Preliminary analysis of LinkedIn user passwords

As you've no doubt heard, a large tranche of hashed LinkedIn passwords has been leaked onto the net. There's no known way to turn the hash of a password back into the password itself, but you can make guesses about passwords, hash the guesses, and see if the hashed guess matches anything in the leaked database. Bunnie Huang has been making some educated guesses about the passwords, and he's reported on his findings.

I thought it’d be fun to try to guess some passwords just based on intuition alone, using LeakedIn to check the guesses. Here’s some of the more entertaining passwords that are in the database: ‘obama2012’, ‘Obama2012’, ‘paladin’, ‘linkedinsucks’, ‘fuckyou’, ‘godsaveus’, ‘ihatemyjob’, ‘ihatejews’ (tsk tsk), ‘manson’, ‘starbucks’, ‘qwer1234’, ‘qwerty’, ‘aoeusnth’ (hello fellow dvorak user!), ‘bigtits’ (really?), ‘colbert’, ‘c0lbert’, ‘bieber’, ‘ilovejustin’, ‘50cent’, ‘john316’, ‘john3:16’, ‘John3:16’, ‘1cor13’, ‘psalm23’, ‘exodus20’, ‘isiah40’, ‘Matthew6:33’, ‘hebrews11’ (bible verses are quite popular passwords!).

Interestingly, there is no ‘romney2012’ or any variant thereof.

Leaked In



  1. I had fun using this tool to guess at some other LinkedIn passwords:

    Also in the list: ‘linkedinblows’, ‘mypassword’, ‘harrypotter’, ‘analsex’, ‘buttsex’ (and many other fun variations on sex), ‘thissucks’, and wait for it… ‘boingboing’

    1. Good fun, thanks for the link.

      It also appears that “linkedin” followed by a number (for every integer up to 102) is somebody’s password.

  2. Just going on the first juvenile thing that popped into my head… “ifarted” was one of the compromised passwords. Hmmm. Classy!

    ETA: blue42 and blue41 were on the list. But blue40 was not.

  3. “Interestingly, there is no ‘romney2012’ or any variant thereof.”

    Plutocrats don’t use LinkedIn, silly!

    1. I’m pretty sure that if Romney ever meets someone who says they had to  “look for a job” you’d be able to see him physically struggle to not spit on them. 

  4. “barbiegirl” and “gonads” are on the list. But if you replaced the “o” in “gonads” with a zero, you’re fine.

    1. Eh, it just means you need to toggle it for a minute. And really, if you’re used to another layout, toggling it will probably be the first thing you do. Dvorak (and Colemak) layouts come with every OS I’ve ever seen. Takes all of 10 seconds to switch.

  5. It’s kind of sad not to have heard of the problem AT ALL from LinkedIn themselves.
    A large chunk of blame attaches to them for not having been honest about this at least 24 hours ago.
    What makes that even more sad is that they sent round a mailshot yesterday afternoon saying something about open and honest bosses being best bosses (or some such rubbish).

    Can’t believe they haven’t sent out a mass “reset your password” mail yet.

    1. Seriously! I’d expect a better level of security from one good non-specialist web developer working alone. LinkedIn, on the other hand, is a popular and widely known website that stores vast amounts of potentially sensitive user data, and whose business consists largely of finding jobs for the kinds of people who could have implemented a better system in one afternoon. What were they thinking?

    1. I would search for it and I “blame it” on recently watching WW2 documentaries and that BBC thing about racism ahead of the soccer Euro Cup in Ukraine and Poland.

      Maybe someone did the same. Horrible and shocking things tend to stick for a bit. 

      1. Ha. Hadn’t thought of that – but before I posted I double-checked to see if it was a subtle thing my brain didn’t see. And it is. One of them contains letter ‘o’ and one contains number ‘0’. Hence my snark about crappy fonts being crappy.

  6. Wait, the passwords were unsalted?!? Even the most trivial salt in the plain-text of the page’s source code would still mean that the hackers would need to re-generate all their rainbow tables.

    (PS: I love that technical jargon just sounds like nonsense to the non-jargon inclined. “But… I always salt my disabled cookies. And rainbow sprinkles are a must!”)

    1. (PS: I love that technical jargon just sounds like nonsense to the non-jargon inclined. “But… I always salt my disabled cookies. And rainbow sprinkles are a must!”)


      For the forum:

      A hash is a long string of text that is generated from a password by a process that only works one way, so there’s no equation that will allow you to get the original password from the hash. Then you can store the hash in the database, and even if the database is hacked, it’s still extremely difficult for the attacker to guess the passwords.

      A rainbow table is a database of all possible hashes that can be generated by all possible passwords (with some certain process, below some certain length.) Building one isn’t trivial, but it’s what these attackers apparently did.

      A salt is a random string, different for each user, that is combined with their password to generate a hash. If LinkedIn had used salts, the attackers would have had to build a rainbow table to guess the password of each user instead of one for the entire database.
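The guess-hash-compare loop the post describes, and the salt explanation in the comment above, as an added example that is not part of the original post or thread. It uses SHA-1 (the scheme behind the leaked LinkedIn hashes), a constructed three-user table, and a guess list taken from the passwords the post itself mentions; it shows that one precomputed table of guess hashes matches every unsalted user at once, while per-user salts make that table useless and force the work to be redone for each user.

```python
import hashlib
import os

# Constructed sample users; two of them picked the same password.
USERS = {"alice": "linkedinsucks", "bob": "john316", "carol": "linkedinsucks"}

# Guess list drawn from the post; hashed once and reused for every user.
GUESSES = ["obama2012", "linkedinsucks", "john316", "psalm23", "qwerty"]


def unsalted_hash(password: str) -> str:
    # Bare SHA-1 of the password: the unsalted scheme in the leaked dump.
    return hashlib.sha1(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    # Per-user random salt mixed in before hashing; the salt is stored
    # next to the hash and need not be secret, only unique per user.
    return hashlib.sha1(salt + password.encode()).hexdigest()


def store_unsalted(users: dict) -> dict:
    return {u: unsalted_hash(p) for u, p in users.items()}


def store_salted(users: dict) -> dict:
    return {u: (os.urandom(16), None) for u in users} | {
        u: (s, salted_hash(users[u], s))
        for u, (s, _) in {u: (os.urandom(16), None) for u in users}.items()
    }


def guess_table(guesses: list) -> dict:
    # The "rainbow table" of the comment, reduced to a plain lookup dict.
    return {unsalted_hash(g): g for g in guesses}


def crack_unsalted(leaked: dict, guesses: list):
    # Cost is len(guesses) hashes no matter how many users leaked.
    table = guess_table(guesses)
    found = {u: table[h] for u, h in leaked.items() if h in table}
    return found, len(guesses)


def crack_salted(leaked: dict, guesses: list):
    # The precomputed table never matches; every guess is re-hashed
    # under each user's own salt, so cost grows with the user count.
    found, work = {}, 0
    for u, (salt, h) in leaked.items():
        for g in guesses:
            work += 1
            if salted_hash(g, salt) == h:
                found[u] = g
                break
    return found, work
```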

  7. “Interestingly, there is no ‘romney2012’ or any variant thereof.”

    No, but ‘mittens’ is there. And in other cat-related news: ‘feline’, ‘meower’, ‘kittycat’, ‘fuzzycat’, ‘sillycat’, ‘crazycat’, ‘fuzzball’, ‘fuzzfuzz’, ‘kitten’, ‘stupiddog’, and ‘banana’. Look at that. Just look at that.

  8. Aaaand the newly spoofed LinkedIn passwords are beginning to be used for spam. I just got a raft of LinkedIn spam on an address that isn’t generally used for anything public. I don’t even use LinkedIn.

Comments are closed.