Comments on: Preliminary analysis of LinkedIn user passwords

By: Carlos Sismeiro

Carlos Sismeiro — Fri, 08 Jun 2012 01:36:00 +0000

I would search for it and I “blame it” on recently watching ww2 documentaries and that bbc thing about racism in pre soccer euro cup in Ukraine and Poland.

Maybe someone did the same. Horrible and shocking things tend to stick for a bit.

By: TheMadLibrarian

TheMadLibrarian — Thu, 07 Jun 2012 19:40:00 +0000

Aaaand the newly spoofed LinkedIn passwords are beginning to be used for spam. I just got a raft of LinkedIn spam on an address that isn’t generally used for anything public. I don’t even use LinkedIn.

By: heng

heng — Thu, 07 Jun 2012 19:12:00 +0000

It was for this reason that I’ve been using passhash for some time… http://wijjo.com/passhash/

By: Roose_Bolton

Roose_Bolton — Thu, 07 Jun 2012 18:29:00 +0000

Funny…I know what all of those words mean ‘separately’……

By: mat catastrophe

mat catastrophe — Thu, 07 Jun 2012 18:01:00 +0000

Ha. Hadn’t thought of that – but before I posted I double-checked to see if it was a subtle thing my brain didn’t see. And it is. One of them contains letter ‘o’ and one contains number ’0′. Hence my snark about crappy fonts being crappy.

By: Robert

Robert — Thu, 07 Jun 2012 17:29:00 +0000

“Interestingly, there is no ‘romney2012′ or any variant thereof.”

No, but ‘mittens’ is there. And in other cat-related news: ‘feline’, ‘meower’, ‘kittycat’, ‘fuzzycat’, ‘sillycat’, ‘crazycat’, ‘fuzzball’, ‘fuzzfuzz’, ‘kitten’, ‘stupiddog’, and ‘banana’. Look at that. Just look at that.

By: Christian Buchner

Christian Buchner — Thu, 07 Jun 2012 17:29:00 +0000

This needs a rainbow table unicorn chaser.

By: Finnagain

Finnagain — Thu, 07 Jun 2012 17:14:00 +0000

You’re just making these words up now.

By: petertrepan

petertrepan — Thu, 07 Jun 2012 17:08:00 +0000

(PS: I love that technical jargon just sounds like nonsense to the non-jargon inclined. “But… I always salt my disabled cookies. And rainbow sprinkles are a must!”)

For the forum:

A hash is a long string of text that is generated from a password by a process that only works one way, so there’s no equation that will allow you to get the original password from the hash. Then you can store the hash in the database, and even if the database is hacked, it’s still extremely difficult for the attacker to guess the passwords.

A rainbow table is a database of all possible hashes that can be generated by all possible passwords (with some certain process, below some certain length.) Building one isn’t trivial, but it’s what these attackers apparently did.

A salt is a random string, different for each user, that is combined with their password to generate a hash. If LinkedIn had used salts, the attackers would have had to build a rainbow table to guess the password of each user instead of one for the entire database.

By: milkman

milkman — Thu, 07 Jun 2012 17:03:00 +0000

Good, my password of “Password1″ is still safe.

By: edgore

edgore — Thu, 07 Jun 2012 16:38:00 +0000

They did one search for a hard “t” and a second for silent.

By: SamSam

SamSam — Thu, 07 Jun 2012 16:19:00 +0000

Wait, the passwords were unsalted?!? Even the most trivial salt in the plain-text of the page’s source code would still mean that the hackers would need to re-generate all their rainbow tables.

(PS: I love that technical jargon just sounds like nonsense to the non-jargon inclined. “But… I always salt my disabled cookies. And rainbow sprinkles are a must!”)

By: mat catastrophe

mat catastrophe — Thu, 07 Jun 2012 16:12:00 +0000

They said “colbert” twice.

They must like “colbert”

/crappy f0nt is crappy.

By: alfanovember

alfanovember — Thu, 07 Jun 2012 16:03:00 +0000

Correct Horse Battery Staple FTW!

By: Glen Able

Glen Able — Thu, 07 Jun 2012 15:34:00 +0000

Good fun, thanks for the link.

It also appears that “linkedin” followed by a number (for every integer up to 102) is somebody’s password.

By: GlyphGryph

GlyphGryph — Thu, 07 Jun 2012 15:29:00 +0000

Eh, it just means you need to toggle it for a minute. And really, if you’re used to another layout, toggling it will probably be the first thing you do. Dvorak (and Colemak) layouts come with every OS I’ve ever seen. Takes all of 10 seconds to switch.

By: petertrepan

petertrepan — Thu, 07 Jun 2012 15:19:00 +0000

Seriously! I’d expect a better level of security from one good non-specialist web developer working alone. LinkedIn, on the other hand, is a popular and widely known website that stores vast amounts of potentially sensitive user data, and whose business consists largely of finding jobs for the kinds of people who could have implemented a better system in one afternoon. What were they thinking?

By: Preston Sturges

Preston Sturges — Thu, 07 Jun 2012 14:54:00 +0000

I’m pretty sure that if Romney ever meets someone who says they had to ”look for a job” you’d be able to see him physically struggle to not spit on them.

By: LinkMan

LinkMan — Thu, 07 Jun 2012 14:54:00 +0000

They say “tsk, tsk” for ihatejews, and yet they thought to search for it?

By: Graham Fawcett

Graham Fawcett — Thu, 07 Jun 2012 14:47:00 +0000

Shame on them for not salting their hashes.

By: Max

Max — Thu, 07 Jun 2012 14:36:00 +0000

It’s kind of sad not to have heard of the problem AT ALL from LinkedIn themselves.
A large chunk of blame attaches to them for not having been honest about this at least 24 hours ago.
What makes that even more sad is that they sent round a mailshot yesterday afternoon saying something about open and honest bosses being best bosses (or some such rubbish).

Can’t believe they haven’t sent out a mass “reset your password” mail yet.

By: HeartlessMachine

HeartlessMachine — Thu, 07 Jun 2012 14:31:00 +0000

“barbiegirl” and “gonads” are on the list. But if you replaced the “o” in “gonads” with a zero, you’re fine.

By: แอ็ะปปี้

แอ็ะปปี้ — Thu, 07 Jun 2012 14:31:00 +0000

Making your password aoeuidhtns sounds like a great idea until you’re sitting at a QWERTY keyboard and can’t remember the sequence.

By: edgore

edgore — Thu, 07 Jun 2012 14:29:00 +0000

“Interestingly, there is no ‘romney2012′ or any variant thereof.”

Plutocrats don’t use LinkedIn, silly!

By: HeartlessMachine

HeartlessMachine — Thu, 07 Jun 2012 14:27:00 +0000

Just going on the first juvenile thing that popped into my head… “ifarted” was one of the compromised passwords. Hmmm. Classy!

ETA: blue42 and blue41 were on the list. But blue40 was not.

By: Steotch

Steotch — Thu, 07 Jun 2012 14:21:00 +0000

i knew i should have gone with b1gt1t5

By: Jason Baker

Jason Baker — Thu, 07 Jun 2012 14:17:00 +0000

I had fun using this tool to guess at some other LinkedIn passwords: https://lastpass.com/linkedin/

Also in the list: ‘linkedinblows’, ‘mypassword’, ‘harrypotter’, ‘analsex’, ‘buttsex’ (and many other fun variations on sex), ‘thissucks’, and wait for it… ‘boingboing’