i_rape_bitcoins (OP)
Member
Offline
Activity: 70
Merit: 10
June 06, 2012, 07:13:12 PM
This morning, a dump of unique passwords from LinkedIn databases was posted. From the dump, it is revealed that the password hashes did not include a salt. This allows the attacker to generate a rainbow table that is valid for all the hashes. So expect your password to be compromised (feel the same as if your password were leaked in plain text).
If you have a LinkedIn account and use the same password for other services (such as mtgox), please change your password. If you are unsure, visit LeakedIn to check.
More news here: https://news.ycombinator.com/item?id=4073309
~I_RAPE_BITCOINS~
kjlimo
Legendary
Offline
Activity: 2114
Merit: 1031
June 06, 2012, 07:29:22 PM
And remember to always salt your passwords
Who salts a password? Is that something I have to do when creating a password, or is that directed at the password manager to make sure to salt the passwords?
mcorlett
Donator
Sr. Member
Offline
Activity: 308
Merit: 250
June 06, 2012, 07:30:12 PM
Is that something I have to do when creating a password, or is that directed at the password manager to make sure to salt the passwords?
The latter.
ErebusBat
June 06, 2012, 07:31:56 PM
Who salts a password? Is that something I have to do when creating a password, or is that directed at the password manager to make sure to salt the passwords?
kjlimo, it is, unfortunately, up to the website operator to do. The safest thing you can do as a consumer is use a random password at each site.
TangibleCryptography
June 06, 2012, 07:37:38 PM
Honestly I feel it is going to take companies being forced to publicly disclose their exact mechanism for storing passwords and face civil penalties for inaccurate disclosures. I mean it is 2012, not 1971. There is absolutely no possible excuse for not using bcrypt (or similar), much less not even salting the passwords. Security through obscurity is no security at all.
Maybe we can get such information from Bitcoin websites via public pressure.
So major Bitcoin businesses and exchanges how are you storing your passwords? MtGox? CampBX? Bitcointalk? Bitmit? Deepbit? Bitcoinica?
Any volunteers?
nimda
June 06, 2012, 07:47:34 PM
Goddammit, I can't find a mirror of the leak. Oh, found it. This is fun.
weex
Legendary
Offline
Activity: 1102
Merit: 1014
June 06, 2012, 07:52:31 PM
CoinDL and ExchB both use salt and multiple rounds of hashing.
realnowhereman
June 06, 2012, 07:55:28 PM
If you have a LinkedIn account and use the same password for other services (such as mtgox), please change your password. If you are unsure, visit LeakedIn to check.
Seriously people: don't go to LEAKEDin and type your password. Whether it's honest or not, you gain nothing from potentially handing your password over to some random site on the Internet.
1AAZ4xBHbiCr96nsZJ8jtPkSzsg1CqhwDa
i_rape_bitcoins (OP)
Member
Offline
Activity: 70
Merit: 10
June 06, 2012, 08:07:39 PM
If you have a LinkedIn account and use the same password for other services (such as mtgox), please change your password. If you are unsure, visit LeakedIn to check.
Seriously people: don't go to LEAKEDin and type your password. Whether it's honest or not, you gain nothing from potentially handing your password over to some random site on the Internet.
"Just provide your password (which we hash with JavaScript; view source to verify) or a SHA-1 hash of your password below, and we'll check."
browser hashes password -----sends to server-----> server replies if hash matches.
~I_RAPE_BITCOINS~
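Two claims in the thread so far deserve a concrete check: the OP's point that an unsalted dump lets one precomputed table hit every hash, and the LeakedIn exchange above, where sending "only the SHA-1" of your password is supposed to be safe. The script below is an added example, not code from the thread or from LeakedIn. The dump lines and wordlist are constructed (SHA-1 of a few common passwords, plus one entry whose password is not in the wordlist); the zero-prefixed line mimics how some published copies of the LinkedIn file had the first five hex characters of already-cracked entries overwritten with zeros, so matching is done on the trailing 35 characters.

```python
import hashlib

# Constructed sample dump in the style of the leaked LinkedIn file: bare
# unsalted SHA-1 hex digests, one per line, no usernames. Entries are SHA-1
# of a few common passwords plus one whose password is not in WORDLIST.
# The third line has its first five hex characters zeroed, as some copies
# of the real file did for entries that had already been cracked.
SAMPLE_DUMP = """
7c4a8d09ca3762af61e59520943dc26494f8941b
5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
00000e364706816aba3e25717850c26c9cd0d89d
aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d
""".split()

# Constructed wordlist; a real attack uses millions of candidates.
WORDLIST = ["123456", "password", "abc", "qwerty", "letmein"]


def sha1_hex(password):
    """Unsalted SHA-1 of the password: the scheme the leaked hashes used."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def tail(h):
    """Matching key: the trailing 35 hex characters of a digest. Zero-prefixed
    entries still match, and 140 bits leaves collisions negligible here."""
    return h.strip().lower()[-35:]


def build_lookup(wordlist):
    """Hash every candidate once. With no salt, this single table is valid
    for every entry in the dump (and for any other unsalted SHA-1 dump),
    which is why the OP says to treat the leak as plaintext."""
    return {tail(sha1_hex(pw)): pw for pw in wordlist}


def crack_dump(dump, wordlist):
    """Return {dump_entry: password} for every entry found in the table."""
    table = build_lookup(wordlist)
    return {h: table[tail(h)] for h in dump if tail(h) in table}


def password_in_dump(password, dump):
    """Offline check of one password against the file: hash locally, compare
    locally, send nothing anywhere. This is what LeakedIn says it does in the
    browser; doing it yourself removes the trust question. Note that the
    unsalted SHA-1 it would send identifies a weak password exactly as well
    as the password itself does (see crack_dump)."""
    target = tail(sha1_hex(password))
    return any(tail(h) == target for h in dump)


if __name__ == "__main__":
    for h, pw in crack_dump(SAMPLE_DUMP, WORDLIST).items():
        print(f"{h}  ->  {pw!r}")
    print("'hunter2' in dump:", password_in_dump("hunter2", SAMPLE_DUMP))
```

Run it and three of the four entries come back cracked from a five-word list; the fourth only survives because its password is not in the wordlist, not because of anything LinkedIn did. `password_in_dump` is the offline alternative to LeakedIn: the same comparison, with the leaked file on your own disk.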
theymos
Administrator
Legendary
Offline
Activity: 5376
Merit: 13420
June 06, 2012, 08:08:27 PM
Bitcointalk?
SMF uses SHA-1 hashes salted with the username. Not the greatest, though better than LinkedIn. (I'm trying to improve our password security.)
1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
realnowhereman
June 06, 2012, 08:11:25 PM
"Just provide your password (which we hash with JavaScript; view source to verify) or a SHA-1 hash of your password below, and we'll check."
browser hashes password -----sends to server-----> server replies if hash matches.
Oh that's okay then... as long as it says "we're honest" on the website, it must be fine.
1AAZ4xBHbiCr96nsZJ8jtPkSzsg1CqhwDa
mcorlett
Donator
Sr. Member
Offline
Activity: 308
Merit: 250
June 06, 2012, 08:14:00 PM
"Just provide your password (which we hash with JavaScript; view source to verify) or a SHA-1 hash of your password below, and we'll check."
browser hashes password -----sends to server-----> server replies if hash matches.
Oh that's okay then... as long as it says "we're honest" on the website, it must be fine.
The source is available for anyone to read.
epetroel
June 06, 2012, 08:18:37 PM
I expect that they didn't get all user's passwords.
I downloaded the leaked text file and verified that the hash of my password was NOT in there. Checked the hash of another friend from work here, and his wasn't either. So either they didn't get all the passwords, they got all the passwords but didn't release all of them, or the list is a fake. Probably one of the first two (I doubt it's a fake).
EDIT: Also, usernames were not included in the file. So either they don't have the usernames to go with the passwords or more likely they have them but just didn't release them. Probably just waiting to sell the username+password hash list to the highest bidder.
Serge
Legendary
Offline
Activity: 1050
Merit: 1000
June 06, 2012, 08:48:49 PM
they got 6.5mil out of 150million users
epetroel
June 06, 2012, 08:55:35 PM
they got 6.5mil out of 150million users
Well, there were 6.5 million distinct passwords. Considering many users pick the same bad passwords, that very likely represents a lot more than 6.5 million users.
Serenata
June 06, 2012, 09:03:00 PM
Who salts a password? Is that something I have to do when creating a password, or is that directed at the password manager to make sure to salt the passwords?
kjlimo, it is, unfortunately, up to the website operator to do. The safest thing you can do as a consumer is use a random password at each site.
+1
Cool tool for the job: KeePass
justusranvier
Legendary
Offline
Activity: 1400
Merit: 1013
June 06, 2012, 09:03:20 PM
The safest thing you can do as a consumer is use a random password at each site.
Doing that is much easier with a dedicated password manager, like LastPass.
Xenland
Legendary
Offline
Activity: 980
Merit: 1003
I'm not just any shaman, I'm a Sha256man
June 06, 2012, 09:08:00 PM
http://CheaperInBitcoins.com salts its passwords with 254 random characters, uniquely per account, along with appending another salt that is the customer's ID# multiplied by an undisclosed number, on top of requiring users/merchants/customers to have a password of 10 characters or more. So to visualise the hashing, it would look something like this in pseudo code:
hash("sha512", <random 254 characters> (<user_id> * <undisclosed number>) <customer/username password>)
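Several posts above describe storage schemes: LinkedIn's unsalted SHA-1, the SMF scheme theymos describes (SHA-1 salted with the username), and the random-per-account salt with iterated hashing that weex and Xenland describe. The script below is an added example, not code from any of those sites, that puts the three side by side so the difference is visible in the output. It uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for bcrypt or "multiple rounds of hashing"; the iteration count is an assumption to be tuned per server. The only part of Xenland's scheme that carries the weight is the random per-account salt; the "undisclosed number" is a secret constant, which helps only while it is kept somewhere other than the database that leaks.

```python
import hashlib
import hmac
import os

# Assumption: a work factor. Tune so one hash costs tens of milliseconds on
# the server; the point is that it is adjustable, which plain SHA-1 is not.
ITERATIONS = 200_000


def hash_unsalted_sha1(password):
    """The LinkedIn scheme as described in this thread: no salt, so every user
    with the same password shares one hash and one table cracks them all."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_username_salted_sha1(username, password):
    """Shape of the SMF scheme theymos describes (salt = username). Two users
    with the same password now differ, but the salt is public and predictable,
    so one user+password pair hashes identically on every SMF forum, and one
    fast SHA-1 per guess still makes per-account brute force cheap."""
    return hashlib.sha1((username.lower() + password).encode("utf-8")).hexdigest()


def make_record(password, iterations=ITERATIONS):
    """Random per-account salt plus an iterated, slow KDF. The salt is stored
    beside the hash in the clear; its job is to make every account a separate
    cracking job and to defeat precomputed tables, not to be secret."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": dk.hex()}


def verify(record, password):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    dk = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(dk.hex(), record["hash"])


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed shared password
    print("unsalted, alice == bob:", hash_unsalted_sha1(pw) == hash_unsalted_sha1(pw))
    print("username-salted, alice == bob:",
          hash_username_salted_sha1("alice", pw) == hash_username_salted_sha1("bob", pw))
    alice, bob = make_record(pw), make_record(pw)
    print("random-salted, alice == bob:", alice["hash"] == bob["hash"])
    print("verify right password:", verify(alice, pw))
    print("verify wrong password:", verify(alice, "Tr0ub4dor&3"))
```

The stored record carries the salt and the iteration count, so the work factor can be raised later and old records re-hashed at next login without a format change. Prefer bcrypt, scrypt or Argon2 where a library is available; PBKDF2 is shown because it ships with the interpreter.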
Steve
June 06, 2012, 09:08:50 PM
"Just provide your password (which we hash with JavaScript; view source to verify) or a SHA-1 hash of your password below, and we'll check."
browser hashes password -----sends to server-----> server replies if hash matches.
Oh that's okay then... as long as it says "we're honest" on the website, it must be fine.
The source is available for anyone to read.
Just change your password on linkedin, then you don't need to worry about if the source is readable or anything. Problem Solved
Uhhh… as well as every other site where you may have happened to use the same username and password. People really do need a way of testing whether specific passwords are in that list… because many may have forgotten what password they used (with browser autofill, etc.) and if they reset it, well, that doesn't tell them which password has been compromised. Otherwise, they may need to change every password on every site, which can be tedious. Just more justification to use unique, generated passwords on every site.
Steve
June 06, 2012, 09:16:04 PM
The safest thing you can do as a consumer is use a random password at each site.
Doing that is much easier with a dedicated password manager, like LastPass.
I prefer to use something that generates a password from a master instead of storing any passwords anywhere. Here's one such solution: http://passwordmaker.org/passwordmaker.html
You enter a master password and other details (like the domain name and user id), then it uses a hash function to generate a password that doesn't need to be stored anywhere. It does all of that on the client, in the browser, and you can access it from any computer with an internet connection and a browser (only on a computer you trust, of course).
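The derive-from-a-master approach Steve describes, as an added example sketching the idea rather than PasswordMaker's own algorithm: PBKDF2-HMAC-SHA256 over the master password, salted with the site identity and a revision counter, regenerated on demand and stored nowhere. The `revision` parameter, the output length and the iteration count are assumptions added here; the counter is what lets you rotate one site's password after a leak like LinkedIn's without touching the master.

```python
import base64
import hashlib


def derive_site_password(master, domain, userid, revision=1, length=16, iterations=100_000):
    """Deterministic per-site password from a master secret.

    Nothing is stored: the same (master, domain, userid, revision) always
    regenerates the same password, so it can be recomputed on any trusted
    machine. Bump `revision` to rotate one site's password without changing
    the master or any other site's password.
    """
    # Domain is lowercased so 'LinkedIn.com' and 'linkedin.com' agree.
    salt = f"{domain.lower()}\x00{userid}\x00{revision}".encode("utf-8")
    dk = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, iterations, dklen=32)
    # Base64 gives mixed case, digits and the symbols '+' and '/'; truncate to
    # what the site allows. Assumption: the site accepts those characters.
    return base64.b64encode(dk).decode("ascii")[:length]


if __name__ == "__main__":
    master = "a long master passphrase nobody else knows"  # constructed
    for site in ("linkedin.com", "mtgox.com"):
        print(site, derive_site_password(master, site, "alice@example.org"))
    print("linkedin.com, revision 2:",
          derive_site_password(master, "linkedin.com", "alice@example.org", revision=2))
```

The trade-off to keep in mind: a leaked site password (or a cracked hash of it, which for a 16-character random-looking output is not a practical worry) gives an attacker an offline test for guesses at the master, so the master must be a genuinely strong passphrase, and the scheme is only as good as the KDF's work factor against that guessing. Weak per-site length or character-set limits also cap the derived password's strength on that site alone.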