Linkedin passwords compromised

Today, June 6th of 2012, the news came out that Linkedin passwords have been compromised. Over the years there has been a lot of discussion about how to store passwords safely, and also about how to choose a safe password. Assuming the provider of the service you are using stores passwords with a very insecure method, hashing them but nothing more, some examples can show you how to choose a new one.

This example provides some links to find, test and create md5 hashes of passwords that are hashed only, not hashed _and_ salted.

Online there are tools that help you recover the password behind an md5 hash. They are also known as rainbow table services. You just grab an md5 hashed password and check it on the website. One of them is used here; if you search for "online rainbow table search" you will find others too.

http://www.tmto.org/pages/passwordtools/hashcracker/

In the left box you paste up to 10 md5 hashed passwords and it will give you the password for each one it has in its database. Some examples:

password: linkedin
md5 string: f1576406b382b7d1c8c2607f7c563d4f

password: gmail
md5 string: de01c1d48db6c321c637457113ed80d5

password: grandpa
md5 string: 224c1c878dec9c52ea8a8aaaf46a8872

password: semperfi
md5 string: 073de059ab0b79721180e1f87440d4fe

The checker displays the passwords for all of them:

f1576406b382b7d1c8c2607f7c563d4f:linkedin
de01c1d48db6c321c637457113ed80d5:gmail
073de059ab0b79721180e1f87440d4fe:semperfi
224c1c878dec9c52ea8a8aaaf46a8872:grandpa

As you can see, the most common words are known already. If a site like Linkedin is using md5 hashing only and someone is able to get the password hashes, they only need to run them through such a service (be aware, it is not hard to build something like this).

Use stronger passwords, people. An unknown word combined with digits and other signs will make it very hard to recover. Once you have chosen a password, check it against a rainbow database to see if it is known there. If it is, choose another one. It is not hard to imagine that other hashing tools will have a similar database.

To generate the md5 string of a password you could use a database like mysql, but I am sure there are other tools for it too. In mysql you just run the following query:

select md5('linkedin');
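
The difference between "hashed" and "hashed and salted" can be shown in a few lines. The following is an added example, not code from the original post: a plain dictionary stands in for the lookup service's database, and PBKDF2-HMAC-SHA256 with a random per-user salt is an assumed choice of hardened scheme. The function names, the two hypothetical users and the iteration count are assumptions for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: the four example passwords from the post stand in
# for the word database behind an online lookup service.
WORDLIST = ["linkedin", "gmail", "grandpa", "semperfi"]

def md5_unsalted(password):
    """Weak scheme from the post: the same password always gives the same hash."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def build_lookup(words):
    """Precompute hash -> password once; the table then applies to every account."""
    return {md5_unsalted(w): w for w in words}

def hash_salted(password, salt=None, iterations=600_000):
    """Hardened scheme (assumed choice): random per-user salt + PBKDF2-HMAC-SHA256."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, digest

def verify_salted(password, salt, iterations, expected):
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(digest, expected)

def compare_schemes(password="linkedin"):
    """Store one password for two hypothetical users under both schemes."""
    lookup = build_lookup(WORDLIST)
    weak_a, weak_b = md5_unsalted(password), md5_unsalted(password)
    salt_a, it_a, strong_a = hash_salted(password)
    salt_b, it_b, strong_b = hash_salted(password)
    return {
        "weak_hashes_identical": weak_a == weak_b,
        "weak_found_in_table": lookup.get(weak_a),
        "salted_hashes_identical": strong_a == strong_b,
        "salted_found_in_table": lookup.get(strong_a.hex()),
        "salted_still_verifies": verify_salted(password, salt_a, it_a, strong_a),
        "wrong_password_rejected": not verify_salted("gmail", salt_b, it_b, strong_b),
    }

if __name__ == "__main__":
    for key, value in compare_schemes().items():
        print(f"{key}: {value}")
```

With unsalted md5 both users end up with the same stored value and one precomputed table covers them; with a per-user salt the stored values differ, so a table built in advance no longer applies, while the legitimate login check still works.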

One thought on “Linkedin passwords compromised”

  1. md5zone June 7, 2012 at 4:31 am Reply

    Very Nice Post, I have one more site for Md5 decoding i.e. md5hacker
