Wall Street Journal reports security breach against LinkedIn passwords
Brian St. Pierre
brian at bstpierre.org
Thu Jun 7 08:36:38 EDT 2012
On 06/07/2012 07:33 AM, Lloyd Kvam wrote:
> Today's WSJ reported in the Digits column that encrypted LinkedIn
> passwords had been leaked. Decryption efforts have been successful
> against some subset of these passwords.
>
> I was disappointed to see no acknowledgement on the LinkedIn site. (I
> just found it buried in the clutter. It's a link to CBS news??)
Bottom line: go change your LinkedIn password right now.
This post is all I've seen from LinkedIn:
http://blog.linkedin.com/2012/06/06/updating-your-password-on-linkedin-and-other-account-security-best-practices/
This project on GitHub has what appears to be a list of 6.4M password
hashes and a small bit of code to check if your password hash is in the
list. My (~20 char random string unique to LinkedIn) password's hash was
in the list, so it appears to be genuine.
https://github.com/hungtruong/LinkedIn-Password-Checker
It's not really surprising that the hashes were leaked, but it is sort
of (ok, not really) surprising to me that a big site like LinkedIn can
be storing passwords so poorly: they were just hashed with SHA-1 and no
salt.
-Brian
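
Why the missing salt matters, shown as an added example (not part of the original post, and not the code from the GitHub project linked above): with unsalted SHA-1, equal passwords store as equal hashes and any password can be checked against a dump offline, while a per-user salt with a slow KDF removes both properties. The account data, function names and iteration count are assumptions made for this illustration.

```python
import hashlib
import hmac
import os

# Constructed sample accounts; none of these values come from the leaked list.
ACCOUNTS = {"alice": "correct horse battery", "bob": "correct horse battery",
            "carol": "S3parate!"}
PBKDF2_ITERATIONS = 200_000  # assumed work factor for this example


def unsalted_sha1(password: str) -> str:
    """Storage scheme the post describes: plain SHA-1, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def in_leaked_list(password: str, leaked_hashes: set) -> bool:
    """Check one password against a set of unsalted SHA-1 hex digests."""
    return unsalted_sha1(password) in leaked_hashes


def salted_record(password: str, salt: bytes = None) -> tuple:
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = salted_record(password, salt)
    return hmac.compare_digest(digest, expected)


def duplicate_groups(stored: dict) -> list:
    """Group users whose stored values are byte-for-byte identical."""
    by_value = {}
    for user, value in stored.items():
        by_value.setdefault(value, []).append(user)
    return sorted(sorted(u) for u in by_value.values() if len(u) > 1)


if __name__ == "__main__":
    weak = {u: unsalted_sha1(p) for u, p in ACCOUNTS.items()}
    strong = {u: salted_record(p) for u, p in ACCOUNTS.items()}
    print("unsalted duplicates:", duplicate_groups(weak))
    print("salted duplicates:  ", duplicate_groups(strong))
    print("found in dump:", in_leaked_list("S3parate!", set(weak.values())))
```
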