites (where you don’t care if someone hacks your password). It’s best if your high security passwords are all different, but if you remember the scheme you used to create it, you can remember it.
Then check your password to see how easy it is to hack it: DON’T put in your real password, but something similar.
http://howsecureismypassword.net/
This method works for me. If you’re worried you’ll forget it, write down part of it to help you remember. Also, make your security questions something not easily guessed, substituting special characters. For example: First Pet = boogie -> password = b00g!3
and wait until they are hacked and someone gets all of your passwords at the same time?
And what happens when your "reputable" password manager gets compromised? Who controls the cloud?
A cloud-based password manager? I think this is even worse… If you do this and in the future there is a security breach at the cloud-based passwords firm, then the bad guys will have access to ALL your passwords at the same time.
I think it's better to use local (on your PC) password managers (like KeePass) or the Master Password function of browsers like Firefox.
Personally, I will never put my life (e-mail, PayPal, Amazon, etc.) in third parties' hands.
Carole, I think you're wrong.
KeePass stores the passwords in your machine. LastPass stores them in a private server at some part of the world.
They are completely different tools.
Thanks for the references Carole… are there any guarantees those sites/services are more secure?
1Password with Dropbox works nicely.
Are you serious when you say "using a reputable cloud-based…"?
Yes, a properly designed cloud system works well. LastPass is one of them. Your passwords are always encrypted before they go to lastpass.com. And you can set up 2 factor authentication (I have a YubiKey) that requires a hardware token at any computer you have not authorized.
LastPass (and other companies) are in the business of security. LinkedIn is in the business of social apps.
Would you get a car engine repaired at the dollar store? …because, you know, they sell $1 quarts of oil there…
So they only have to hack one site to get all my passwords?
KeePass is good. I use it.
Really, that's the most stupid piece of advice I've seen all day – congratulations, you just move the problem around.
and when they get hacked in the cloud…
Yellow sticky notes on computer screen – only you and the janitor know.
I recommend having partially unique passwords, using a combination of a key word or phrase you will easily remember (but kept to yourself) and a second part that varies with each service/website.
Get an IronKey and store your passwords in a text file on that disk. You can also use two IronKeys — One in a safe-deposit box and one in your pocket.
I use KeePassX, which is a port of the Windows KeePass app to Mac OS X. It is NOT a cloud-based password manager, which is all to the good as far as I'm concerned. This LinkedIn fiasco is just another example of the downside associated with entrusting your security to others.
You should start with a base password of 8 characters, for instance, cv78df34. If you look closely you will see those are 4 keyboard pairs, meaning each 2 characters are next to each other.
Now make some letters caps: cV78Df34.
Change numbers to special characters: cV&8Df#4.
Now add 4 extra characters that change per site. For LinkedIn you could add the letters link or edin in the middle; you would end up with this: cV&8edinDf#4 or do something like this: cVe&8dDfi#4n
For each website you would have a different 12-char password, for which you only have to remember 8 characters, which are just 4 keyboard pairs you need to remember.
It takes a bit of effort to start with, but it's easier to learn than it seems. It helps if you don't check the "stay logged in" boxes on login pages for a while, so you are forced to log in to your websites every day and have to remember your password.
Now think of your own unique password system
Jinx! Looks like you and I posted our own solutions (which are pretty similar) at the exact time (down to the minute). Kudos. Great minds think alike. 🙂
I think this is actually a guerrilla marketing tactic created by LinkedIn to get people to log back into and use their system. I bet they get slammed with record-breaking traffic this week. Worked on me. I haven't been in there in over a year….. Probably won't for another year.
This is actually an amazing guerrilla marketing tactic created by LinkedIn to get people to log back into and use their system. They will get slammed with record-breaking traffic. Worked on me. I haven't been in there in over a year….. Probably won't for another year.
Think about it. Fear is an awesome motivator for viral marketing. Unconfirmed and still encrypted. Unscramble a possible hashed file. Time is ticking.. OMG… Genius! They couldn't buy this kind of publicity. They deserve a marketing award.
Still encrypted? Possible file? A real leak has been confirmed and Sophos say that 60% of the (unsalted) hashes have already been cracked. Check the related articles box on this page for the article.
Fantastic. I go to change my password, hit the 'Change password' button, and it just pops up a spinner that doesn't go away.
What does "SHA-1 unsalted password hashes" mean exactly?
To Lee's comment, I agree we should punish incompetence by taking our business elsewhere.
Who would you recommend as an alternative to LinkedIn?
Also, a shame that many of us feel compelled to "participate" in so many privacy-compromising venues, namely social media, to succeed in this ever-changing economy.
Thank you.
Okay, so let's get this right. LinkedIn has yet to confirm a breach. The posted list contains only about 25% of the hashed passwords for their user base (without associated email addresses, or identifiers). It *could* be a hoax (just because a list contains hashes of linkedin, or indeed linkedinsucks, does not mean it's from that source). The site may also be breached and still accessible to the attacker(s). And the advice is to *immediately* change your password? Er, why? If it is a hoax, that would be a redundant exercise. If it isn't, then the attacker may be using blind panic to scoop up your newly entered credentials. If your hash is not on the list (which is available online, as are instructions as to how to check locally) then again changing your credentials is somewhat redundant. It seems to me that a more sensible response would be to change any password instances associated with other sites which may be using the same as any that are in use with LinkedIn (although sharing credentials is a slight faux pas) and wait to see if this is a real breach prior to freaking out. A speculation is not proof, and I would argue that as a "senior technology consultant" there is a responsibility to assess the full threat landscape, rather than spreading FUD like manure.
