Preliminary analysis of LinkedIn user passwords

Cory Doctorow at 7:07 am Thu, Jun 7, 2012

As you've no doubt heard, a large tranche of hashed LinkedIn passwords has been leaked onto the net. There's no known way to turn the hash of a password back into the password itself, but you can make guesses about passwords, hash the guesses, and see if the hashed guess matches anything in the leaked database. Bunnie Huang has been making some educated guesses about the passwords, and he's reported on his findings.

I thought it’d be fun to try to guess some passwords just based on intuition alone, using LeakedIn to check the guesses. Here’s some of the more entertaining passwords that are in the database: ‘obama2012’, ‘Obama2012’, ‘paladin’, ‘linkedinsucks’, ‘fuckyou’, ‘godsaveus’, ‘ihatemyjob’, ‘ihatejews’ (tsk tsk), ‘manson’, ‘starbucks’, ‘qwer1234’, ‘qwerty’, ‘aoeusnth’ (hello fellow dvorak user!), ‘bigtits’ (really?), ‘colbert’, ‘c0lbert’, ‘bieber’, ‘ilovejustin’, ‘50cent’, ‘john316’, ‘john3:16’, ‘John3:16’, ‘1cor13’, ‘psalm23’, ‘exodus20’, ‘isiah40’, ‘Matthew6:33’, ‘hebrews11’ (bible verses are quite popular passwords!).

Interestingly, there is no ‘romney2012’ or any variant thereof.

Leaked In


  • Jason Baker

    I had fun using this tool to guess at some other LinkedIn passwords: https://lastpass.com/linkedin/

    Also in the list: ‘linkedinblows’, ‘mypassword’, ‘harrypotter’, ‘analsex’, ‘buttsex’ (and many other fun variations on sex), ‘thissucks’, and wait for it… ‘boingboing’

    • Glen Able

      Good fun, thanks for the link.

      It also appears that “linkedin” followed by a number (for every integer up to 102) is somebody’s password.

  • http://twitter.com/steotch Steotch

    I knew I should have gone with b1gt1t5

  • HeartlessMachine

    Just going on the first juvenile thing that popped into my head… “ifarted” was one of the compromised passwords. Hmmm. Classy!

    ETA: blue42 and blue41 were on the list. But blue40 was not.

  • edgore

    “Interestingly, there is no ‘romney2012’ or any variant thereof.”

    Plutocrats don’t use LinkedIn, silly!

    • Preston Sturges

      I’m pretty sure that if Romney ever meets someone who says they had to “look for a job” you’d be able to see him physically struggle to not spit on them.

  • HeartlessMachine

    “barbiegirl” and “gonads” are on the list. But if you replaced the “o” in “gonads” with a zero, you’re fine.

  • http://twitter.com/zeroanaphora แอ็ะปปี้

    Making your password aoeuidhtns sounds like a great idea until you’re sitting at a QWERTY keyboard and can’t remember the sequence.

    • GlyphGryph

      Eh, it just means you need to toggle it for a minute. And really, if you’re used to another layout, toggling it will probably be the first thing you do. Dvorak (and Colemak) layouts come with every OS I’ve ever seen. Takes all of 10 seconds to switch.

  • Max

    It’s kind of sad not to have heard of the problem AT ALL from LinkedIn themselves.
    A large chunk of blame attaches to them for not having been honest about this at least 24 hours ago.
    What makes that even more sad is that they sent round a mailshot yesterday afternoon saying something about open and honest bosses being best bosses (or some such rubbish).

    Can’t believe they haven’t sent out a mass “reset your password” mail yet.

  • Graham Fawcett

    Shame on them for not salting their hashes.

    • petertrepan

      Seriously! I’d expect a better level of security from one good non-specialist web developer working alone. LinkedIn, on the other hand, is a popular and widely known website that stores vast amounts of potentially sensitive user data, and whose business consists largely of finding jobs for the kinds of people who could have implemented a better system in one afternoon. What were they thinking?

  • LinkMan

    They say “tsk, tsk” for ihatejews, and yet they thought to search for it?

    • http://www.facebook.com/csismeiro Carlos Sismeiro

      I would search for it and I “blame it” on recently watching WW2 documentaries and that BBC thing about racism in pre-Euro Cup soccer in Ukraine and Poland.

      Maybe someone did the same. Horrible and shocking things tend to stick for a bit. 

  • alfanovember

    Correct Horse Battery Staple FTW!

  • http://twitter.com/matcatastrophe mat catastrophe

    They said “colbert” twice. 

    They must like “colbert”

    /crappy f0nt is crappy.

    • edgore

      They did one search for a hard “t” and a second for silent.

      • http://twitter.com/matcatastrophe mat catastrophe

        Ha. Hadn’t thought of that – but before I posted I double-checked to see if it was a subtle thing my brain didn’t see. And it is. One of them contains letter ‘o’ and one contains number ‘0’. Hence my snark about crappy fonts being crappy.

  • SamSam

    Wait, the passwords were unsalted?!? Even the most trivial salt in the plain-text of the page’s source code would still mean that the hackers would need to re-generate all their rainbow tables.

    (PS: I love that technical jargon just sounds like nonsense to the non-jargon inclined. “But… I always salt my disabled cookies. And rainbow sprinkles are a must!”)

    • petertrepan

      (PS: I love that technical jargon just sounds like nonsense to the non-jargon inclined. “But… I always salt my disabled cookies. And rainbow sprinkles are a must!”)

      :) 

      For the forum:

      A hash is a long string of text that is generated from a password by a process that only works one way, so there’s no equation that will allow you to get the original password from the hash. Then you can store the hash in the database, and even if the database is hacked, it’s still extremely difficult for the attacker to guess the passwords.

      A rainbow table is a database of all possible hashes that can be generated by all possible passwords (with some certain process, below some certain length.) Building one isn’t trivial, but it’s what these attackers apparently did.

      A salt is a random string, different for each user, that is combined with their password to generate a hash. If LinkedIn had used salts, the attackers would have had to build a rainbow table to guess the password of each user instead of one for the entire database.
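      As an added example (not code from the post or from any commenter), the Python below contrasts the unsalted guess-and-check the post describes with the per-user salting explained in the comment above. It assumes SHA-1 as the hash and uses constructed sample accounts and a constructed guess list.

```python
import hashlib
import os

# Constructed sample accounts (not real leaked data); two users share a password.
USERS = {"alice": "linkedin42", "bob": "obama2012", "carol": "linkedin42"}
# A small constructed guess list in the spirit of the intuition-based guessing in the post.
GUESSES = ["linkedin42", "obama2012", "romney2012", "correcthorsebatterystaple"]


def sha1_hex(data: bytes) -> str:
    # SHA-1 is an assumption made for illustration; any unsalted fast hash behaves the same.
    return hashlib.sha1(data).hexdigest()


def store_unsalted(users: dict) -> dict:
    """Unsalted storage: hash(password) only, so equal passwords give equal hashes."""
    return {u: sha1_hex(p.encode()) for u, p in users.items()}


def store_salted(users: dict, salt_len: int = 16) -> dict:
    """Salted storage: a random per-user salt kept beside hash(salt || password)."""
    out = {}
    for u, p in users.items():
        salt = os.urandom(salt_len)
        out[u] = (salt.hex(), sha1_hex(salt + p.encode()))
    return out


def crack_with_table(stored_hashes: dict, guesses: list) -> dict:
    """Hash each guess once, then look every stored hash up in that table.
    One table serves the whole database because no per-user input is mixed in."""
    table = {sha1_hex(g.encode()): g for g in guesses}
    return {u: table[h] for u, h in stored_hashes.items() if h in table}


def crack_salted(stored: dict, guesses: list) -> dict:
    """With salts, every guess must be re-hashed for every user; a shared table
    is useless, but weak passwords still fall to a per-user dictionary run."""
    found = {}
    for u, (salt_hex, h) in stored.items():
        salt = bytes.fromhex(salt_hex)
        for g in guesses:
            if sha1_hex(salt + g.encode()) == h:
                found[u] = g
                break
    return found


def hash_work(n_users: int, n_guesses: int, salted: bool) -> int:
    """Hash computations needed to test every guess against every user."""
    return n_guesses * (n_users if salted else 1)
```

      A salt only stops one precomputed table from serving every account; the per-user loop still recovers weak passwords, which is why a deliberately slow hash such as bcrypt or PBKDF2 is the other half of the fix.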

    • Finnagain

      You’re just making these words up now.

    • Roose_Bolton

      Funny… I know what all of those words mean ‘separately’…

  • milkman

    Good, my password of “Password1” is still safe.

  • Robert

    “Interestingly, there is no ‘romney2012’ or any variant thereof.”

    No, but ‘mittens’ is there. And in other cat-related news: ‘feline’, ‘meower’, ‘kittycat’, ‘fuzzycat’, ‘sillycat’, ‘crazycat’, ‘fuzzball’, ‘fuzzfuzz’, ‘kitten’, ‘stupiddog’, and ‘banana’. Look at that. Just look at that.

  • http://twitter.com/cbuchner1 Christian Buchner

    This needs a rainbow table unicorn chaser.

  • http://hgomersall.wordpress.com/ heng

    It was for this reason that I’ve been using passhash for some time… http://wijjo.com/passhash/

  • TheMadLibrarian

    Aaaand the newly spoofed LinkedIn passwords are beginning to be used for spam. I just got a raft of LinkedIn spam on an address that isn’t generally used for anything public. I don’t even use LinkedIn.