linkedin password hack - A different spin on the story

**Greenborn** · June 9th, 2012

Originally Posted by fatality_uk

BEFORE USING THIS TOOL, CHANGE YOUR PASSWORD!

So anyway, I was looking at the coverage and got this link to allow you to check if your password has been hacked.

https://lastpass.com/linkedin/

Now thinking, what do people use as passwords? So I tried "ubuntu", that came up as hacked. Then tried "linkedin", also came up. Tried a few more raunchy combinations and some general things like "iwantanewjob", "sunglasses" and "imahacker".

Amazing what people will use to store thier personal data!

My Linkedin password was hacked and it was not an easy one to hack (capital letters, lowercase letters, numbers, special signs, etc.). Changed now but, wtf Linkedin? Got security? Not.

**catlover2** · June 9th, 2012

Originally Posted by Greenborn

My Linkedin password was hacked and it was not an easy one to hack (capital letters, lowercase letters, numbers, special signs, etc.). Changed now but, wtf Linkedin? Got security? Not.

When someone acquires a list of usernames with password hashes like this, it makes no difference how good your password is. The password "a" is just as likely to be among the millons of hacked passwords as the password "jjaSSH455éèíıi$@/!ffjH^3#dHHDd."

**MadCow108** · June 10th, 2012

Originally Posted by catlover2

When someone acquires a list of usernames with password hashes like this, it makes no difference how good your password is. The password "a" is just as likely to be among the millons of hacked passwords as the password "jjaSSH455éèíıi$@/!ffjH^3#dHHDd."

no, a long password is still saver.
that site does not really tell you if the password has been cracked, it only compares the hashes using the password you give them.
So it only tells you if your password is in the list, and nothing more.

it takes considerably longer to crack longer passwords even if you have the hash. Even if they are not salted you need huge rainbow tables.
linkedin used sha1 hashes (not md5 like last.fm) so people also have a hard time using collision attacks as sha1 is vulnerable but still not cheap to break.

**roelforg** · June 10th, 2012

I'm telling ya, we should switch to hardware keys!

**CharlesA** · June 10th, 2012

Originally Posted by roelforg

I'm telling ya, we should switch to hardware keys!

RSA tokens you mean? Too expensive.

**Erik1984** · June 10th, 2012

Originally Posted by roelforg

I'm telling ya, we should switch to hardware keys!

Google already has two step authentication (so you need login credentials + mobile phone) I expect more big online services to provide such a login mechanism in the future.