Wednesday, 6 June 2012

Why I think the LinkedIn password file is fake

Well, first of all, there is no connection to LinkedIn other than the suspected 'hacker' saying it is from LinkedIn.

There are 6.5 million unique password hashes in the file. LinkedIn has approximately 160 million registered members, so on average about 25 members would share each password. That could indeed be true.
But then it means the 'hacker' has posted the password list of -all- LinkedIn members. And still many people confirm their password is -not- on the list.
For 6.5 million unique LinkedIn passwords, far too many people are denying that their password is on the list.

What people are doing at this stage is identifying themselves against a hashed SHA-1 password file. But identifying yourself by a password is by no means reliable; verifying yourself with a password is. Verification means you first state your name, and only then is a password comparison done against that one account.

So whenever a match with your password is found in the list, this doesn't mean it's YOUR password. It just means that someone, or some bot, once produced that same password. Try googling your password: chances are pretty big it will bring up at least one hit.
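To make the identification/verification distinction concrete, here is an added example in Python (not code from the original post or from LinkedIn). It does what people were doing, hashing a password with unsalted SHA-1 and looking it up in the file, and then contrasts that with a real verification against a named account. The hash list and the account table are constructed for the example; the zero-masked variant, with the first five hex digits replaced by "00000", follows what a commenter on this post reports having to search for.

```python
import hashlib
import hmac


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 hex digest, the form the leaked file is in."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def masked(digest: str) -> str:
    """Same digest with the first five hex digits zeroed, the form a
    commenter on this post reports having to search for."""
    return "00000" + digest[5:]


# Constructed stand-in for the leaked file: hashes only, no usernames.
LEAKED_HASHES = {
    sha1_hex("password123"),
    sha1_hex("letmein"),
    masked(sha1_hex("welcome1")),
    sha1_hex("7Kq#pL2v!xR9"),
}


def hash_in_leak(password: str, leaked=LEAKED_HASHES) -> bool:
    """What people were doing: hash your own password and look it up,
    in both the plain and the zero-masked form."""
    digest = sha1_hex(password)
    return digest in leaked or masked(digest) in leaked


# Constructed account table of the kind a site holds (username -> hash).
# The leak has no such column, which is the whole point.
ACCOUNTS = {
    "alice": sha1_hex("password123"),
    "bob": sha1_hex("password123"),
    "carol": sha1_hex("7Kq#pL2v!xR9"),
}


def identify(password: str, accounts=ACCOUNTS) -> list:
    """Identification: 'whose password is this?'  Returns every account
    whose stored hash matches; ambiguous as soon as a password is shared,
    and empty when the match in the leak belongs to no one you know."""
    digest = sha1_hex(password)
    return sorted(user for user, stored in accounts.items() if stored == digest)


def verify(username: str, password: str, accounts=ACCOUNTS) -> bool:
    """Verification: say who you are first, then compare exactly one hash."""
    stored = accounts.get(username)
    return stored is not None and hmac.compare_digest(stored, sha1_hex(password))


if __name__ == "__main__":
    for pw in ["password123", "welcome1", "7Kq#pL2v!xR9", "correct horse"]:
        print(f"{pw!r:16} in leak: {str(hash_in_leak(pw)):5}  identifies: {identify(pw)}")
    print("verify('alice', 'password123'):", verify("alice", "password123"))
    print("verify('alice', 'letmein'):    ", verify("alice", "letmein"))
```

Note that "welcome1" is in the constructed leak but matches no account: a hit in a hash-only file tells you the password was used by someone, somewhere, not that the entry is yours. Only `verify`, which starts from a username, answers that question.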

At this stage I don't know how the file was compiled. The only thing we can confirm at this point is that the file contains words that satisfy a 'strong' password policy.

And let's not forget: the chance that your 'strong' password is among 6.5 million unique passwords is pretty big. And yet so many people confirm they are -not- on the list...

Please remember, you are NOT your password.

ps.
Do we really think LinkedIn uses SHA-1? Haven't their security specialists heard of the HBGary and Rootkit.com hack? Even SHA-1 + salt is considered weak.
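Why unsalted SHA-1 is a bad password store, and what a salt plus a slow hash buys you, as an added example in Python (not code from the original post or from LinkedIn). Against an unsalted file an attacker hashes each candidate word once and looks it up across the whole dump, and SHA-1 runs at billions of candidates per second on commodity GPUs. With a per-user salt and a stretched hash every (account, word) pair costs a separate slow derivation. The wordlist, accounts, fixed salts and the iteration count are constructed or assumed for the example.

```python
import hashlib
import hmac
import os


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 hex digest, as the leaked file uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def crack_unsalted(leaked, wordlist):
    """Dictionary attack on unsalted hashes.  Each candidate word is hashed
    once and the digest looked up in the whole file, so one computation
    cracks every account that chose that word.  Returns (digest -> word, work)."""
    found, work = {}, 0
    for word in wordlist:
        work += 1
        digest = sha1_hex(word)
        if digest in leaked:
            found[digest] = word
    return found, work


ITERATIONS = 100_000  # assumed work factor; tune so one login costs ~100 ms


def store_password(password: str, salt: bytes = b""):
    """Hardened storage: a random per-user salt and a deliberately slow
    PBKDF2-HMAC-SHA256.  Returns (salt, derived key) for the account row."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(stored, candidate)


def crack_salted(records, wordlist):
    """The same attack against salted, stretched hashes.  The salt makes a
    precomputed or shared lookup useless, so every (account, word) pair
    costs a fresh slow derivation.  Returns (user -> word, work)."""
    found, work = {}, 0
    for user, (salt, stored) in records.items():
        for word in wordlist:
            work += 1
            if verify_password(word, salt, stored):
                found[user] = word
                break
    return found, work


# Constructed data: a tiny wordlist and three accounts, two of them weak.
WORDLIST = ["123456", "password", "linkedin", "letmein"]
LEAKED = {sha1_hex("linkedin"), sha1_hex("letmein"), sha1_hex("7Kq#pL2v!xR9")}
RECORDS = {  # fixed salts so the example is reproducible; use os.urandom in practice
    "alice": store_password("linkedin", b"\x01" * 16),
    "bob": store_password("letmein", b"\x02" * 16),
    "carol": store_password("7Kq#pL2v!xR9", b"\x03" * 16),
}


if __name__ == "__main__":
    found, work = crack_unsalted(LEAKED, WORDLIST)
    print(f"unsalted SHA-1: {len(found)} of {len(LEAKED)} cracked with {work} hashes")
    found, work = crack_salted(RECORDS, WORDLIST)
    print(f"salted PBKDF2:  {len(found)} of {len(RECORDS)} cracked with {work} slow derivations")
```

Both attacks crack the two weak passwords; the difference is the cost. Four fast hashes cover the whole unsalted file, whereas the salted table needs eleven derivations for three accounts and each one is a hundred thousand times slower. Scaled to millions of accounts, that is the gap between cracking most of a dump in hours and not at all.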

The passwords "WelcomeToLinkedIn" and "LeakedIn" are not on the list. Was there really nobody who came up with one of those?


/edit
OK, it seems I'm wrong. LinkedIn has just confirmed that at least part of the hashes correspond to LinkedIn accounts. It isn't a full confirmation, but it suggests one will come soon.

These tweets convinced me:
https://twitter.com/mrkoot/status/210352495602581505
https://twitter.com/spruceNL/status/210418946770337792
https://twitter.com/mrkoot/status/210416085483266048



4 comments:

  1. The Linkedin statement says "We can confirm that some of the passwords that were compromised correspond to LinkedIn accounts."

    Isn't that always true? As the leaked list only contains hashed passwords and no account names, the statement above is true for any system with passwords: for Google, Live, Yahoo, ISP and Windows / Mac / Linux passwords.

    So I'm still not convinced the hacker 1) has hacked Linkedin and 2) knows the relation between password and account.

    The only *proof* would be an extremely rare password like jJd8*&kdjJ838KJH that is only used on Linkedin, would appear in the hashed list.

    So far I've not seen that proof.

  2. I can confirm that my unique 25 character password created by KeePass is in the database.

  3. I just wrote an article (http://goo.gl/EbSiu in Dutch).

    LinkedIn has made a very big mistake and I almost can't believe this really happened. So they used weak encryption (but are able to "fix" this in 24 hrs; why the hell did they wait for this to happen?).

    And what's worse, they didn't even know it happened.

    Someone just had access to the database...

    I played with the thought that this was made up, however, finding my strong password back (I had to replace the first five characters with zeros) was a wakeup call...

  4. How the hell can someone get access to such a database is my question. Or worse, have control of the server the site is hosted on.

    What sort of weak protection is that for your own pc?