I agree totally.
A carefully worded apparent confirmation by LinkedIn: http://blog.linkedin.com/2012/06/06/linkedin-memb…
Perhaps I may suggest an easy way to remember multiple passwords without using a password manager. First come up with a single, very complex password (no dictionary words, no 733T speak, etc). For example:
Nbi92#(utgq;
That's 12 characters long, fairly decent length and no patterns. Tough, but it's the only one you're memorizing. Now pick a letter in the password (for this example, let's make it the "q" near the end). For every website you visit, change that letter to the first letter of that website. So for example, if you visited yahoo.com, your password for it would be: Nbi92#(utgy;. In this manner it's very easy to memorize one brute-force impossible password (this would take 3054894 centuries to crack based on the passfault.com website), and have it differ for every website you visit.
Ta da. 🙂
Thanks! I'll remember that!
I also work with people about creating passwords and will pass this on.
Great idea!
The downside is that if someone happens to get into your password and is familiar with such a strategy, it suddenly narrows down the list of possibilities considerably.
(Of course the strategy for choosing which letter or when, etc. needn't be what you have suggested.)
You're welcome. 🙂
And like you said, no one has to know what letter (or number) you're changing. And of course you could capitalize it, or even go a step further and make it the previous letter in the alphabet (e.g. Yahoo's y instead becomes an x since x precedes y).
I am a retired pharmacist and I always use generic drug names.
Keep in mind…if your LinkedIn password was the same as any other passwords you have to update and change all those also. And in the future don't be stupid about using the same password on multiple sites.
Sorry, password re-use will always happen in some limited form, as the human brain can only retain so many of them when we have hundreds of sites.
The way I see it, using a password manager is no different to committing the other cardinal sin of writing down your passwords (or worse, using these cloud-based services that are just dying to be hacked by the criminals).
Personally I use about 6 unique passwords and of those two of them are used for insecure things like forums and blogs you don't really care about. Sensitive data like online banking, email, social networking accounts, all have their own passwords.
Works for me.
Theoretically, a great idea except that I am already supposed to remember over 100 unique passwords and regularly change them.
Industry needs to move beyond passwords….without becoming Big Brother.
How would they know where to use this password and with what account name? The LinkedIn (linkedout) problem now is bad, but don't make it more than it actually is.
The hackers have both the logon IDs and passwords. I reported a phishing attempt using my valid LinkedIn ID and password to LinkedIn on June 2nd and received a reply that they knew that their systems had been compromised.
@Kramer,
can you tell us more about this? If true, LinkedIn would be in some deep dog-doo! The email you received from them would be quite delicious to see!
Hi Kramer, Would it be fair to ask you to post a screenshot of that email in question?
I use 2-factor authentication on Gmail now. Every new machine I use to access my account requires that I enter a one-time password sent to me by SMS. Authorised machines can use the account for 30 days before requiring another SMS. So my credentials are no longer enough to access this account, at least.
Searchable DB is available at http://dazzlepod.com/linkedin/
A major problem is the number of sites that want you to register for services. I have to admit I use a common password for everything that does not involve money (I include my main email account as a financial risk because it could be used to reset the others).
My policy for financial sites is to use a word (faster to type), some funny characters (&D56£ for example) and something I don't need to write down like the four digit PIN of my first ever bank card. Hopefully that is good enough, and they are all different.
In this case they have got my common password and I have changed it at Linkedin. I cannot even remember all the other places I have used it and I wish them the best of luck in accessing land registry data or best buy deals on any web sites they manage to get into using it. (Unless someone can think of a way I can be harmed by these sites.)
Why use linkedin? Just get out of it.
I've changed my password via a browser, but I've been able to connect via the iPhone app without a prompt to change my credentials. Makes me wonder how their authentication is working across different platforms…
I checked my hash on tools available online; 2 said hacked & cracked, the other said safe. Worryingly, my profile was removed 4+ months ago! I searched the profile name, which isn't there, but links to contacts, family members etc. are… Ex-LinkedIn members might want to think about password security?
I am NOT going to be typing my password into a tool like this to see if it was hacked. That would be the definition of gullible. Much easier to just change my password; however, I'm having trouble swallowing this story to start with.
I just downloaded the file according to instructions as mentioned in comments on the FT (of all places), although the comment seems to have disappeared.
I ran the Python script (16-ish lines of simple Python code calling the standard Python hash) and got a match of my password AND my surname.
Of course the code only tests guesses, so I can't (AND DON'T WANT to) see anyone else's stuff.
So it seems the file probably contains both password and user names.
Comments?
This is not about passwords but about LinkedIn spamming, close but no cigar. I was spammed several times by LinkedIn (or so the e-mail said) to join up with many "friends" in the town where I live. Not only did I not know many of them but not one said he or she was the author of the request. Whether or not LinkedIn or someone else got all my data including my password will remain a mystery. I tried to eliminate myself from LinkedIn but that was easier said than done. There was no simple "get me out of here" switch provided by LinkedIn. I ended up deleting the data in each field and then struggled to delete my login name and password. Of course my personality and everything about me still exists somewhere in LinkedIn ready to be spammed to others. My personal advice is to just keep away from any and all "social networking" sites. Or do so with the knowledge that nothing you ever say or do on those sites is private. Am I getting paranoid? Probably, but not without good reason, having just been the victim of a 5 figure credit card fraud which was (hello, hello) just shy of my available credit limit. The downside is that I have children who have forgotten how to communicate except by Facebook. If I didn't have my basic read-only Facebook account I would never see pictures of my grandchild growing up.