LinkedIn® Password Hash Leak

Robert (RJ) Jeffries

June 07, 2012 - Posted by Robert (RJ) Jeffries to Security Insight

LinkedIn, the popular social networking site for professionals, has confirmed reports that it suffered a breach and that a significant number of password hashes may have been leaked. The bottom line, up front: it is estimated that 6.5 million hashes, etc., may have been stolen. If you have a LinkedIn account, it is advisable to change your password immediately, or as soon as possible.

According to some estimates, this is a small portion of their user base, and one could argue that a password hash leak is technically not the same thing as a password leak. Unfortunately, however, such arguments are moot in this case. Why?

Although the hashes in this case are arbitrary blocks of data that are extremely difficult to crack directly, having a list of words and word combinations that produce the exact same hash values is pretty much the same thing as having the passwords. One very common form of password attack is called a ‘dictionary’ attack, and it is increasingly common for these unique hashes to be used as an index to look up their equivalent non-hashed values (i.e., passwords). If that were not enough, it is feasible for an attacker to take this list of hashes and sift through it, looking for the passwords that show up most often. This, in turn, could increase the likelihood of an account being compromised, simply because of how common its password is.
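The lookup and frequency counting described above, as an added example that is not part of the original post. The user names, passwords, word list and the choice of unsalted SHA-1 are constructed assumptions; the `salted` function shows per-user salting with PBKDF2 as the contrasting storage scheme.

```python
import hashlib, hmac, os
from collections import Counter

def unsalted(password):
    # Assumption for illustration: plain SHA-1 with no salt (the post names no algorithm).
    return hashlib.sha1(password.encode()).hexdigest()

def build_index(wordlist):
    # Precomputed once: hash value -> the word that produces it.
    return {unsalted(w): w for w in wordlist}

def recover(leaked, index):
    # Each leaked hash is just a key into the index; nothing is "cracked".
    return {h: index[h] for h in set(leaked) if h in index}

def most_common(leaked, n=1):
    # Identical passwords give identical unsalted hashes, so counts leak popularity.
    return Counter(leaked).most_common(n)

def salted(password, salt=None, iterations=200_000):
    # Contrast: a random per-user salt and a slow KDF (PBKDF2-HMAC-SHA256).
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def verify(password, salt, digest):
    # Recompute with the stored salt and compare in constant time.
    return hmac.compare_digest(salted(password, salt)[1], digest)

# Constructed sample data, not taken from any real leak.
USERS = {"alice": "linkedin1", "bob": "linkedin1",
         "carol": "Tr0ub4dor&3", "dave": "password"}
WORDLIST = ["password", "123456", "linkedin1", "letmein"]
LEAKED = [unsalted(p) for p in USERS.values()]

if __name__ == "__main__":
    print(recover(LEAKED, build_index(WORDLIST)))   # two of three distinct hashes resolve
    print(most_common(LEAKED))                      # the shared password stands out
    (s1, d1), (s2, d2) = salted("linkedin1"), salted("linkedin1")
    print(d1 != d2, verify("linkedin1", s1, d1))    # same password, different stored values
```

With salted storage the same password no longer produces the same stored value, so a single precomputed index and a frequency count stop working across accounts.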

LinkedIn has taken some commendable steps in their response to this matter, and they have published some strong recommendations on how to best select and manage passwords. Such best practices include:

  • Do not reuse passwords from site to site, network to network, etc.
  • Never change your password on a page that you arrived at by clicking on a link in an email.
  • Change your password often (every few months or so).
  • Do not use common words or phrases, or ones that could be easily looked up. (Please note that with the advent of social networking, it’s pretty common to see information about pets, birthdates, family names etc., being posted on other sites, so it’s not advisable to use these ‘words’ either.)
  • Use random symbols, numbers and case in your passwords.
  • If you can, use somewhere around 12 characters or more in your password.
  • If you choose to use a password manager, don’t forget to use a very strong password and encrypt the file (These can be stolen too if you’re not careful!).

On a final note, you might notice some recommendations out there to ‘click here to see if your password was stolen’. Please… just… don’t. While the intent here may be commendable, from a best practice perspective, this is the equivalent of breaking the most important rule on passwords:

Never, ever share your password with anyone! Ever!
