2012-06-06

LinkedIn: Was your password leaked?

By now, you may have heard that a list of 6.5 million hashes have been posted to the Internet, and that they appear to be password hashes from LinkedIn. CNet has some of the deets, but there's a great thread on YCombinator Hacker News where some observations are made. Namely, SHA1 hashes for easily-guessed passwords (such as "linkedin" or "password") do not show up in the list, but if you replace the first five characters of the hash with "00000", then hashes do match for simple passwords. This leads to speculation that the attackers have already cracked some of the easy ones and truncated them in the list. 

I've made a really quick and dirty web page that will help you check if your password is on the list. It features a nifty javascript SHA-1 digest hash generator so that the password you check never gets sent over cleartext. It will check hash and truncated hash against the dump. If it detects the entire hash, then your LinkedIn password hash is now in the wild, and it's likely only a matter of time until it's cracked. If the truncated version is in the password dump, it's almost certain your password is compromised.

blog comments powered by Disqus