Many vCampus members are active in other social media communities such as LinkedIn. As such, today's news about a massive breach of LinkedIn user accounts might affect you. It's time to change your password, right?
Probably right for most of us, but surprisingly some security experts say not so fast. How could this be good advice?
One scenario assumes LinkedIn is totally pwned, meaning the attackers still have a foothold in the site. If true, changing your LinkedIn password is a waste of cycles: the new password lands in the same compromised system as the old one (or worse, if on reset you happen to type in a password that you also use for accounts elsewhere in cyberspace, you have now exposed that one too).
That being said, if your normal practice is to use a common password across a certain web site genre, it is a good idea to change those other passwords. I'll confess, in my case, LinkedIn and Twitter were using the same password. Yes, that practice is past tense, as in dead and buried, with Twitter sporting a new password.
As for my LinkedIn password, it is reset but not used elsewhere and assumed compromised until more details emerge. Certainly I expect we will learn more about the LinkedIn breach in the coming days.
In fact there is a bit more right now. Unfortunately some poor security hygiene at LinkedIn has been reported. Apparently passwords were stored as a straight unsalted SHA1 hash, which means every account that chose the same password has the same hash, and one wordlist run over the dump cracks all of them at once. Hackers have posted millions of the hashes on the web like a trophy.
Out of curiosity, I wanted to check if my password was cracked. The first step was to compute the hash for my password, the same unsalted SHA1 LinkedIn is reported to have stored. While there are plenty of utilities like Microsoft Sysinternals Sigcheck that compute hashes for files, I failed to find one for a password. So here is a code snippet that computes the SHA1 hash of a given plaintext string:
Imports System
Imports System.Security.Cryptography
Imports System.IO
Imports System.Text

Public Module secaudit

    Sub Main()
        Dim data() As Byte
        Dim sha1() As Byte
        Dim pass As String = String.Empty

        ' Read the password from the console without echoing it
        Call ReadPlainText(pass)

        If pass.Length > 0 Then
            'Console.WriteLine("pass:" & pass)
            ' Hash the UTF-8 bytes of the plaintext, no salt, exactly as reported for LinkedIn
            data = Encoding.UTF8.GetBytes(pass)
            Dim sha As New SHA1CryptoServiceProvider()
            sha1 = sha.ComputeHash(data)

            ' Render the 20-byte digest as 40 uppercase hex characters
            Dim sb As New StringBuilder(sha1.Length * 2)
            For Each b As Byte In sha1
                sb.Append(b.ToString("X2"))
            Next
            Console.WriteLine("SHA1:" & sb.ToString())
        End If
    End Sub

    ' Reads keystrokes until Enter, printing "*" in place of each character
    Sub ReadPlainText(ByRef pass As String)
        Dim info As ConsoleKeyInfo
        'use ReadKey for computing password hashes
        Console.Write("Plaintext: ")
        Do
            info = Console.ReadKey(True)
            If info.Key = ConsoleKey.Enter Then
                Exit Do
            Else
                pass &= info.KeyChar
                Console.Write("*"c)
            End If
        Loop
        Console.WriteLine()
    End Sub

End Module
You really don't need to write code, since this function is available on the web, but it just didn't feel right to enter my password on a hacking web page. Regardless, the very next place I went was to test the hash at a web site called md5decrypter.
The site has a fairly extensive set of tools. One form will compute hashes for you. Another will check whether a SHA1 hash has already been "decrypted" (a hash is not decrypted, it is looked up in a table of previously cracked values or brute forced, but the effect is the same). Note, not all IT departments allow access to dual use hacking tools, such as those found at http://www.md5decrypter.co.uk.
Whether or not the hash is cracked on this site is a bit moot. Unsalted SHA1 is far too fast for today's computing power (a single GPU can try billions of candidates per second, and without a salt every guess is tested against the whole dump at once), so all LinkedIn passwords should be assumed compromised until more details are made public. However, this exercise does help illustrate one benefit of choosing a good password: a long, uncommon password is simply not in anyone's wordlist.
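As an added example (my own code for this post, not the VB snippet above and nothing taken from LinkedIn or the lookup sites), here is the same hash-and-lookup in Python, run against a constructed stand-in for the posted dump instead of the real leaked file. It also runs a small dictionary attack to show why a dump of unsalted hashes cracks in one pass over the wordlist no matter how many accounts it holds, while a per-user salt (which LinkedIn reportedly did not use) multiplies the attacker's work by the number of accounts. The plaintexts, the dump text, the wordlist and all function names are constructed for illustration.

```python
import hashlib
import os
from typing import Dict, Iterable, List, Set, Tuple


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 of the UTF-8 encoded password as 40 lowercase hex chars.

    Same computation as the VB.NET snippet earlier in the post
    (Encoding.UTF8.GetBytes -> SHA1 -> hex); only the hex case differs.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def load_hash_list(lines: Iterable[str]) -> Set[str]:
    """Normalize a posted dump (one hex digest per line, any case) for lookup."""
    hashes: Set[str] = set()
    for line in lines:
        h = line.strip().lower()
        if len(h) == 40 and all(c in "0123456789abcdef" for c in h):
            hashes.add(h)
    return hashes


def is_leaked(password: str, leaked_hashes: Set[str]) -> bool:
    """Is the unsalted SHA-1 of this password in the dump?  (The check the
    lookup sites in the post offer, done locally so the password never leaves
    your machine.)"""
    return sha1_hex(password) in leaked_hashes


def dictionary_attack(leaked_hashes: Set[str],
                      wordlist: Iterable[str]) -> Tuple[Dict[str, str], int]:
    """Crack unsalted hashes with a wordlist.

    Returns ({digest: plaintext}, number_of_hashes_computed).  With no salt,
    each guess is hashed once and compared against the whole dump at once,
    so the cost is one hash per wordlist entry however many accounts leaked.
    """
    cracked: Dict[str, str] = {}
    computed = 0
    for word in wordlist:
        digest = sha1_hex(word)
        computed += 1
        if digest in leaked_hashes:
            cracked[digest] = word
    return cracked, computed


def salted_sha1_hex(salt: bytes, password: str) -> str:
    """SHA-1 over salt || password: the minimal per-user salting LinkedIn lacked."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def build_salted_leak(plaintexts: Iterable[str], salt_len: int = 16) -> List[Tuple[bytes, str]]:
    """Constructed dump in which every account got its own random salt."""
    leak: List[Tuple[bytes, str]] = []
    for p in plaintexts:
        salt = os.urandom(salt_len)
        leak.append((salt, salted_sha1_hex(salt, p)))
    return leak


def dictionary_attack_salted(leaked: List[Tuple[bytes, str]],
                             wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """The same wordlist against per-user salted hashes.

    Each guess must be re-hashed for every salt, so the work is
    len(wordlist) * accounts instead of len(wordlist).  A weak password is
    still found; the salt just removes the attacker's bulk discount.
    """
    cracked: Dict[str, str] = {}
    computed = 0
    for salt, digest in leaked:
        for word in wordlist:
            computed += 1
            if salted_sha1_hex(salt, word) == digest:
                cracked[digest] = word
                break
    return cracked, computed


# Constructed stand-in for the posted dump: a few plaintexts hashed the way the
# post describes (straight unsalted SHA-1), written out as uppercase hex lines
# the way a cracking site would receive them.  Not LinkedIn data.
LEAKED_PLAINTEXTS = ["password", "123456", "linkedin", "qwerty", "vCampus-2012-rose-tungsten"]
LEAKED_DUMP = "\n".join(sha1_hex(p).upper() for p in LEAKED_PLAINTEXTS)
LEAKED_HASHES = load_hash_list(LEAKED_DUMP.splitlines())

# Constructed wordlist of the kind a cracking site runs against a posted dump.
WORDLIST = ["letmein", "password", "123456", "qwerty", "linkedin", "welcome"]


if __name__ == "__main__":
    print("SHA1:" + sha1_hex("password").upper())  # same line the VB snippet prints
    print("leaked?", is_leaked("password", LEAKED_HASHES))
    cracked, n = dictionary_attack(LEAKED_HASHES, WORDLIST)
    print(f"unsalted: {len(cracked)}/{len(LEAKED_HASHES)} cracked in {n} hash computations")
    cracked_s, n_s = dictionary_attack_salted(build_salted_leak(LEAKED_PLAINTEXTS), WORDLIST)
    print(f"salted:   {len(cracked_s)}/{len(LEAKED_PLAINTEXTS)} cracked in {n_s} hash computations")
```

Run it and the four common passwords fall in six hash computations against the unsalted dump and twenty against the salted one, while the long made-up passphrase survives both: the salt changes the attacker's cost per account, but only the password's absence from the wordlist keeps it uncracked.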
PS. Curiosity killed the cat. Indeed, my password was cracked.
Update1: (forwarded from Paul Gusciora)
LinkedIn investigating reports that 6.46 million hashed passwords have leaked online (update) http://www.theverge.com/2012/6/6/3067523/linkedin-password-leak-online
Website http://www.leakedin.org/ will check if your password can be found on the list of stolen hashes. Bear in mind that if you have a common password, a positive result may not mean that your account has been compromised.
Slashdot discussion: LinkedIn Password Hashes Leaked Online
Update2: http://www.leakedin.org/ <--- be sure to use an "i" not an "l"; the "i" site is the legit one.
Update3: CNET is recommending https://lastpass.com/linkedin/