(BTW, be sure to type some gibberish into the provided box and hit submit, so you can see why I think this is a very relevant link.)
c. You agree to pay $ 100,000 for your use of the Estatis Free Password Security Checker if we ever ask for it.
> users who have already changed their passwords or created a new account won’t have to worry, as they have recently begun hashing and salting their current password databases.
Just submit your credit card number, CVV2 and expiration date and it'll check if it has been stolen over the internet for you
These people can be very very very evil.
python -c 'import hashlib; print(hashlib.sha1(b"PaSSw0rd").hexdigest())'
printf PaSSw0rd | sha1sum
> echo test
6730 echo test
python -c 'import hashlib; from getpass import getpass; s = hashlib.sha1(); s.update(getpass().encode()); print(s.hexdigest())'
python -c 'import hashlib; print(hashlib.sha1(b"reALpassWORD12%12").hexdigest())'
history -d $((HISTCMD-2))
David Sifry (founder of linuxcare) was my consultant on the issue - he was able to recover the password after some effort. I'll never forget what it was: Feet4monkey
Your post reminded me of that.
And it's hosted on S3 so it is faster :)
(easily downloadable == not the rapidshare of russia, something you could wget)
But I submitted the hash of my password and it's there so...
Click download, copy the URL from your browser into wget/axel/download manager. I get a solid 1mb/s from media fire.
(However, could everyone please stop making random websites encouraging people to type in their passwords from third party sites!)
I wonder what kind of bonkers executive at LI decided it would not be a good idea to do a sweeping wipe of all passwords on their systems...
for user in users:
    user.pw = random_password()  # replace every stored credential with a fresh random value, forcing a reset
Though I doubt any of the above will happen. Wouldn't want the user to be inconvenienced now would we?
A large forum I post on was hacked recently and - after voluntarily shutting their site down for a month - they required password resets. If users did not have access to the email address they signed up with and couldn't otherwise verify their identity, they were not allowed to get their account back.
Unsurprisingly, post counts are down site-wide and the owners have reported a > 25% decrease in traffic.
Of course all of those things can be used to gain access to the account by an attacker, without actually knowing the password. See the recent Cloudflare incident. Google will notify you about the recovery attempt, monitor for activity, and delay it for at least a week or so. So the attacker just has to wait till you go on an offline vacation ;)
Really though, for something as low key as a forum you’re entirely justified to offer recovery only via email. The email providers already offer all those alternative recovery options. And of course you should prefer OpenID to avoid the issue altogether.
> Unsurprisingly, post counts are down site-wide and the owners have reported a > 25% decrease in traffic.
That’s because they took the site down for a month!
Though, think of how much easier it would be to social-engineer a target were you to have full access to their LI account.
$ cat combo_not.txt | grep `printf linkedintrouble | sha1sum`
$ cat combo_not.txt | grep `printf nathanlinkedin | sha1sum`
$ cat combo_not.txt | grep `printf mypassword | sha1sum`
$ cat combo_not.txt | grep `printf yourpassword | sha1sum`
$ printf linkedintrouble | openssl sha1
Yes, I've read http://partmaps.org/era/unix/award.html#cat . The output of sha1sum already contains a trailing '-' which is something I wanted to feed into 'grep' using command substitution, so that 'grep' can now just accept the input stream from 'stdin'. Now, how do you feed the input to grep via 'stdin' if you don't want to use 'cat'?
$ printf linkedintrouble | openssl sha1 | cut -c10- | grep -f - combo_not.txt
printf linkedintrouble |sha1sum |sed 's/ .*//' |grep -f - combo_not.txt
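The one-liners above (hash the password with getpass so it stays out of shell history, then grep combo_not.txt for the digest) combined into one local check. This is an added example, not code from the thread; it assumes a dump file named combo_not.txt with one 40-character hex digest per line, and also matches entries whose first five hex characters were masked to 00000, which is how already-cracked entries appear in that dump.

```python
#!/usr/bin/env python3
"""Check a password against a local copy of a leaked SHA-1 list.

Added example, not from the thread.  The password is read with getpass,
so it never appears on the command line or in shell history, is hashed
locally and looked up in a file such as combo_not.txt; nothing is sent
anywhere.  Lookups also match entries whose first five hex characters
were masked to 00000 (how already-cracked entries appear in that dump).
"""
import hashlib
from getpass import getpass
from typing import Iterable, Set

MASK = "00000"
HEX = set("0123456789abcdef")

def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 hex digest, the scheme the leaked list used."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def load_hashes(lines: Iterable[str]) -> Set[str]:
    """One 40-hex-char entry per line; lower-case it and drop anything else."""
    table = set()
    for line in lines:
        h = line.strip().lower()
        if len(h) == 40 and set(h) <= HEX:
            table.add(h)
    return table

def is_leaked(password: str, table: Set[str]) -> bool:
    """True if the digest, or its 00000-masked form, is in the table."""
    h = sha1_hex(password)
    return h in table or (MASK + h[5:]) in table

# Constructed sample (not the real dump): a plain entry for "test",
# a masked entry for "password", and one unrelated filler line.
SAMPLE_DUMP = """\
a94a8fe5ccb19ba61c4c0873d391e987982fbbd3
000001e4c9b93f3f0682250b6cf8331b7ee68fd8
ffffffffffffffffffffffffffffffffffffffff
"""

if __name__ == "__main__":
    with open("combo_not.txt", encoding="ascii", errors="ignore") as f:
        table = load_hashes(f)
    pw = getpass("Password to check (not echoed, not logged): ")
    print("in the list" if is_leaked(pw, table) else "not in this list")
```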
Amahi (my startup) started experiencing lots of spamming accounts a little while ago. We started using blacklists and some heuristics to detect the spammers. Then we logged the attempts.
Some interesting things emerge.
* The vast majority of them have "super123" as the password
* The vast majority use emails from China (163.com, qq.com, etc.)
* They try twice in a row if the first attempt fails
* They try regularly
The suspicion is that they then sell these accounts in bulk for later action. We have seen them have these accounts sitting idle, with occasional logins to check if they still work. Then later they pounce, posting spam links, etc.
The level of sophistication of all this is rather troublesome ...
openssl dgst -sha1 password
will give you the hash you need. Mine has been leaked but not cracked, according to this site :-(.
echo -n "password" | openssl dgst -sha1
(If we can collect enough data points of whose passwords are on it or not, how old they are, and how complex the password was, we should be able to narrow down a potential date range for the list and the odds that the compromised list is full or partial.)
It's not clear to me how the file was sorted. Anyone have any ideas?
1. "not on the list" means "not in the hacker's possession". In other words, the compromised list is partial.
2. "not on the list" means hacker already has cracked it and didn't post for help.
Learning more about the kinds of passwords not on the list could help us determine which scenario is more likely. (If lots of complex passwords are not on the list, that is evidence the compromised list is partial. If only simple passwords or passwords of a certain pattern are not on the list, that is evidence the compromised list is complete and passwords that were already cracked were not posted.)
According to LI they started salting at some point. Simple hashing obviously won't match in that case but I guess the crackers have the salts so they can do the leg work themselves.
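Why "simple hashing won't match" once a site salts: the following is an added example, not code from the thread or from LinkedIn. It puts the unsalted SHA-1 scheme of the leaked list beside a per-user salted PBKDF2-HMAC-SHA256 record; the iteration count is an assumption.

```python
#!/usr/bin/env python3
"""Per-user salt defeats the 'hash it and grep the dump' check.

Added example, not from the thread.  Beside the unsalted SHA-1 used by the
leaked LinkedIn list (every user with the same password gets the same digest),
it stores passwords as PBKDF2-HMAC-SHA256 with a random 16-byte salt, so two
users with the same password get unrelated records and a leaked record can
only be attacked one account at a time.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 200_000  # assumption: tune to what your login path can afford

def unsalted_sha1(password: str) -> str:
    """The leaked scheme: no salt, one fast SHA-1 round."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iters>$<salt b64>$<digest b64>' with a fresh salt."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )

def verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_b64, dk_b64 = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown record format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             base64.b64decode(salt_b64), int(iters))
    return hmac.compare_digest(dk, base64.b64decode(dk_b64))

if __name__ == "__main__":
    # Two users who both chose "test": identical under SHA-1, distinct under PBKDF2.
    print(unsalted_sha1("test") == unsalted_sha1("test"))  # True
    a, b = make_record("test"), make_record("test")
    print(a == b, verify("test", a), verify("Test", a))  # False True False
```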
Annoyingly LI say that they've invalidated passwords on compromised accounts but I can see that's not the case. My password hash is in the list (random 20 char pw) but they didn't deactivate my password (I've obviously changed it now).
Well that's lovely. Just changed my LinkedIn password so hopefully no one had a chance to take advantage of that. Luckily I very recently switched to a new password scheme so my other accounts should be secure too.
No seriously, how in the world can we trust this website with our password? They don't even claim to keep your password a secret. For all we know this is a follow-up scam to extend the 6.5mil hacked hashes.
Having a very quick glance at the HTML source, it seems they hash it before it's sent to the site to check, but it easily might have been a scam. Or turn into one with a probability of 1 in 10, that still gets them many passwords while remaining trusted.
Also, torrent: http://www.seedpeer.me/download/linkedin_hashes/ad1e93a1aee2...
for example this tool says the word "test" hashes with the last 5 digits of 77136 whereas leaked in translates the word "test" to fbbd3. hmmm
'pooppants' is a confirmed hit. "World's Largest Professional Network". I like to imagine some suit with a cigar logging into look for new hires with that one.
I've changed it anyway on linkedin.
Transport layer security is a serious issue, especially for people prone to password reuse.
EDIT: Actually never mind, seems like it's much faster now.
To be safe, you should consider the SHA-1 hash of your LinkedIn password to be public, even if it's not one of these 6.5 million.
No, mine isn't in the list.
old password: ve78d9k6k
"Why don't you just tell me your password..."
"Check if your hash is still private and secure by sending us your hash."
Well, even if the hash was secure, it isn't now!
O get the whole database into the client
O ask the user to:
o reload the URL in PRIVATE browsing mode
o DISCONNECT from the network
o close the whole browser
o reopen the browser
o finally, clear flash cookies (how do I even do that?)
o Only then reconnect to the network
If the only answer to the objection against giving you the hash is that you don't ask for the username, you might as well ask for the password plaintext.
Sorry, the concept is pretty much dead on arrival.
Still, way to ship. (or 'nice shipping.' Should be our secret handshake :). Good luck on the next concept.