Wednesday, June 06, 2012

LinkedIn Password Hash Redux

This LinkedIn password hash leak has become a real storm of activity today. This post might not have much longevity, but I hope to quickly recap and summarize what we know, what we don't, what we guess and what we recommend. Everything here comes from correspondance on Twitter, blogs and what have you, so it should all be taken with a grain of salt (pun not intended).

What we know:
  • 6.5 Million password hashes were posted on a password cracking website. The author said they were from LinkedIn and that they were unsalted SHA-1 format. Some of the hashes had several digits zeroed out. 
  • No account names were included with the post, meaning it's not possible to link the passwords to accounts with the data found.
  • LinkedIn has been investigating whether there was an internal breach, but has not yet publicly acknowledged anything they have found.
  • LinkedIn has said that "some of the passwords that were compromised correspond to LinkedIn accounts." However, this statement is sufficiently vague that it could mean nothing more than common passwords are used for LinkedIn and found in the compromised data.
  • Many security researchers who use unique passwords for LinkedIn and no other site have found those passwords in the leaked data. These passwords are said to be highly unlikely to be used by anyone else.
  • An Android app update occurred shortly after the breach was discovered. However, it's unclear if the two events are related.
  • A security vulnerability in the LinkedIn iOS app reported today does not call out password security as an issue.
What we don't:
  • We don't know whether there was a breach at LinkedIn or not. Likely they haven't yet completed their internal investigation.
  • We don't yet know if more information was leaked, such as account names, credit card numbers or other private information.
  • We don't know if more accounts have been exposed than those found in the original source.
  • We don't know if there is an active vulnerability that could be exploited again to gain access to more password hashes.
What we guess:
  • Mikko Hypponen has suggested that the list may have come from a LinkedIn web interface vulnerability, but was simply speculation based on past breaches.
  • Researchers have speculated that passwords that have digits zeroed out have already been compromised, or that they are used for banned passwords.
  • There has been speculation that some password hashes are not from LinkedIn, though it's hard to find evidence either way.
  • There has been speculation that the 6.5 Million passwords may cover all accounts on LinkedIn, due to some passwords being used by many different people. However, a number of people have reported that their password was not found among those leaked.
  • Some reports suggest the leaked passwords may be 6 months old.
What we recommend:
  • If you have a LinkedIn account, change your password soon. Make it something strong. LinkedIn published some very generic account and password security suggestions, but I prefer the excellent xkcd panel on passwords.
  • Many security professionals have called for LinkedIn to begin adding a salt value in their password hashing process, in order to strengthen security. 
  • Other security professionals have mentioned specific password storage mechanisms built into programming languages which represent the latest techniques in thwarting password cracking, such as bcrypt, scrypt and PBKDF2. This has the added benefit of reducing the risk of an improper implementation which could itself lead to security issues.
  • Two sites have been set up to check your password against the list. The sites appear to be safe, in that they won't steal your password, but for the paranoid you can also submit the password hash. I don't personally recommend that anyone do this, unless you have already changed your LinkedIn password and it was unique. But it's fun to look for possible passwords!  

No comments: