
LinkedIn password leak - trumpeter
https://usblog.kaspersky.com/linkedin-password-leak/7160/
======
kazinator
> _If you’re not sure how strong your password is, test sample passwords with
> our password checker here._

That is irrelevant in the face of leaked passwords; what matters most in that
situation is that your password is something other than your leaked one.

If the passwords were leaked due to being stored in plain-text, no amount of
complexity would protect them, obviously.

Don't use the same password on multiple sites. If your LinkedIn password is
leaked, you don't want that same password to grant access to your bank
account. That's just as important as how strong the password is, if not more.

If some site has suffered a password leak, and you're a user of that site, you
must change the password on that site, and also on all other sites where you
happened to use the same password. Do it as quickly as possible without
worrying how strong the new passwords are. Then change later to stronger ones.

A password's strength is inversely proportional to how often you change it.
For instance, if you happen to change a password every week (for the sake of
argument---few people likely do), and it takes a month to crack on the best
available hardware cluster, then you're probably okay. If you change only once
a year, you're much less okay; a surreptitious password breach could happen,
and two months of cracking later, the attackers have your password. Meanwhile,
you're still months away from changing it, not knowing there had been a
breach.

By the time users learn about a breach---if ever---they should assume that
their passwords have been cracked, because some unknown amount of time has
passed between the actual break and the discovery. The discovery will likely
stem from the fact that some of the "lower hanging" passwords have been
cracked and accounts start being misused. The site admins can then only guess
from various circumstantial information (logs or whatever other breadcrumbs
were left behind) about when the leak might have occurred.

~~~
lazaroclapp
> If the passwords were leaked due to being stored in plain-text, no amount of
> complexity would protect them, obviously.

One assumes LinkedIn does not store plain text passwords anywhere. That would
be against best practice for the average PhpBB online forum from the late 90s.
It would be criminal negligence from a company like LinkedIn. How strong your
password is (and which kind of hashing function the site uses) does influence
how long it takes to obtain a plausible plain text password assuming that the
exfiltrated data is in the form of a list of salted hashes, which is the most
reasonable assumption.

That said, changing passwords everywhere remains the safest course. Since: a)
4 years is a long time to run a password cracker + dictionary, b) there is
always the possibility that the passwords were intercepted on server memory
before hashing.

~~~
Jhsto
The said dump contains unsalted SHA1 encrypted passwords:
[https://www.leakedsource.com/blog/linkedin](https://www.leakedsource.com/blog/linkedin)

~~~
ashitlerferad
s/encrypted/hashed/

~~~
kazinator
Nitpicking. Even the Unix guys, whose line editing language you're using
there, called the password hashing function "crypt"; everyone knows what it
means.

~~~
cyphar
"crypt" = "cryptographic hash" != "encryption".

Not to mention that someone might get the wrong idea and decide that
encryption (or single-round hashing) is good enough.
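To make cyphar's point concrete, here is an added example (written for this thread, not code from any poster or from LinkedIn) contrasting single-round unsalted SHA-1, the scheme the dump is reported to use, with a per-user salt plus an iterated KDF. The sample user records are constructed; the PBKDF2 iteration count is an assumption. The `duplicate_digest_ratio` check is the kind of thing an auditor runs over a dump: identical digests across users can only happen when storage is unsalted.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed demo records (not data from any real dump): two users chose the same password.
SAMPLE_USERS = [
    ("alice", "linkedin"),
    ("bob", "Passw0rd!"),
    ("carol", "linkedin"),
]

PBKDF2_ITERATIONS = 100_000  # assumption: a reasonable work factor for this demo


def unsalted_sha1(password):
    """Single-round, unsalted SHA-1, the scheme the dump is reported to use.
    Same password -> same digest for every user, and a precomputed table of
    common passwords maps such digests straight back to plaintext."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_slow_hash(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Per-user random salt plus an iterated KDF (PBKDF2-HMAC-SHA256).
    Returns (salt, iterations, digest): everything needed to verify later."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def verify_slow_hash(password, record):
    """Recompute with the stored salt and work factor; compare in constant time."""
    salt, iterations, expected = record
    _, _, actual = salted_slow_hash(password, salt, iterations)
    return hmac.compare_digest(actual, expected)


def duplicate_digest_ratio(digests):
    """Fraction of records whose digest also appears under another record.
    Any duplicates at all are a tell-tale sign of unsalted storage, because
    salting makes identical passwords hash differently."""
    counts = Counter(digests)
    duplicated = sum(c for c in counts.values() if c > 1)
    return duplicated / len(digests)


def unsalted_table(users):
    return [unsalted_sha1(pw) for _, pw in users]


def salted_table(users, iterations=PBKDF2_ITERATIONS):
    return [salted_slow_hash(pw, iterations=iterations)[2] for _, pw in users]


if __name__ == "__main__":
    print("unsalted duplicate ratio:", duplicate_digest_ratio(unsalted_table(SAMPLE_USERS)))
    print("salted duplicate ratio:  ", duplicate_digest_ratio(salted_table(SAMPLE_USERS)))
```

Salting alone only defeats precomputed tables; the iteration count is what makes each guess expensive, which is the "key stretching" that determines how long a leaked table survives.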

~~~
kazinator
[https://www.freebsd.org/cgi/man.cgi?crypt%283%29](https://www.freebsd.org/cgi/man.cgi?crypt%283%29)

    NAME
        crypt -- Trapdoor encryption

Linux man page:

    NAME
        crypt, crypt_r - password and data encryption

Solaris 10 man page:

    NAME
        crypt - string encoding function

Darwin:

    DESCRIPTION
        The crypt() function performs password encryption ...

~~~
cyphar
To be fair, "trapdoor encryption" == "hash".

------
wglb
_1: Change your password. RIGHT NOW. If you’re not sure how strong your
password is, test sample passwords with our password checker here._ Seriously?

Keep in mind that these estimates are based on some bogus entropy estimation.
If a password hacking guy runs the correct dictionary past the hashes you
password generates, it might be as small, well, as the first one tried. For
example, run the passphrase _Ph 'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl
fhtagn1_ past the kaspersky bruteforce estimator, you get 10,000 centuries.
But this is clearly false, as indicated in
[http://arstechnica.com/security/2013/08/thereisnofatebutwhat...](http://arstechnica.com/security/2013/08/thereisnofatebutwhatwemake-turbo-charged-cracking-comes-to-long-passwords/). They clearly "cracked" this
in far less time: "in a matter of minutes".

~~~
fnordsensei
So, being one of the people who hovers around laymanship when it comes to
these questions, how hard is it to crack a randomly generated 25 character
string with 5 digits and 5 symbols? This is typically what I would use for a
website.

~~~
chronial
How do you randomly generate these passwords?

~~~
beberlei
You can install a tool "pwgen" on Linux machines that will generate you
passwords, configurable with size and types of characters included.

    pwgen -y 40 1

Generates one password with 40 chars, including special chars (-y).

~~~
pdw

    head -c 24 /dev/urandom | base64

will give you a password with 24 * 8 = 192 random bits.

------
warrenpj
The best security that an individual can get from passwords is clearly
achieved by using a password manager and generating a unique random password
for each site, and changing high-value passwords periodically. (It's arguably
already impossible for a human to generate or remember enough good passwords,
and either way it gets harder as computers get better at guessing human-
generated passwords.)

However, from the point of view of someone implementing an authentication
system, passwords on their own are broken. There will be a significant
fraction of users who re-use their password at a site with minimal-effort
security. If you subscribe to the idea that computer professionals have a
moral duty to safeguard people's private information entrusted to them, then
password-only authentication is just broken.

The solution is to either: spend the money to implement a multiple factor
authentication system (with a secure password database and fraud detection) or
use a federated identity service. (Even just sending a one-time login code via
email is fine). The latter is simple and takes even less effort than
implementing a password system from scratch.

There should be fines (at the very least) for having an unsalted password
database with more than X number of users.
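As an added example of the "one-time login code via email" option warrenpj describes (written for this thread; not LinkedIn's or any project's code), this is the server side of such a scheme: the code is random, expires, is consumed on first use, is limited in guesses, and is stored only as a keyed hash so a database read does not reveal live codes. The TTL, attempt limit and per-process key are assumptions; the store is an in-memory dict standing in for a database table.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 600   # assumption: a code is valid for 10 minutes
MAX_ATTEMPTS = 5         # assumption: 5 wrong guesses burn the code

# Assumption: in production this key comes from configuration; here it is generated per process.
SERVER_KEY = secrets.token_bytes(32)

# In-memory store keyed by e-mail address; a real deployment keeps the same fields in a database.
_pending = {}


def _code_digest(email, code):
    """Keyed hash of the code, so a read of the store does not expose live codes."""
    return hmac.new(SERVER_KEY, f"{email}:{code}".encode(), hashlib.sha256).digest()


def issue_code(email, now=None):
    """Create a fresh 8-digit code for `email` and return it (this is what gets e-mailed).
    Issuing a new code replaces any outstanding one for that address."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10 ** 8):08d}"
    _pending[email] = {
        "digest": _code_digest(email, code),
        "expires": now + CODE_TTL_SECONDS,
        "attempts": 0,
    }
    return code


def redeem_code(email, submitted, now=None):
    """True exactly once for the right, unexpired code. The code is consumed on
    success, on expiry, and after MAX_ATTEMPTS wrong guesses."""
    now = time.time() if now is None else now
    entry = _pending.get(email)
    if entry is None:
        return False
    if now > entry["expires"]:
        del _pending[email]
        return False
    entry["attempts"] += 1
    if entry["attempts"] > MAX_ATTEMPTS:
        del _pending[email]
        return False
    if hmac.compare_digest(entry["digest"], _code_digest(email, str(submitted))):
        del _pending[email]
        return True
    return False


if __name__ == "__main__":
    code = issue_code("user@example.com")
    print("mailed code:", code, "-> redeem:", redeem_code("user@example.com", code))
    print("second use:", redeem_code("user@example.com", code))
```

The guess limit matters more than the code length: an 8-digit code is worthless against an attacker who can try it ten thousand times, and harmless against one who gets five tries in ten minutes. Whether the e-mail inbox itself is a strong enough factor is a separate question, which the thread's later SMS discussion raises for phones.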

~~~
nyir
Or for an unhashed password database, c.f.
[http://plaintextoffenders.com/](http://plaintextoffenders.com/).

~~~
unlinker
The fact that your password is mailed in plain text to you when you register
does not prove the password is not hashed when it's stored.

In a "lost password" mail, of course, that's another thing.

~~~
crottypeter
But the mail is stored!

~~~
unlinker
By you, right? Or is it common practice to store outgoing mails?

~~~
jonathankoren
You could always not store password reset emails.

------
stephenitis
useful tool to check your emails
[https://haveibeenpwned.com](https://haveibeenpwned.com)

[https://haveibeenpwned.com/PwnedWebsites](https://haveibeenpwned.com/PwnedWebsites)
hasn't been updated yet with this yet because the list hasn't leaked entirely.

Also change your password: [https://www.linkedin.com/psettings/change-password](https://www.linkedin.com/psettings/change-password)

------
oxguy3
Woo, I created my LinkedIn profile in 2015, so I should be safe since the leak
is supposedly from 2012. If anyone else isn't sure when they made their
LinkedIn, you can see your join date here (ctrl+f "Member since"):
[https://www.linkedin.com/psettings/](https://www.linkedin.com/psettings/)

~~~
cfontes
2009... Awesome.

Linkedin should probably be the one warning me about this, but I never heard
of this before.

Edit: filtered as Spam, nevertheless they should have locked my account.

~~~
semi-extrinsic
I believe it's been proven impossible to write a spam filter to distinguish
useful LinkedIn email from spammy LinkedIn emails, since the spam filter would
then be able to solve the halting problem.

~~~
eru
Can't you just write this?

    isUseful :: LinkedInMessage -> Bool
    isUseful _ = False

~~~
sleepychu
Sure, but password leak is pretty useful.

------
benologist
I got an email from them this morning about this, it just smells like all
their other junkmail begging me to +1 their active users.

Why don't they invalidate the passwords all at once instead of letting --
someone -- use the potentially compromised passwords again...

~~~
tomp
Incredible... The email says:

"We've recently noticed a potential risk to your LinkedIn account coming from
outside LinkedIn."

That's almost as bad as saying "we take security very seriously" after a hack!

~~~
optimusclimb
What does that even mean?

How can a risk come from "outside" LinkedIn related to my password? If I
haven't leaked my own password, then there should be nothing to fear, and my
account should be secure.

Unless of course LINKEDIN ITSELF is compromised, and leaked my password. In
that case, the wording about "coming from outside LinkedIn" just smells like
BS/spin to me.

------
Tharkun
I got an e-mail from LinkedIn today saying that I would be forced to reset my
password upon my next login. They didn't say why. I guess this explains it.

~~~
FroshKiller
The email did say why:

"We've recently noticed a potential risk to your LinkedIn account coming from
outside LinkedIn. Just to be safe, you'll need to reset your password the next
time you log in."

~~~
Tharkun
Yeah, that's vague garbage. What it should have said was: "Our password
database was stolen and we fucked up when we tried to roll our own password
hashing. Your password is likely compromised and you should change it. If you
use the password on multiple websites, you should change it everywhere."

~~~
Thrymr
Even better, they have you click the "Forgot your password" link, as if it was
your fault.

------
zeveb
Aaaand that's why I use 'pwgen -s 22' to generate a unique password for every
single site I use. I don't care if a salted password database is stolen; heck,
as soon as I change my password I don't even care if a plaintext database is
stolen.

Why -s? Because it means each password is a complete word, and may easily be
double-clicked in a password list (which is nice, because selection is copy in
X).

Why 22 characters? Because 22 mixed-case letters and digits are just over 128
bits of entropy.

Say it with me:

    pwgen -s 22

~~~
savanaly
How do you track those passwords? I presume not with a password manager
otherwise it would be creating your passwords for you. Do you keep them in a
text file on your computer or write them down and carry them around with you
or something?

~~~
zeveb
I store them in an encrypted file on my computer: the encryption password _is_
memorable, but since I have physical control of my computer (I hope!) I think
the security tradeoff is a win. Rather than many memorable-but-guessable
passwords scattered across numerous services, I have one memorable-but-
guessable password (well, passphrase) securing a file I control.

Writing them down would probably be even better.

------
luso_brazilian
Considering the amount of "growth hacking" LinkedIn uses (used?) to do, sending
too many emails to too many people, this breach can be much more dangerous than
usual.

People raise eyebrows when they get phishing emails, but when it comes
purposely from LinkedIn and vouched for by your social and professional circle
it could get much more credible and easy to fall for.

~~~
foota
I got an email from linkedin a couple weeks ago and had the hardest time
deciding if it were real or fake.

------
benzor
Question for the more security-savvy among you: If the leak happened in 2012
and I've changed my password since then (it's listed in your account page
[1]), do I need to change it again?

Logic tells me I've got nothing to worry about, even considering potential
password reuse, if they've all changed since then.

[1]
[https://www.linkedin.com/psettings/account](https://www.linkedin.com/psettings/account)

~~~
Coincoin
I changed it when they first announced the leak in 2012. It didn't ask me to
change it when I logged today and they didn't send me the email today. I guess
they know my new password is secure since I changed it since the leak.

------
koyao
And LinkedIn is now asking me to enter my phone number:

"Add an extra layer of security to your account. Add your phone number."

Leaking my email / password is bad enough; I'm not going to give them my phone
number for more damages!

~~~
eru
Also, access to your phone (or rather anything send to your phone number) is
trivial to get via social engineering the telco.

(The attack is not very scalable, but easy enough to pull off against
individual targets.)

------
jasonpeacock
Also, why is the 2FA option hidden under "Privacy" and not right next to the
Change Password option?

You'd think they would want to advertise 2FA better...

~~~
jimktrains2
Why do people insist on using sms as the second factor? Let me use TOTP (e.g.
Google Authenticator). I don't get reception everywhere!

~~~
bigiain
I get you - but how many places do you not get sms reception but you still
have enough internet connection to be trying to log in to LinkedIn? (Inside a
data center, maybe?)

~~~
aianus
> I get you - but how many places do you not get sms reception but you still
> have enough internet connection to be trying to log in to LinkedIn?

Any time you travel internationally? My phone only has one SIM slot and it's
not going to be the $10/MB roaming one from back home.

SMS 2FA is an awful trend.

~~~
bigiain
I agree about SMS being a bad choice for 2FA, and so do the Telcos here:

[http://www.itnews.com.au/news/telcos-declare-sms-unsafe-for-...](http://www.itnews.com.au/news/telcos-declare-sms-unsafe-for-bank-transactions-322194)

"The lobby group for Australian telcos has declared that SMS technology should
no longer be considered a safe means of verifying the identity of an
individual during a banking transaction."

and

"SMS is not designed to be a secure communications channel and should not be
used by banks for electronic funds transfer authentication,"

------
may
You can see how long you've been a LinkedIn member by going to your Privacy &
Setting page, where it displays at the top.

[https://www.linkedin.com/psettings/](https://www.linkedin.com/psettings/)

------
joelthelion
Do we know how strong their hashing scheme was?

Edit: SHA-1... You'd think a site as big as linkedin would have strong
hashing...

~~~
conradk
Just read about it being sha-1 (source:
[http://www.pcworld.com/article/257045/security/6-5m-linkedin...](http://www.pcworld.com/article/257045/security/6-5m-linkedin-passwords-posted-online-after-apparent-hack.html)).

~~~
vthallam
Sha-1 with the hashes salted.

Edit: "Motherboard conversed with someone at LeakedSource who claimed that
they managed to crack 90 percent of the LinkedIn passwords within three days.
Though LinkedIn says it has hashed and salted its stored passwords for several
years now"

[http://venturebeat.com/2016/05/18/linkedin-resets-passwords-...](http://venturebeat.com/2016/05/18/linkedin-resets-passwords-on-millions-of-accounts-as-new-data-leak-reports-surface/)

~~~
zaroth
Unsalted

------
ryanlol
My theory is that this data leaked via custhelp.com, the filename of the data
dump I have (linkedin.cfg) seems to support that.

This would also explain linkedins initial "confusion" regarding the hack.

~~~
danso
Could you elaborate? Also, when you say _' "confusion"'_, do you mean it was
feigned?

~~~
ryanlol
Linkedins support site URLs (hosted by custhelp.com) used to look something
like this [http://linkedin.custhelp.com/cgi-bin/*linkedin.cfg*/php/endu...](http://linkedin.custhelp.com/cgi-bin/*linkedin.cfg*/php/enduser/std_alp.php)

I know custhelp used to be particularly insecure right around when this hack
happened, as I myself discovered several vulnerabilities back then.

> Also, when you say '"confusion"', do you mean it was feigned?

Partly. From what I recall it took them quite a while to own up to this very
easily verifiable hack, which could very well have been because they couldn't
figure out why it happened because it didn't actually happen on their systems.

~~~
danso
Ah...I assumed that a leak happening via third-party would be an excuse for a
company to be legit confused at first and then breathe a sigh of relief
because that means they can blame someone else in the press release. Though I
guess that's tricky when people start asking about why their data is being
given in bulk to a third party in the first place...

~~~
h1srf
Doesn't matter. If your logo is on the product, it's your fault. Full stop.

~~~
travoc
That's why I put the Google Maps logo on my surveillance van.

------
jedmeyers
> test sample passwords with our password checker here.

Do NOT do that with your exact password though :)

~~~
pdq
Link: [https://password.kaspersky.com/](https://password.kaspersky.com/)

I'm impressed by the password cracking estimation with the Tianhe-2
Supercomputer. A 10-character password containing uppercase letters, lowercase
letters, and numbers, which is estimated at a 4 year crack with a Macbook Pro,
takes 31 seconds on the supercomputer.

~~~
zaroth
The timings are meaningless since they depend entirely on the hashing
algorithm and how much key stretching was in place.

Is even the basic ratio/multiplier correct? Supercomputer is 1,000,000x faster
than a 2012 MacBook Pro? I tried a few random strings and saw ratios as high
as 3,000,000 - why would the ratio change based on the password? Probably
because the number is nonsense.

~~~
1024core
> why would the ratio change based on the password?

Probably because they may assume a dictionary order of cracking attempts?

~~~
zaroth
I mean, why would the supercomputer sometimes be 1,000,000 times faster and
then for a different password be 3,000,000 times faster?

------
heartsucker
I'm going to use this to recommend a CLI for strong, memorable passwords (if
you're not using something like KeePass).

[https://github.com/ulif/diceware/](https://github.com/ulif/diceware/)

    $ pip install diceware
    $ diceware -n 8 -d ' ' --no-caps
    proton hunts blake 31 pope pivot taped plain
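The three generators in this thread (pdw's `head -c 24 /dev/urandom | base64`, zeveb's `pwgen -s 22`, and heartsucker's diceware) are all the same idea: uniform choices from an alphabet, with entropy = length × log2(alphabet size). As an added example for this thread (not code from pwgen, diceware or any poster), the block below does both the character and the word-list form with Python's CSPRNG and computes the bit counts the posts quote. The eight-word list is a constructed toy stand-in; the entropy functions take the list length as input, so they give the right numbers for a real 7776-word list too.

```python
import math
import secrets
import string

# pwgen -s style alphabet: mixed-case letters and digits, 62 symbols.
ALNUM = string.ascii_letters + string.digits

# Constructed toy stand-in for a diceware list (real lists have 7776 entries).
TOY_WORDLIST = ["proton", "hunts", "blake", "pope", "pivot", "taped", "plain", "river"]
DICEWARE_LIST_SIZE = 7776  # 6^5: five dice rolls per word


def entropy_bits(alphabet_size, length):
    """Bits of entropy for `length` independent uniform picks from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def length_for_bits(target_bits, alphabet_size):
    """Smallest length that reaches target_bits with this alphabet."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def random_password(length=22, alphabet=ALNUM):
    """Uniformly random characters from a CSPRNG, like pwgen -s. Do not use random.choice."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(n_words=8, wordlist=TOY_WORDLIST, sep=" "):
    """Diceware-style: n words chosen uniformly, with replacement, from the list."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    print(f"pwgen -s 22 style: {random_password()}  "
          f"({entropy_bits(len(ALNUM), 22):.1f} bits)")
    print(f"24 urandom bytes: {entropy_bits(256, 24):.0f} bits, "
          f"{length_for_bits(192, 64)} base64 chars")
    print(f"8 diceware words: {entropy_bits(DICEWARE_LIST_SIZE, 8):.1f} bits")
    print(f"toy passphrase: {random_passphrase()}")
```

The numbers confirm the posts: 22 alphanumerics give about 131 bits, 24 random bytes give exactly 192 bits (32 base64 characters carry them), and 8 words from a 7776-word list give about 103 bits. Those figures hold only when every pick is uniform and independent; an estimator that looks at the finished string, as wglb notes, cannot tell that from a memorable quotation.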

------
vermooten
Who cares if their LinkedIn account gets hacked? In my case they'll be able to
see 500+ recruitment agents I've never heard of as my 'contacts'.

~~~
cschmidt
I think password reuse is the big deal. Lots of people use the same passwords
on more important accounts, which they would mind losing.

~~~
ryan-c
I know of a company that experienced a data breach (one that was reported in
the news) due to an employee using the same password on linkedin as on their
company account.

~~~
ryanlol
Was linkedin verified to be the source of the password or is this just
speculation?

~~~
ryan-c
The person at that company who I heard about it from claimed they were able to
verify it.

------
electic
Folks, this is becoming a common occurrence. Use a password generator and
password vault to protect against this type of scenario.

~~~
copperx
A password vault ties you to a particular computer or mobile device. It's
terribly inconvenient. But it's the best thing that we have today.

~~~
dangerlibrary
keepass + dropbox works ok.

~~~
exodust
keepass + dropbox is also my choice. There's (unofficial) keepass ports for
both android and iOS too which can connect to the dropbox app. I use both and
they work fine.

------
open-source-ux
As someone who isn't versed in security issues, can anyone explain how
security breaches like this one (and Adobe etc.) occur?

I'm assuming (and I may be completely wrong) that some kind of software
monitors if the database of customer details is being downloaded. If a
download is detected, an alert is issued. Does software like this exist? Or
are there other measures that guard against these data breaches?

~~~
icebraining
I'm not a security expert either, but I doubt most companies have anything
like that running. Many leaks happened through the site itself, which is
expected to be able to access and present that data, and even if the attacker
transfers an actual file, it's fairly easy to encrypt it beforehand.

There is some software that can detect an anomaly in the regular pattern of
network usage, and possibly even cut the connection, but again, I'm not sure
how effective they would be here.

In any case, considering they were using unsalted SHA-1 hashes of the
passwords, which was well known to be a poor practice, you should probably
assume they had very little protections.

------
sleepychu
I'm pretty sure the right move for me is going to be to just delete my
account. I mainly just receive recruiter spam from it.

------
awinter-py
beyond linkedin logins, they also have a zillion email passwords from the bad
old days before oauth.

------
JumpCrisscross
A useful HaveIBeenPwned feature would be a list of pwned passwords connected
to my email address.

Yes, I know - don't reuse and use a password manager. But not everyone follows
best practice. Knowing which password motifs to absolutely not reuse would be
helpful.
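Checking whether a password is in a known leak without handing the password to anyone (the risk jedmeyers points out with the Kaspersky checker) is possible with a range query over a hash prefix, the scheme the Pwned Passwords range endpoint (`https://api.pwnedpasswords.com/range/<prefix>`) uses: the client sends only the first five hex characters of SHA-1(password) and matches the rest locally. The block below is an added example for this thread, not Have I Been Pwned's code; the response body is constructed for the demo (the first suffix really is the rest of SHA-1("password"), the counts and other suffixes are made up), and the fetch function is an offline stand-in for the HTTP GET.

```python
import hashlib

# Constructed stand-in for the body returned for prefix "5BAA6": one
# "<remaining 35 hex chars>:<count>" line per known suffix. Counts and the
# other two suffixes are invented for this demo.
FAKE_RANGE_RESPONSE = (
    "0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n"
    "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
)


def fake_fetch_range(prefix):
    """Offline substitute for GET /range/<prefix>; a real client would do an HTTPS request here."""
    return FAKE_RANGE_RESPONSE if prefix == "5BAA6" else ""


def split_for_range_query(password):
    """Only the first 5 hex chars of SHA-1(password) leave the machine; the rest stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Map suffix -> occurrence count; tolerant of CRLF and blank lines."""
    table = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        table[suffix.upper()] = int(count)
    return table


def breach_count(password, fetch_range=fake_fetch_range):
    """How many times the password appears in the corpus (0 if unseen).
    The server learns one of 16^5 (about a million) buckets, never the password or its full hash."""
    prefix, suffix = split_for_range_query(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        print(f"{candidate!r}: seen {breach_count(candidate)} times")
```

A checker built this way can be offered on a signup form without the site (or a third party) ever seeing the candidate password, which is the property the Kaspersky page gives no evidence of having.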

------
tudorw
I've read zero reports of people breaking into houses, finding a piece of
paper down the back of the cabinet with lots of passwords on and no site
names, then using those passwords randomly to gain access to an unknown
system... A 'software' or 'online' password manager seems like a terrible
idea, all your eggs in one convenient basket, if Sony and VISA and the NSA are
unable to secure their systems 100% of the time I doubt the maker of your
software will fare much better over the long term.

~~~
tudorw
Maybe using a password manager is better than using the password "wizard007"
everywhere, including your HN account.

:P

//not-tudorw

~~~
tudorw
fair point :)

~~~
tudorw
While obviously fairly painful, am assuming that came from the Stratfor list?
While I concede a piece of paper is far from secure, I'm human and what I do
others do too; I would have fared better had I followed my own advice.
Conveniently your point does reinforce the key aspect of my comment, that if
Stratfor, a global intelligence company, can fall foul of security then there
really are very few safe ports to rely on harbouring your secrets ;) Btw,
thanks for not locking me out, gentlemanly of you.

------
mkhpalm
What's interesting to me is that their spams to change your password showed up
on a whole bunch of group email addresses I am a member of. So at some point
linkedin went and harvested email addresses that got to my inbox and made a
bunch of bad assumptions to include those as secondary addresses for me. I can
only assume it was their mobile app, which is now forever uninstalled on all
my devices. I simply cannot have them doing that.

------
jjm
For those that have forgotten,
[https://news.ycombinator.com/item?id=4073309](https://news.ycombinator.com/item?id=4073309)

Back then there were issues. If I remember correctly, there was some nodejs
even after this with no bcrypt.

------
gggggggg
Anyone know how I can get a copy of the list? I want to see if the
email/password combination I used back then is still in my regular circulation
on other sites.

------
DyslexicAtheist
Is it even verified that the data isn't again the warmed-up stuff that
surfaced from LinkedIn's 2012 breach? This is quite common these days.

------
misiti3780
this might be a dumb question - but if the password was unique to that account
AND you have 2 factor auth enabled, is there any reason you need to change the
password ?

So if some hacker somehow manages to backward engineer a salted-bcrypted-hash
of my unique password, he still can't get in without my cell phone.

~~~
nighthawk454
Perhaps they won't get into your account without your password _and_ phone.
However, you've reduced your 2-Factor to 1-Factor since the password is now
known. You're still relatively safe - at least safer than not having 2-Factor
auth - but changing passwords is cheaper than the risk of relying on 1-Factor
auth.

------
20andup
Just points out the fact that we should use password generators for all web
sites that require one.

------
noja
> test sample passwords with our password checker here.

And you just lost my trust Kaspersky, congratulations.

------
adamredwoods
2-step authentication?

------
ILoveMonads
I'm amazed LinkedIn is as big as it is. They have a big, new, building in
Sunnyvale and lots of employees--too many it seems for a simple social
network. I drive past their HQ a few times a week when I'm in Sunnyvale and
see their employees, who don't look like other tech employees, waddling down
the street to the McDonalds on the corner of Mathilda and Delray.

------
MikeJougrty
So basically, if I get interviewed by a company and I get asked why I don't
have a Linkedin account, am I legitimate to respond to them by saying that
Linkedin sucks in many different ways including password breach?

~~~
INTPenis
First off I'd be skeptical about working where they take your linkedin account
seriously. Secondly, no. Because everyone sucks, everyone can get hacked, why
don't you have a Facebook account, a Google account, it's only a matter of
time. No one is invincible.

