Thursday, June 7, 2012

LinkedIn Password, Passwords, Passwords!

I think in our current world you should expect your hashed password to leak online at some point.  How it happens is irrelevant to most people; just expect that it eventually will.  Does that mean your account has been compromised?  Not necessarily, or more precisely, not immediately.

The current news blurb is that a Russian hacker was able to pull a list of LinkedIn's SHA1 hashed passwords out of a magic hat and posted them onto the web.  Usernames were not posted, so you can't really match a user's credentials to get access to their profile.  This might be a part of the leak that the hacker is holding onto, looking for a buyer, but nothing is certain.  Examining the list, I have identified many of the most common passwords, such as "password", "jesus123", "l1nk3d1n", and so forth.  There were also a number of other hashes that I did not immediately recognize, though.

Interestingly enough, SHA1 does have known cryptanalytic weaknesses, but they are not what makes this leak dangerous.  The 2005 result is a collision attack: roughly 2^69 operations to find two different inputs with the same hash, well below the 2^80 a generic birthday search would take.  A collision does not let anyone reverse a hash or recover the password behind a given digest; a preimage attack on SHA1 is still about 2^160 work, which no hardware will reach.  What actually breaks these hashes is that SHA1 is fast and LinkedIn stored it without a salt.  A modern GPU computes billions of SHA1 hashes per second, so an attacker does not reverse anything: they hash every word in a dictionary and every short character combination and look for matches, and because there is no salt, each guess is checked against all six million hashes at once.

So why is LinkedIn using SHA1 for passwords?  Ease of use would be my first guess.  SHA1 is cheap to compute and simple to manage for large systems, and it is easy to assume that a hashed password is safe because the hash cannot be run backwards.  That assumption fails for passwords, which are low-entropy: nobody reverses the hash, they guess the input, and an unsalted fast hash makes guessing cheap.  The standard remedy is a deliberately slow, salted password hash such as bcrypt, scrypt or PBKDF2, which makes every guess cost orders of magnitude more and forces each user's hash to be attacked separately instead of all at once.  They probably had a lot of trust in their security setup as well and didn't anticipate a leak of this caliber.

Either way, if you have a LinkedIn account, go change your password.  Make it unique, and for the best security, use an auto-generated password that you save in a password manager.

Interesting stats,

6,143,150 hashes listed
3,521,180 hashes whose first five hex characters were replaced with zeros (the dump's marker for passwords already cracked)
2,621,970 hashes without the five-zero prefix (still unknown)
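As an added example (not code from the original post, and every hash in it is constructed from a toy wordlist), the Python below shows the mechanics behind both the SHA1 discussion above and the stats: it parses a small dump in the same format, including entries masked with the five-zero prefix, runs a dictionary attack against the unsalted SHA1 hashes, and then times one guess against a salted PBKDF2 hash so the cost difference is visible.  The sample dump, the wordlist and the function names are all assumptions made here.

```python
"""Dictionary attack on unsalted SHA-1 password hashes, in the format of the
LinkedIn dump, next to a salted slow KDF for comparison.

Added example; it is not code from the original post. Every hash below is
constructed here from a toy wordlist. The 00000 prefix convention mirrors the
dump, where hashes that had already been cracked had their first five hex
characters overwritten with zeros.
"""
import hashlib
import os
import time

# Constructed wordlist: the sort of guesses the post says it recognised.
WORDLIST = ["password", "jesus123", "l1nk3d1n", "123456", "linkedin", "letmein"]


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1, the scheme the dump used."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Constructed sample "dump": some plain hashes, some masked with 00000 as in
# the real file, one hash of a password not in the wordlist, and one junk line.
SAMPLE_DUMP = [
    sha1_hex("password"),
    "00000" + sha1_hex("jesus123")[5:],
    sha1_hex("l1nk3d1n"),
    "00000" + sha1_hex("123456")[5:],
    sha1_hex("zq9!Vx2#Lm"),  # not in WORDLIST, so it stays unknown
    "not-a-hash",
]


def clean(hashes):
    """Keep only lines that look like a 40-hex-char SHA-1 digest."""
    out = []
    for line in hashes:
        h = line.strip().lower()
        if len(h) == 40 and all(c in "0123456789abcdef" for c in h):
            out.append(h)
    return out


def dump_stats(hashes):
    """Count listed, masked (00000-prefixed) and unmasked hashes, as the post does."""
    valid = clean(hashes)
    masked = sum(1 for h in valid if h.startswith("00000"))
    return {"listed": len(valid), "masked": masked, "unmasked": len(valid) - masked}


def build_lookup(wordlist):
    """Hash each guess once. With no salt, one table serves every user in the
    dump, which is why unsalted fast hashes fall so quickly."""
    return {sha1_hex(w): w for w in wordlist}


def crack(hashes, lookup):
    """Return {hash: password} for every hash the lookup explains. Masked
    entries are matched on their remaining 35 hex characters."""
    by_suffix = {h[5:]: w for h, w in lookup.items()}
    found = {}
    for h in clean(hashes):
        word = by_suffix.get(h[5:]) if h.startswith("00000") else lookup.get(h)
        if word is not None:
            found[h] = word
    return found


def salted_digests(password: str, iterations: int = 100_000):
    """Two PBKDF2-HMAC-SHA1 digests of the same password under fresh random
    salts; they differ, so no shared lookup table is possible."""
    a = hashlib.pbkdf2_hmac("sha1", password.encode(), os.urandom(16), iterations).hex()
    b = hashlib.pbkdf2_hmac("sha1", password.encode(), os.urandom(16), iterations).hex()
    return a, b


def cost_per_guess(password: str = "password", iterations: int = 100_000, n_fast: int = 2000):
    """Seconds per guess for plain SHA-1 versus PBKDF2-HMAC-SHA1 at the given
    iteration count, measured on this machine."""
    t0 = time.perf_counter()
    for _ in range(n_fast):
        sha1_hex(password)
    fast = (time.perf_counter() - t0) / n_fast
    t0 = time.perf_counter()
    hashlib.pbkdf2_hmac("sha1", password.encode(), os.urandom(16), iterations)
    slow = time.perf_counter() - t0
    return fast, slow


if __name__ == "__main__":
    print(dump_stats(SAMPLE_DUMP))
    for h, w in crack(SAMPLE_DUMP, build_lookup(WORDLIST)).items():
        print(h, "->", w)
    fast, slow = cost_per_guess()
    print(f"SHA-1: {fast*1e6:.2f} us/guess  PBKDF2(100k): {slow*1e3:.1f} ms/guess  "
          f"ratio ~{slow/fast:,.0f}x")
```

Run it with python3 and it cracks four of the five real hashes, including both masked ones, and leaves the one not in the wordlist unknown, which is exactly the split the stats above describe.  The CPU timing understates what a GPU cracker does to SHA1 by several orders of magnitude, but the ratio is the point: the same iteration count that makes one PBKDF2 guess take tens of milliseconds makes it cost that much for every attacker, and the per-user salt means the lookup table built once in build_lookup cannot be reused at all.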
