Bryan Owen

6-Jun-2012 Password Purgatory

Blog Post created by Bryan Owen Employee on Jun 6, 2012

Many vCampus members are active in other social media communities such as LinkedIn. As such, today's news about a massive breach of LinkedIn user accounts might affect you. It's time to change your password, right?

Probably right for most of us, but surprisingly some security experts say not so fast. How could this be good advice?

One scenario assumes LinkedIn is totally pwned. If true, changing your LinkedIn password is a waste of cycles (or worse: if on reset you happen to pick a password you also use for accounts elsewhere in cyberspace, you have just exposed that one too).

That being said, if your normal practice is to use a common password across a certain genre of web sites, it is a good idea to change those other passwords. I'll confess, in my case, LinkedIn and Twitter were using the same password. Yes, that practice is past tense, as in dead and buried, with Twitter sporting the new password.

As for my LinkedIn password, it is reset but not used elsewhere, and assumed compromised until more details emerge. Certainly I expect we will learn more about the LinkedIn breach in the coming days.

In fact there is a bit more right now. Unfortunately, some poor security hygiene at LinkedIn has been reported: apparently passwords are stored as a straight, unsalted SHA1 hash, and hackers have posted millions of those hashes on the web like a trophy.

Out of curiosity, I wanted to check if my password was cracked. The first step was to compute the hash for my password. While there are plenty of utilities, like Microsoft Sysinternals Sigcheck, that compute hashes for files, I failed to find one for a password. So here is a code snippet that computes a hash for a given plaintext string:

Imports System
Imports System.Security.Cryptography
Imports System.Text

Public Module secaudit

    Sub Main()
        Dim pass As String = String.Empty

        Call ReadPlainText(pass)
        If pass.Length > 0 Then
            ' Hash the UTF-8 bytes of the plaintext, exactly as an unsalted store would
            Dim data() As Byte = Encoding.UTF8.GetBytes(pass)
            Dim sha1() As Byte

            Using sha As New SHA1CryptoServiceProvider()
                sha1 = sha.ComputeHash(data)
            End Using

            ' Render the 20-byte digest as 40 uppercase hex characters
            Dim sb As New StringBuilder(sha1.Length * 2)
            For Each b As Byte In sha1
                sb.Append(b.ToString("X2"))
            Next

            Console.WriteLine("SHA1:" & sb.ToString())
        End If
    End Sub

    ' Read the password without echoing it: ReadKey(True) suppresses the typed character
    Sub ReadPlainText(ByRef pass As String)
        Dim info As ConsoleKeyInfo

        Console.Write("Plaintext: ")
        Do
            info = Console.ReadKey(True)
            If info.Key = ConsoleKey.Enter Then
                Exit Do
            ElseIf info.Key = ConsoleKey.Backspace Then
                ' Let the user correct a typo: drop the last character and erase one asterisk
                If pass.Length > 0 Then
                    pass = pass.Substring(0, pass.Length - 1)
                    Console.Write(vbBack & " " & vbBack)
                End If
            Else
                pass &= info.KeyChar
                Console.Write("*"c)
            End If
        Loop
        Console.WriteLine()
    End Sub
End Module

You really don't need to write code, since this function is available on the web, but it just didn't feel right to enter my password on a hacking web page. Regardless, the very next place I went was to test the hash at a web site called md5decrypter.

The site has a fairly extensive set of tools: one form computes hashes, and another checks whether a given SHA1 hash has already been "decrypted", that is, cracked. Note that not all IT departments allow access to dual-use hacking tools such as those found at http://www.md5decrypter.co.uk.

 

Whether or not the hash is cracked on this site is a bit moot. An unsalted SHA1 hash is no match for today's computing power, and all LinkedIn passwords should be assumed compromised until more details are made public. However, this exercise does help illustrate one benefit of choosing a good password!

PS. Curiosity killed the cat. Indeed, my password was cracked.
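The same check done offline, as an added example that is not from the original post (Python rather than VB, since it is the quickest way to show the comparison): it computes the unsalted SHA1 exactly as the snippet above does, tests it against a constructed stand-in for the leaked list, and contrasts per-user salting to show why one leaked digest covers every account that chose that password. The "leaked" digests are constructed here from a few weak passwords, not taken from any real dump, and salting is shown only for contrast: a slow password hash (bcrypt, PBKDF2) is the proper fix.

```python
import hashlib
import os

# Constructed sample of leaked unsalted SHA1 digests (uppercase hex, the same
# form the VB snippet prints). Not from the real dump: just SHA1 of a few
# weak passwords, computed here so the example runs offline.
LEAKED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password", "123456", "linkedin", "qwerty")
}


def sha1_hex(password: str) -> str:
    """Unsalted SHA1 of the UTF-8 bytes, uppercase hex (matches the VB output)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def in_leak(password: str) -> bool:
    """Offline check: does this password's unsalted SHA1 appear in the leak set?"""
    return sha1_hex(password) in LEAKED_SHA1


def salted_sha1_hex(password: str, salt: bytes) -> str:
    """Per-user salted digest, for contrast with the unsalted storage."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest().upper()


def accounts_sharing_digest(accounts: dict, digest: str) -> list:
    """Usernames whose unsalted SHA1 equals one leaked digest. With unsalted
    storage a single digest maps to every account that chose that password,
    which is why a match on a common password does not identify any one
    account (the point of the note under Update1)."""
    return sorted(u for u, p in accounts.items() if sha1_hex(p) == digest)


def salted_digests(accounts: dict) -> dict:
    """Same accounts stored with a random 16-byte salt each: identical
    passwords no longer give identical digests, so a leaked table cannot be
    cracked for all users with one dictionary pass."""
    return {u: salted_sha1_hex(p, os.urandom(16)) for u, p in accounts.items()}


if __name__ == "__main__":
    # Constructed accounts; two of them share a weak password
    users = {"alice": "linkedin", "bob": "linkedin", "carol": "Tr0ub4dor&3xyz"}
    print("alice in leak:", in_leak(users["alice"]))
    print("carol in leak:", in_leak(users["carol"]))
    print("accounts behind one digest:", accounts_sharing_digest(users, sha1_hex("linkedin")))
    print("salted digests all distinct:", len(set(salted_digests(users).values())) == len(users))
```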

Update1: (forwarded from Paul Gusciora)

LinkedIn investigating reports that 6.46 million hashed passwords have leaked online (update): http://www.theverge.com/2012/6/6/3067523/linkedin-password-leak-online

Website http://www.leakedin.org/ will check if your password can be found on the list of stolen hashes. Bear in mind, if you have a common password, a positive result may not mean that your account has been compromised.

Slashdot discussion: LinkedIn Password Hashes Leaked Online
http://it.slashdot.org/story/12/06/06/1335228/linkedin-password-hashes-leaked-online


Update2: http://www.leakedin.org/ <--- be sure to use an "i" not an "l"; "i" is a legit site.

Update3: CNET is recommending https://lastpass.com/linkedin/
http://news.cnet.com/8301-1009_3-57449325-83/what-the-password-leaks-mean-to-you-faq/
