Bitcoin Forum
Author Topic: [Password Leak] LinkedIn database hacked  (Read 12910 times)
i_rape_bitcoins (OP)
Member
June 06, 2012, 07:13:12 PM
#1

This morning, a dump of unique passwords from LinkedIn databases was posted. From the dump, it is revealed that the password hashes did not include a salt. This allows the attacker to generate a rainbow table that is valid against all the hashes. So expect your password to be compromised (treat it the same as if your password had been leaked in plain text).

If you have a LinkedIn account and use the same password for other services (such as mtgox), please change your password. If you are unsure, visit LeakedIn to check.

More news here: https://news.ycombinator.com/item?id=4073309

~I_RAPE_BITCOINS~
kjlimo
Legendary
June 06, 2012, 07:29:22 PM
#2

And remember to always salt your passwords ;)

Who salts a password?  Is that something I have to do when creating a password, or is that directed at the password manager to make sure to salt the passwords?

Coinbase for selling BTCs
Fold for spending BTCs
PM me with any questions on these sites/apps!  http://www.montybitcoin.com


or Vircurex for trading alt cryptocurrencies like DOGEs
CoinNinja for exploring the blockchain.
mcorlett
Donator, Sr. Member
June 06, 2012, 07:30:12 PM
#3

> Is that something I have to do when creating a password, or is that directed at the password manager to make sure to salt the passwords?

The latter.

ErebusBat
Hero Member
June 06, 2012, 07:31:56 PM
#4

> Who salts a password?  Is that something I have to do when creating a password, or is that directed at the password manager to make sure to salt the passwords?

kjlimo,

It is, unfortunately, up to the website operator to do.  The safest thing you can do as a consumer is use a random password at each site.

░▒▓█ Coinroll.it - 1% House Edge Dice Game █▓▒░ • Coinroll Thread • *FREE* 100 BTC Raffle

Signup for CEX.io BitFury exchange and get GHS Instantly!  Don't wait for shipping, mine NOW!
TangibleCryptography
Sr. Member
June 06, 2012, 07:37:38 PM
#5

Honestly I feel it is going to take companies being forced to publicly disclose their exact mechanism for storing passwords and face civil penalties for inaccurate disclosures.   I mean it is 2012, not 1971.  There is absolutely no possible excuse for not using bcrypt (or similar), much less not even salting the passwords.     Security through obscurity is no security at all.

Maybe we can get such information from Bitcoin websites via public pressure.

So major Bitcoin businesses and exchanges how are you storing your passwords?
MtGox?
CampBX?
Bitcointalk?
Bitmit?
Deepbit?
Bitcoinica?

Any volunteers?
nimda
Hero Member
June 06, 2012, 07:47:34 PM
#6

Goddammit, I can't find a mirror of the leak.
Oh, found it. This is fun.
weex
Legendary
June 06, 2012, 07:52:31 PM
#7

CoinDL and ExchB both use salt and multiple rounds of hashing.
realnowhereman
Hero Member
June 06, 2012, 07:55:28 PM
#8

> If you have a LinkedIn account and use the same password for other services (such as mtgox), please change your password. If you are unsure, visit LeakedIn to check.

Seriously people: don't go to LEAKEDin and type your password.  Whether it's honest or not, you gain nothing from potentially handing your password over to some random site on the Internet.

1AAZ4xBHbiCr96nsZJ8jtPkSzsg1CqhwDa
i_rape_bitcoins (OP)
Member
June 06, 2012, 08:07:39 PM
#9

> > If you have a LinkedIn account and use the same password for other services (such as mtgox), please change your password. If you are unsure, visit LeakedIn to check.
>
> Seriously people: don't go to LEAKEDin and type your password.  Whether it's honest or not, you gain nothing from potentially handing your password over to some random site on the Internet.


"Just provide your password (which we hash with JavaScript; view source to verify) or a SHA-1 hash of your password below, and we'll check."

browser hashes password -----sends to server-----> server replies if hash matches.


~I_RAPE_BITCOINS~
theymos
Administrator, Legendary
June 06, 2012, 08:08:27 PM
#10

> Bitcointalk?

SMF uses SHA-1 hashes salted with the username. Not the greatest, though better than LinkedIn. (I'm trying to improve our password security.)

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
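An added example, not code from the thread or from any of the sites named in it, showing the OP's point that without a salt one precomputed table resolves every record in a dump at once, against the per-account random salt plus slow KDF that TangibleCryptography's and theymos's posts point toward. The password list and the "dump" are constructed sample data; PBKDF2-HMAC-SHA256 is an assumed choice of slow hash.

```python
import hashlib
import hmac
import os

# Constructed sample data standing in for the leaked file: unsalted SHA-1
# hex digests and nothing else, the format the thread describes.
COMMON_PASSWORDS = ["123456", "linkedin", "password1", "letmein"]
SAMPLE_DUMP = [hashlib.sha1(p.encode()).hexdigest()
               for p in ["linkedin", "letmein", "correct horse battery staple"]]

def build_lookup(candidates):
    """Precompute hash -> password once. Because no salt is mixed in, this
    single table applies to every record in the dump at the same time."""
    return {hashlib.sha1(p.encode()).hexdigest(): p for p in candidates}

def recover_unsalted(dump, table):
    """Each dump entry is resolved with one dictionary lookup (or not at all)."""
    return {h: table[h] for h in dump if h in table}

def store_hardened(password, iterations=100_000):
    """Hardened storage: a random 16-byte salt per account plus a slow KDF
    (PBKDF2-HMAC-SHA256 here; bcrypt, scrypt or Argon2 are equally good).
    Returns the record the database would keep for this account."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "digest": digest, "iterations": iterations}

def verify_hardened(password, record):
    """Login check: recompute with the stored salt, compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])

def table_hits(records, table):
    """How many hardened records the precomputed SHA-1 table resolves: none,
    since each stored digest depends on its own random salt and a different
    function, so a table built once cannot be reused across accounts."""
    return sum(1 for r in records if r["digest"].hex() in table)

if __name__ == "__main__":
    table = build_lookup(COMMON_PASSWORDS)
    print(recover_unsalted(SAMPLE_DUMP, table))   # two of three resolved at once
    recs = [store_hardened(p) for p in ["linkedin", "letmein"]]
    print(table_hits(recs, table))                # 0
    print(verify_hardened("linkedin", recs[0]))   # True
```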
realnowhereman
Hero Member
June 06, 2012, 08:11:25 PM
#11

> "Just provide your password (which we hash with JavaScript; view source to verify) or a SHA-1 hash of your password below, and we'll check."
>
> browser hashes password -----sends to server-----> server replies if hash matches.



Oh that's okay then... as long as it says "we're honest" on the website, it must be fine.

1AAZ4xBHbiCr96nsZJ8jtPkSzsg1CqhwDa
mcorlett
Donator, Sr. Member
June 06, 2012, 08:14:00 PM
#12

> > "Just provide your password (which we hash with JavaScript; view source to verify) or a SHA-1 hash of your password below, and we'll check."
> >
> > browser hashes password -----sends to server-----> server replies if hash matches.
>
> Oh that's okay then... as long as it says "we're honest" on the website, it must be fine.

The source is available for anyone to read.

epetroel
Sr. Member
June 06, 2012, 08:18:37 PM
#13

I expect that they didn't get all user's passwords.  

I downloaded the leaked text file and verified that the hash of my password was NOT in there.  Checked the hash of another friend from work here, and his wasn't either.  So either they didn't get all the passwords, they got all the passwords but didn't release all of them, or the list is a fake.  Probably one of the first two (I doubt it's a fake).

EDIT: Also, usernames were not included in the file.  So either they don't have the usernames to go with the passwords or more likely they have them but just didn't release them.  Probably just waiting to sell the username+password hash list to the highest bidder.
Serge
Legendary
June 06, 2012, 08:48:49 PM
#14

They got 6.5 million out of 150 million users.
epetroel
Sr. Member
June 06, 2012, 08:55:35 PM
#15

> They got 6.5 million out of 150 million users.

Well, there were 6.5 million distinct passwords.  Considering many users pick the same bad passwords, that very likely represents a lot more than 6.5 million users.
Serenata
Sr. Member
June 06, 2012, 09:03:00 PM
#16

> > Who salts a password?  Is that something I have to do when creating a password, or is that directed at the password manager to make sure to salt the passwords?
>
> kjlimo,
> It is, unfortunately, up to the website operator to do.  The safest thing you can do as a consumer is use a random password at each site.

+1
Cool tool for the job: KeePass

BitcoinX.gr - The Greek Bitcoin hangout

My GPG Key
justusranvier
Legendary
June 06, 2012, 09:03:20 PM
#17

> The safest thing you can do as a consumer is use a random password at each site.
Doing that is much easier with a dedicated password manager, like LastPass.
Xenland
Legendary
June 06, 2012, 09:08:00 PM
#18

http://CheaperInBitcoins.com salts its passwords with 254 random characters, uniquely per account, along with appending another salt that is the customer's ID# multiplied by an undisclosed number, on top of requiring users/merchants/customers to use a password of 10 characters or more. So, to visualise the hashing, it would look something like this in pseudocode:
Code:
hash("sha512", <random 254 characters> (<user_id> * <undisclosed number>) <customer/username password>)
Steve
Hero Member
June 06, 2012, 09:08:50 PM
#19

> > > > "Just provide your password (which we hash with JavaScript; view source to verify) or a SHA-1 hash of your password below, and we'll check."
> > > >
> > > > browser hashes password -----sends to server-----> server replies if hash matches.
> > >
> > > Oh that's okay then... as long as it says "we're honest" on the website, it must be fine.
> >
> > The source is available for anyone to read.
>
> Just change your password on linkedin, then you don't need to worry about if the source is readable or anything. Problem Solved :)

Uhhh…as well as every other site where you may have happened to use the same username and password.  People really do need a way of testing whether specific passwords are in that list…because many may have forgotten what password they used (with browser autofill, etc) and if they reset it, well, that doesn't tell them which password has been compromised.  Otherwise, they may need to change every password on every site, which can be tedious.

Just more justification to use unique, generated passwords on every site.

(gasteve on IRC) Does your website accept cash? https://bitpay.com
Steve
Hero Member
June 06, 2012, 09:16:04 PM
#20

> > The safest thing you can do as a consumer is use a random password at each site.
>
> Doing that is much easier with a dedicated password manager, like LastPass.

I prefer to use something that generates a password from a master instead of storing any passwords anywhere.  Here's one such solution:
http://passwordmaker.org/passwordmaker.html

You enter a master password and other details (like the domain name and user id) then it uses a hash function to generate a password that doesn't need to be stored anywhere.  It does all of that on the client, in the browser and you can access it from any computer with an internet connection and a browser (only on a computer you trust of course).

(gasteve on IRC) Does your website accept cash? https://bitpay.com
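An added example, not PasswordMaker's own algorithm and not code from the thread, of the derived-password idea Steve describes: a master password plus public context (domain, user id) is run through a hash and the per-site password is regenerated on demand rather than stored. The alphabet, the NUL-separated salt layout, the rotation counter and the use of PBKDF2-HMAC-SHA256 as the slow hash are assumptions of this illustration.

```python
import hashlib
import string

# Output alphabet (70 symbols). Assumed design choice, not PasswordMaker's own.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"

def derive_site_password(master: str, domain: str, user_id: str,
                         counter: int = 0, length: int = 20,
                         iterations: int = 200_000) -> str:
    """Derive one site's password from the master secret and public context.

    Nothing is stored: the same (master, domain, user_id, counter) always
    reproduces the same password, and a different domain or user id gives
    an unrelated one. The slow KDF makes guessing the master from a leaked
    derived password expensive; the counter is how one site's password is
    rotated without touching the master. The derived passwords are still
    only as strong as the master they all descend from.
    """
    # The public context is the salt; NUL separators keep ("ab", "c") and
    # ("a", "bc") from producing the same salt bytes.
    salt = "\x00".join([domain.lower(), user_id, str(counter)]).encode()
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt,
                              iterations, dklen=2 * length)
    # Two derived bytes select one alphabet symbol; with 65536 values over
    # 70 symbols the modulo bias is negligible for this purpose.
    return "".join(
        ALPHABET[int.from_bytes(key[2 * i:2 * i + 2], "big") % len(ALPHABET)]
        for i in range(length)
    )

if __name__ == "__main__":
    # Constructed sample inputs.
    pw_a = derive_site_password("correct horse battery staple", "linkedin.com", "alice")
    pw_b = derive_site_password("correct horse battery staple", "mtgox.com", "alice")
    print(pw_a, pw_b, pw_a == pw_b)   # two unrelated passwords, False
```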