Bitcoin Forum
Author Topic: [Password Leak] LinkedIn database hacked  (Read 10306 times)
i_rape_bitcoins
Member
Activity: 70
June 06, 2012, 07:13:12 PM
 #1

This morning, a dump of unique passwords from LinkedIn databases had been posted. From the dump, it is revealed that password hashes did not include a salt. This allows the attacker to generate a rainbow table that is valid with all the hashes. So expect your password compromised. (feel the same as if your password were leaked plain-text)

If you have a LinkedIn account and use the same password for other services (such as mtgox), please change your password. If you are unsure, visit LeakedIn to check.

More news here: https://news.ycombinator.com/item?id=4073309

gweedo
Legendary
Activity: 1246
June 06, 2012, 07:15:32 PM
 #2

And remember to always salt your passwords ;)

kjlimo
Legendary
Activity: 1498
June 06, 2012, 07:29:22 PM
 #3

Quote from: gweedo
And remember to always salt your passwords ;)

Who salts a password?  Is that something I have to do when creating a password, or is that directed at the password manager to make sure to salt the passwords?

mcorlett
Donator
Sr. Member
Activity: 308
June 06, 2012, 07:30:12 PM
 #4

Quote from: kjlimo
Is that something I have to do when creating a password, or is that directed at the password manager to make sure to salt the passwords?

The latter.

ErebusBat
Hero Member
Activity: 560
June 06, 2012, 07:31:56 PM
 #5

Quote from: kjlimo
Who salts a password?  Is that something I have to do when creating a password, or is that directed at the password manager to make sure to salt the passwords?

kjlimo,

It is, unfortunately, up to the website operator to do.  The safest thing you can do as a consumer is use a random password at each site.

TangibleCryptography
Sr. Member
Activity: 476
June 06, 2012, 07:37:38 PM
 #6

Honestly I feel it is going to take companies being forced to publicly disclose their exact mechanism for storing passwords and face civil penalties for inaccurate disclosures. I mean it is 2012 not 1971. There is absolutely no possible excuse for not using bcrypt (or similar), much less not even salting the passwords. Security through obscurity is no security at all.

Maybe we can get such information from Bitcoin websites via public pressure.

So major Bitcoin businesses and exchanges how are you storing your passwords?
MtGox?
CampBX?
Bitcointalk?
Bitmit?
Deepbit?
Bitcoinica?

Any volunteers?
nimda
Hero Member
Activity: 784
June 06, 2012, 07:47:34 PM
 #7

Goddammit, I can't find a mirror of the leak.
Oh, found it. This is fun.

gweedo
Legendary
Activity: 1246
June 06, 2012, 07:48:40 PM
 #8

Quote from: TangibleCryptography
Bitcointalk?

bitcointalk salts their passwords since I saw a thread talking about it

weex
Legendary
Activity: 1063
June 06, 2012, 07:52:31 PM
 #9

CoinDL and ExchB both use salt and multiple rounds of hashing.

realnowhereman
Hero Member
Activity: 504
June 06, 2012, 07:55:28 PM
 #10

Quote from: i_rape_bitcoins
If you have a LinkedIn account and use the same password for other services (such as mtgox), please change your password. If you are unsure, visit LeakedIn to check.

Seriously people: don't go to LEAKEDin and type your password.  Whether it's honest or not, you gain nothing from potentially handing your password over to some random site on the Internet.

i_rape_bitcoins
Member
Activity: 70
June 06, 2012, 08:07:39 PM
 #11

Quote from: realnowhereman
Quote from: i_rape_bitcoins
If you have a LinkedIn account and use the same password for other services (such as mtgox), please change your password. If you are unsure, visit LeakedIn to check.

Seriously people: don't go to LEAKEDin and type your password.  Whether it's honest or not, you gain nothing from potentially handing your password over to some random site on the Internet.


"Just provide your password (which we hash with JavaScript; view source to verify) or a SHA-1 hash of your password below, and we'll check."

browser hashes password -----sends to server-----> server replies if hash matches.


theymos
Administrator
Legendary
Activity: 2492
June 06, 2012, 08:08:27 PM
 #12

Quote from: TangibleCryptography
Bitcointalk?

SMF uses SHA-1 hashes salted with the username. Not the greatest, though better than LinkedIn. (I'm trying to improve our password security.)

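As an added illustration that is not code from any poster, from LinkedIn or from SMF, the following contrasts the three storage schemes this thread discusses: unsalted SHA-1 (LinkedIn), SHA-1 salted with the username as theymos describes SMF doing, and a per-account random salt with an iterated hash standing in for the bcrypt that TangibleCryptography recommends (PBKDF2 from the Python standard library). The account list is constructed, and the username+password concatenation order used for the SMF-style scheme is an assumption.

```python
import hashlib
import hmac
import os

# Constructed sample accounts for this example; two of them share a weak password.
USERS = {"alice": "Summer2012", "bob": "Summer2012", "carol": "correcthorse"}


def unsalted_sha1(username: str, password: str) -> str:
    """LinkedIn-style storage as the thread describes it: SHA-1 of the password alone.
    Equal passwords give equal hashes, so one precomputed table covers every account."""
    return hashlib.sha1(password.encode()).hexdigest()


def username_salted_sha1(username: str, password: str) -> str:
    """SMF-style storage as theymos describes it: SHA-1 over username + password
    (the concatenation order is an assumption). Accounts no longer share hashes, but
    the salt is public and predictable and SHA-1 remains fast to brute-force."""
    return hashlib.sha1((username.lower() + password).encode()).hexdigest()


def slow_salted_hash(password: str, salt: bytes, rounds: int = 100_000) -> str:
    """Per-account random salt plus an iterated hash. PBKDF2-HMAC-SHA256 from the
    standard library stands in for the bcrypt ("or similar") the thread recommends."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds).hex()


def make_record(password: str) -> tuple:
    """What a site should store for an account: (salt, hash), with a fresh salt each time."""
    salt = os.urandom(16)
    return salt, slow_salted_hash(password, salt)


def verify(password: str, salt: bytes, stored: str) -> bool:
    """Login check: recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(slow_salted_hash(password, salt), stored)


def distinct_hashes(scheme) -> int:
    """How many distinct values a leaked dump of USERS would contain under a scheme."""
    return len({scheme(u, p) for u, p in USERS.items()})


if __name__ == "__main__":
    print("unsalted SHA-1:", distinct_hashes(unsalted_sha1))                # 2: alice and bob collide
    print("username-salted SHA-1:", distinct_hashes(username_salted_sha1))  # 3
    salt, stored = make_record("Summer2012")
    print("random-salt record verifies:", verify("Summer2012", salt, stored))  # True
```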
realnowhereman
Hero Member
Activity: 504
June 06, 2012, 08:11:25 PM
 #13

Quote from: i_rape_bitcoins
"Just provide your password (which we hash with JavaScript; view source to verify) or a SHA-1 hash of your password below, and we'll check."

browser hashes password -----sends to server-----> server replies if hash matches.

Oh that's okay then... as long as it says "we're honest" on the website, it must be fine.

mcorlett
Donator
Sr. Member
Activity: 308
June 06, 2012, 08:14:00 PM
 #14

Quote from: realnowhereman
Quote from: i_rape_bitcoins
"Just provide your password (which we hash with JavaScript; view source to verify) or a SHA-1 hash of your password below, and we'll check."

browser hashes password -----sends to server-----> server replies if hash matches.

Oh that's okay then... as long as it says "we're honest" on the website, it must be fine.

The source is available for anyone to read.

gweedo
Legendary
Activity: 1246
June 06, 2012, 08:16:48 PM
 #15

Quote from: mcorlett
Quote from: realnowhereman
Quote from: i_rape_bitcoins
"Just provide your password (which we hash with JavaScript; view source to verify) or a SHA-1 hash of your password below, and we'll check."

browser hashes password -----sends to server-----> server replies if hash matches.

Oh that's okay then... as long as it says "we're honest" on the website, it must be fine.

The source is available for anyone to read.

Just change your password on linkedin, then you don't need to worry about if the source is readable or anything. Problem Solved :)

epetroel
Sr. Member
Activity: 428
June 06, 2012, 08:18:37 PM
 #16

I expect that they didn't get all users' passwords.

I downloaded the leaked text file and verified that the hash of my password was NOT in there.  Checked the hash of another friend from work here, and his wasn't either.  So either they didn't get all the passwords, they got all the passwords but didn't release all of them, or the list is a fake.  Probably one of the first two (I doubt it's a fake).

EDIT: Also, usernames were not included in the file.  So either they don't have the usernames to go with the passwords or more likely they have them but just didn't release them.  Probably just waiting to sell the username+password hash list to the highest bidder.
Serge
Legendary
Activity: 1050
June 06, 2012, 08:48:49 PM
 #17

they got 6.5 mil out of 150 million users
epetroel
Sr. Member
Activity: 428
June 06, 2012, 08:55:35 PM
 #18

Quote from: Serge
they got 6.5 mil out of 150 million users

Well, there were 6.5 million distinct passwords.  Considering many users pick the same bad passwords, that very likely represents a lot more than 6.5 million users.
Serenata
Sr. Member
Activity: 251
June 06, 2012, 09:03:00 PM
 #19

Quote from: ErebusBat
Quote from: kjlimo
Who salts a password?  Is that something I have to do when creating a password, or is that directed at the password manager to make sure to salt the passwords?

kjlimo,
It is, unfortunately, up to the website operator to do.  The safest thing you can do as a consumer is use a random password at each site.

+1
Cool tool for the job > Keepass

justusranvier
Legendary
Activity: 1400
June 06, 2012, 09:03:20 PM
 #20

Quote from: ErebusBat
The safest thing you can do as a consumer is use a random password at each site.
Doing that is much easier with a dedicated password manager, like LastPass.