Preliminary analysis of LinkedIn user passwords

27 Responses to “Preliminary analysis of LinkedIn user passwords”

  1. Jason Baker says:

    I had fun using this tool to guess at some other LinkedIn passwords: https://lastpass.com/linkedin/

    Also in the list: ‘linkedinblows’, ‘mypassword’, ‘harrypotter’, ‘analsex’, ‘buttsex’ (and many other fun variations on sex), ‘thissucks’, and wait for it… ‘boingboing’

    • Glen Able says:

      Good fun, thanks for the link.

      It also appears that “linkedin” followed by a number (for every integer up to 102) is somebody’s password.

  2. Steotch says:

    i knew i should have gone with b1gt1t5

  3. HeartlessMachine says:

    Just going on the first juvenile thing that popped into my head…  “ifarted” was one of the compromised passwords.  Hmmm.  Classy!

    ETA: blue42 and blue41 were on the list. But blue40 was not.

  4. edgore says:

    “Interestingly, there is no ‘romney2012’ or any variant thereof.”

    Plutocrats don’t use LinkedIn, silly!

    • Preston Sturges says:

      I’m pretty sure that if Romney ever meets someone who says they had to  “look for a job” you’d be able to see him physically struggle to not spit on them. 

  5. HeartlessMachine says:

    “barbiegirl” and “gonads” are on the list.  But if you replaced the “o” in “gonads” with a zero, you’re fine.

  6. Making your password aoeuidhtns sounds like a great idea until you’re sitting at a QWERTY keyboard and can’t remember the sequence.

    • GlyphGryph says:

      Eh, it just means you need to toggle it for a minute. And really, if you’re used to another layout, toggling it will probably be the first thing you do. Dvorak (and Colemak) layouts come with every OS I’ve ever seen. Takes all of 10 seconds to switch.

  7. Max says:

    It’s kind of sad not to have heard of the problem AT ALL from LinkedIn themselves.
    A large chunk of blame attaches to them for not having been honest about this at least 24 hours ago.
    What makes that even more sad is that they sent round a mailshot yesterday afternoon saying something about open and honest bosses being best bosses (or some such rubbish).

    Can’t believe they haven’t sent out a mass “reset your password” mail yet.

  8. Graham Fawcett says:

    Shame on them for not salting their hashes.

    • petertrepan says:

      Seriously! I’d expect a better level of security from one good non-specialist web developer working alone. LinkedIn, on the other hand, is a popular and widely known website that stores vast amounts of potentially sensitive user data, and whose business consists largely of finding jobs for the kinds of people who could have implemented a better system in one afternoon. What were they thinking?

  9. LinkMan says:

    They say “tsk, tsk” for ihatejews, and yet they thought to search for it?

    • I would search for it and I “blame it” on recently watching ww2 documentaries and that bbc thing about racism in pre soccer euro cup in Ukraine and Poland.

      Maybe someone did the same. Horrible and shocking things tend to stick for a bit. 

  10. alfanovember says:

    Correct Horse Battery Staple  FTW!

  11. They said “colbert” twice. 

    They must like “colbert”

    /crappy f0nt is crappy.

    • edgore says:

      They did one search for a hard “t” and a second for silent.

      • Ha. Hadn’t thought of that – but before I posted I double-checked to see if it was a subtle thing my brain didn’t see. And it is. One of them contains letter ‘o’ and one contains number ‘0’. Hence my snark about crappy fonts being crappy.

  12. SamSam says:

    Wait, the passwords were unsalted?!? Even the most trivial salt in the plain-text of the page’s source code would still mean that the hackers would need to re-generate all their rainbow tables.

    (PS: I love that technical jargon just sounds like nonsense to the non-jargon inclined. “But… I always salt my disabled cookies. And rainbow sprinkles are a must!”)

    • petertrepan says:

      (PS: I love that technical jargon just sounds like nonsense to the non-jargon inclined. “But… I always salt my disabled cookies. And rainbow sprinkles are a must!”)

      :) 

      For the forum:

      A hash is a long string of text that is generated from a password by a process that only works one way, so there’s no equation that will allow you to get the original password from the hash. Then you can store the hash in the database, and even if the database is hacked, it’s still extremely difficult for the attacker to guess the passwords.

      A rainbow table is a database of all possible hashes that can be generated by all possible passwords (with some certain process, below some certain length.) Building one isn’t trivial, but it’s what these attackers apparently did.

      A salt is a random string, different for each user, that is combined with their password to generate a hash. If LinkedIn had used salts, the attackers would have had to build a rainbow table to guess the password of each user instead of one for the entire database.
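      The explanation above in code form. This is an added illustration, not part of petertrepan’s comment or anything LinkedIn published: it stores a few constructed sample passwords both unsalted and with a per-user random salt, builds one precomputed hash-to-password table from a small wordlist (a plain dictionary standing in for a rainbow table, which stores chains to save space but buys the attacker the same thing: one precomputation reused against every hash), and shows that the table recovers every unsalted password but none of the salted ones. SHA-1 is used on both sides only to isolate the effect of the salt; a real deployment would also use a deliberately slow password hash such as PBKDF2 or bcrypt.

```python
import hashlib
import os

# Constructed sample wordlist of the kind of common passwords discussed above.
WORDLIST = ["password", "linkedin", "123456", "harrypotter", "boingboing"]


def hash_unsalted(password: str) -> str:
    """Weak scheme: SHA-1 of the password alone. Every user with the same
    password gets the same hash, so one precomputed table covers them all."""
    return hashlib.sha1(password.encode()).hexdigest()


def hash_salted(password: str, salt: bytes) -> str:
    """Salted scheme: a per-user random salt is mixed in before hashing, so the
    same password yields a different hash for each user. (SHA-1 is kept here
    only to match the unsalted case; use a slow password hash in practice.)"""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def build_lookup_table(words):
    """Stand-in for a rainbow table: map unsalted hash -> password for every
    word. Built once, then reused against every stored hash."""
    return {hash_unsalted(w): w for w in words}


def recover_with_table(table, stored_hash):
    """Look a stored hash up in the precomputed table; None if not covered."""
    return table.get(stored_hash)


def simulate(scheme: str):
    """Store three constructed users' passwords under `scheme` ("unsalted" or
    "salted") and report what the precomputed table recovers for each."""
    users = {"alice": "linkedin", "bob": "harrypotter", "carol": "linkedin"}
    table = build_lookup_table(WORDLIST)
    recovered = {}
    for name, pw in users.items():
        if scheme == "unsalted":
            stored = hash_unsalted(pw)
        else:
            salt = os.urandom(16)  # fresh random salt per user, stored beside the hash
            stored = hash_salted(pw, salt)
        recovered[name] = recover_with_table(table, stored)
    return recovered


if __name__ == "__main__":
    # Unsalted: all three recovered, and alice and carol even share a hash.
    print("unsalted:", simulate("unsalted"))
    # Salted: the same table matches nothing; an attacker would need a new
    # table per user (per salt), which is the whole point of salting.
    print("salted:  ", simulate("salted"))
```

With per-user salts the attacker cannot even tell from the stored hashes that alice and carol chose the same password, which is why a salt must be random and distinct per user rather than a single site-wide constant.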

    • Finnagain says:

      You’re just making these words up now.

    • Roose_Bolton says:

      Funny…I know what all of those words mean ‘separately’……

  13. milkman says:

    Good, my password of “Password1” is still safe.

  14. Robert says:

    “Interestingly, there is no ‘romney2012’ or any variant thereof.”

    No, but ‘mittens’ is there. And in other cat-related news: ‘feline’, ‘meower’, ‘kittycat’, ‘fuzzycat’, ‘sillycat’, ‘crazycat’, ‘fuzzball’, ‘fuzzfuzz’, ‘kitten’, ‘stupiddog’, and ‘banana’. Look at that. Just look at that.

  15. This needs a rainbow table unicorn chaser.

  16. heng says:

    It was for this reason that I’ve been using passhash for some time… http://wijjo.com/passhash/

  17. TheMadLibrarian says:

    Aaaand the newly spoofed LinkedIn passwords are beginning to be used for spam.  I just got a raft of LinkedIn spam on an address that isn’t generally used for anything public.  I don’t even use LinkedIn.