6.5 Million Encrypted LinkedIn Passwords Leaked Online

Yet another reason to steer clear of cloud anything. I'm just waiting for some leak where all the personal documents, pictures, financials, etc. stored on cloud servers (such as Google Docs, iCloud or Dropbox) are compromised. Perhaps by some hacker getting a back door, perusing and downloading sensitive info from millions of users for weeks on end.

Given that they can reset the password, the info must be inherently insecure. If everything were encrypted by password, then a reset would be impossible.
 

rantoc (Distinguished, Dec 17, 2009)
Yeah, the cloud idea is awesome. Collect EVERYONE'S data at ONE site so the hackers won't have to hack several systems that are only available when turned on. Rather, have it collected, just waiting for pickup at a data center that's available 24/7. Frankly, no system is completely secure, and until that day any sane person would not store any important data in the cloud!
 

dalethepcman (Distinguished, Jul 1, 2010)
How to create a dictionary/brute-force-secure password. Take any acronym/phrase that has 4+ characters/words in it; let's take "WYSIWYG" as an example. Type out the entire acronym in whole words (whatyouseeiswhatyouget), using your favorite punctuation to divide the words (what!you!see!is!what!you!get). Capitalize the first or last word, placed in numerical order (What!You!See!Is!What!You!Get). Next, insert the number of each word in the acronym before or after each word: What1!You2!See3!Is4!What5!You6!Get7

Easy to remember, and impossible to brute-force/dictionary.

But when the hackers keylog your password it gives them a laugh when they see that your password is something like The!1Only!2Way!3You!4Will!5Know!6This!7Is!8If!9You!0Keylog.

Rule of thumb: unless it has two- or three-phase authentication, it's not secure. If it's not secure, don't store anything secret/important.
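The scheme described in the post above, as an added example that is not code from the original thread: the first function reproduces the WYSIWYG transformation exactly (so "what you see is what you get" becomes What1!You2!See3!Is4!What5!You6!Get7), and the rest shows the attacker's side of the same scheme. Once a cracker knows the recipe, it only needs to guess the base phrase, the separator and the digit position, so the search space is the size of its phrase list times a handful of rule variants rather than the 94^35 that the length suggests. The phrase list, separator set and the naive strength estimate are all constructed here for illustration and are not taken from the post.

```python
"""Added example, not code from the original thread: implements the
phrase-mangling scheme from dalethepcman's post and then shows what it
is worth against a cracker that has learned the scheme.  PHRASES,
SEPARATORS and DIGIT_POSITIONS are constructed for illustration."""
import hashlib
import math
import string


def mangle(phrase: str, sep: str = "!", digit_after: bool = True) -> str:
    """Apply the posted scheme: capitalize each word, tag it with its
    position in the phrase (wrapping to 0 after 9, as the post's keylog
    example does) and join the words with a punctuation separator."""
    out = []
    for i, word in enumerate(phrase.split(), start=1):
        digit = str(i % 10)
        word = word.capitalize()
        out.append(word + digit if digit_after else digit + word)
    return sep.join(out)


# Attacker-side knobs: a cracker that knows the scheme only has to vary
# these on top of its phrase list.  Constructed sample set.
SEPARATORS = ("!", ".", "-", "_", "@", "#")
DIGIT_POSITIONS = (True, False)


def candidates(phrases):
    """Yield (base phrase, password) for every password the scheme can
    produce from the given phrases."""
    for phrase in phrases:
        for sep in SEPARATORS:
            for after in DIGIT_POSITIONS:
                yield phrase, mangle(phrase, sep, after)


def sha1_hex(s: str) -> str:
    """Unsalted SHA-1, the form the leaked LinkedIn hashes were discussed in."""
    return hashlib.sha1(s.encode("utf-8")).hexdigest()


def crack(target_sha1: str, phrases):
    """Return the base phrase whose mangled form hashes to target_sha1,
    or None when no phrase in the list produces it."""
    for phrase, pw in candidates(phrases):
        if sha1_hex(pw) == target_sha1:
            return phrase
    return None


def naive_bits(password: str) -> float:
    """Strength as length times charset, i.e. how the password looks to
    someone who does not know how it was generated."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return len(password) * math.log2(size)


def scheme_bits(n_phrases: int) -> float:
    """Strength once the scheme is known: log2 of the candidate count."""
    return math.log2(n_phrases * len(SEPARATORS) * len(DIGIT_POSITIONS))


# Constructed stand-in for a cracker's dictionary of common sayings.
PHRASES = [
    "the quick brown fox jumps over the lazy dog",
    "what you see is what you get",
    "a stitch in time saves nine",
    "keep it simple stupid",
]

if __name__ == "__main__":
    pw = mangle("what you see is what you get")
    print(pw)
    print(f"looks like {naive_bits(pw):.0f} bits")
    print(f"worth {scheme_bits(10_000):.1f} bits against a 10k-phrase list")
    print("recovered base phrase:", crack(sha1_hex(pw), PHRASES))
```

The point the numbers make is that the security of a password recipe lives entirely in the part the attacker cannot enumerate, here the choice of phrase; the separator and digit rule add only a few bits once they are known, and a cracking rule set that encodes them is cheap to write.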
 
Guest
hoof_hearted: Great post, most people probably wouldn't think of that aspect of password storage when choosing a truly stupid password.
 

Pawessum16 (Distinguished, Nov 3, 2010)
[citation][nom]hoof_hearted[/nom]You'd be surprised at how many of your passwords' SHA1 can be found in Google.
password (5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8): 7340 results
1234 (7110eda4d09e062aa5e4a390b0a572ac0d2c0220): 1290 results
Hello World (0a4d55a8d778e5022fab701977c5d840bbc486d0): 226 results
I used http://www.digitalsecurityexperts.com[/citation]
I would actually recommend not using a random website to hash your passwords, instead, do it yourself through some kind of reputable program or better yet, make yourself a little sha1 encrypting script in the programming language of your choice (they all have built in sha1 functions), or else you're potentially building up a nice little database of sha1 hashes connected to password strings for whoever owns the website.
 

dalethepcman (Distinguished, Jul 1, 2010)
[citation][nom]pawessum16[/nom]I would actually recommend not using a random website to hash your passwords, instead, do it yourself through some kind of reputable program or better yet, make yourself a little sha1 encrypting script in the programming language of your choice (they all have built in sha1 functions), or else you're potentially building up a nice little database of sha1 hashes connected to password strings for whoever owns the website.[/citation]

If you wanted to build a nice little database of SHA1 hashes, then it would be much easier to download the 100 most popular passwords from as many sites as you can and hash them all. Why go to the trouble of making a webapp to generate password hashes for the intent of stealing accounts?
 

agnickolov (Distinguished, Aug 10, 2006)
[citation][nom]dalethepcman[/nom]If you wanted to build a nice little database of SHA1 hashes, then it would be much easier to download the 100 most popular passwords from as many sites as you can and hash them all. Why go to the trouble of making a webapp to generate password hashes for the intent of stealing accounts?[/citation]
Because [naive] users of said site would presumably input real passwords, not dictionary entries. Hence the original poster's warning. My thinking goes along the same lines...
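Both sides of the exchange above, as an added example that is not code from the original thread: Pawessum16's advice to hash locally rather than paste passwords into a website, and dalethepcman's point that an attacker can simply precompute the hashes of popular passwords. The unsalted SHA-1 values reproduce the three quoted in hoof_hearted's post, which is exactly why they are searchable: the same password always gives the same digest, so one table serves every site and every user. The second half shows the storage scheme that defeats such a table, a random per-user salt and a slow key derivation (PBKDF2 from the standard library here). The COMMON list, the record format and the sample passwords are constructed for illustration.

```python
"""Added example, not code from the original thread: hash passwords
locally and see why unsalted SHA-1 digests can be reversed by lookup
while salted, slow hashes cannot.  COMMON and the record layout are
constructed for illustration."""
import hashlib
import hmac
import os


def sha1_hex(password: str) -> str:
    """Plain unsalted SHA-1, the value any online hash lookup indexes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Attacker's precomputed table: hash the popular passwords once, then
# reverse any leaked unsalted digest with a dictionary lookup.  Stands in
# for the "100 most popular passwords" list mentioned in the thread.
COMMON = ["password", "1234", "Hello World", "123456", "qwerty", "letmein"]
LOOKUP = {sha1_hex(p): p for p in COMMON}


def reverse_unsalted(digest: str):
    """Recover the password behind an unsalted SHA-1 if it is in the table."""
    return LOOKUP.get(digest.lower())


def make_record(password: str, iterations: int = 200_000) -> dict:
    """Store a password with a random per-user salt and a slow derivation,
    so no single precomputed table covers every user."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": dk.hex()}


def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    dk = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(dk, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    leaked = sha1_hex("qwerty")
    print("leaked unsalted digest", leaked, "->", reverse_unsalted(leaked))
    a = make_record("correct horse battery staple")
    b = make_record("correct horse battery staple")
    print("same password, different stored hashes:", a["hash"] != b["hash"])
    print("login ok:", verify("correct horse battery staple", a))
```

The two `make_record` calls on the same password produce different stored hashes, which is the property the lookup table relies on not having; the iteration count is what turns a one-microsecond SHA-1 into work the attacker must repeat per guess and per user.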
 

f-14 (Distinguished, Apr 2, 2010)
Doesn't surprise me that LinkedIn does this; I bet the password leak by the Russian was done just to throw it out there when the SEC, FCC, Secret Service and FTC come knocking at the LinkedIn corporate offices demanding to know where they are getting their information from with all the stock profits they are making.
The amount of abuses that could be done with this feature is mind-boggling.
Worse than Facebook even.

After reading the article Tom's had about password cracking, I don't really bother to worry about passwords any more; I just don't put sensitive info on the net any more.
18 hours to crack any password, even if it has ASICs; if they want it that bad they will have it. I'm simply just going to make it not worth their while.
 

freggo (Distinguished, Nov 22, 2008)
All the security in the database world doesn't do you any good if people use the same password on every site. All it takes is a few honeypot sites and you get email addresses and corresponding passwords.

Not that I've ever checked that in the real world, of course, but a substantial number of these combinations then work on Yahoo, GMail and other accounts. Ahem.

 