- There is no indication that the hackers are "out" of LinkedIn at the moment, so any passwords being changed right now could end up in the hackers' hands again. And since the most likely password a person will choose is one they already use elsewhere, the hackers end up with a much larger set of accounts to try.
- The password hashes are stored as unsalted SHA-1. This is criminally poor judgement on the part of whoever implemented this part of the password system. SHA-1 is very, very fast to compute, which makes it very fast to match passwords against. This means that even 5-year-old hardware can work through a terabyte dictionary in a day or so, even with millions of hashes to check against. So most passwords shorter than 8 characters are going to be found within months, and longer passwords that are easily found via "rulesets" will be found in a similar timeframe.
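To make the unsalted-SHA-1 point concrete, here is an added example (not from the original post) that counts how many hash operations a dictionary check needs against unsalted SHA-1 versus per-user salted, iterated PBKDF2; the sample passwords and the tiny dictionary are constructed for the example.

```python
import hashlib
import os

# Constructed sample data for this example (not values from the LinkedIn dump).
SAMPLE_PASSWORDS = ["linkedin1", "Password1!", "123LinkedInQ@$", "qwerty"]
# A tiny constructed dictionary; only the operation count matters here.
DICTIONARY = ["password", "qwerty", "linkedin1", "letmein", "Password1!"]


def store_unsalted(passwords):
    """The scheme the post criticises: raw SHA-1 of each password, no salt."""
    return [hashlib.sha1(p.encode()).hexdigest() for p in passwords]


def store_salted(passwords, iterations=100_000):
    """Hardened storage: a random 16-byte salt per account plus iterated PBKDF2."""
    records = []
    for p in passwords:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha1", p.encode(), salt, iterations)
        records.append((salt, digest))
    return records


def audit_unsalted(stored_hashes, dictionary):
    """Return (accounts matched, hash operations). With no salt every account uses
    the same function, so each dictionary word is hashed once and compared with
    every stored hash by set membership: work = len(dictionary), not accounts."""
    candidate_hashes = {hashlib.sha1(w.encode()).hexdigest() for w in dictionary}
    matched = sum(1 for h in stored_hashes if h in candidate_hashes)
    return matched, len(dictionary)


def audit_salted(records, dictionary, iterations=100_000):
    """Same audit against salted records. Each word must be re-derived per account,
    and each derivation costs `iterations` HMAC rounds instead of one SHA-1."""
    matched = work = 0
    for salt, digest in records:
        for w in dictionary:
            work += 1
            if hashlib.pbkdf2_hmac("sha1", w.encode(), salt, iterations) == digest:
                matched += 1
                break  # this account is found; move on to the next one
    return matched, work


if __name__ == "__main__":
    print("unsalted SHA-1:", audit_unsalted(store_unsalted(SAMPLE_PASSWORDS), DICTIONARY))
    print("salted PBKDF2: ", audit_salted(store_salted(SAMPLE_PASSWORDS), DICTIONARY))
```

With millions of leaked hashes the unsalted figure stays at one SHA-1 per dictionary word, which is why a single dictionary pass covers the whole dump; the salted figure grows with the number of accounts and with the iteration count.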
The passwords being found in this set look very corporate in how they are set up. People were using "good" password rules: mixing uppercase, punctuation, lowercase and numbers, going longer than 10 characters, etc. These are probably the ones most likely to be reused elsewhere.
If you used your LinkedIn password anywhere else, or you use a similar pattern (say your password was 123LinkedInQ@$ and you use that pattern elsewhere, so your Fedora password was 123FedoraQ@$), please change your password at those other locations, and please, please use a different pattern.