Is your LinkedIn password leaked? You can check it yourself!
An update on my own post about the LinkedIn password leak: 6.5 million password hashes have been posted on the internet by a Russian group asking for help in cracking them.

Before reading on, first do a reality check: only 6.5 million hashes were supposedly stolen out of 160 million accounts, so the odds are with you this time :)

Now, the stolen password list seems to be an older one containing so-called unsalted SHA-1 hashes, so you can check for yourself whether yours is compromised. If you used TinkerTinker123 or another password out of a list of 160,000 common ones available on the internet, it's already cracked. That list is here: http://www.mediafire.com/?bq8bd5iojp50zci

If not, go to the next step: find out what your password looks like in so-called SHA-1 format, then download the file with all the hashed passwords and see whether your hash is in the list. The example TinkerTinker123 looks like this: e6e2f76d8f0700dde2aa8d2d5b73deb0e13478fa

Don't be scared by the cryptic, lengthy string. There are websites which convert your password into this format (SHA-1), but be aware that you need a trustworthy site which doesn't store your password! Technically you need a hashing client that runs locally on your machine, and preferably a secure https: connection. Most sites are currently down, but if you know a safe and working one, put it in the comments.

The alternative is to compute the SHA-1 hash of your LinkedIn password on your own machine, which Linux and Apple users can do in a terminal window. Windows users can download this program and read the readme :)
http://sourceforge.net/projects/gnuwin32/files/openssl/0.9.8h-1/openssl-0.9.8h-1-bin.zip/download

The large list of stolen password hashes can be downloaded here http://www.tozz.nl/temp/combo_not.zip or here https://disk.yandex.net/disk/public/?hash=pCAcIfV7wxXCL/YPhObEEH5u5PKPlp%2BmuGtgOEptAS4%3D, or check the comments for an up-to-date link if these are overloaded.

Now open this list in e.g. Notepad++, or in Wordpad if you are patient. Search for the SHA-1 string made from your own password. If you can't find it, try again without the first five characters of your long string (1). Still not found: you are safe. If it is found, make sure you didn't use this password elsewhere; if you did, change it immediately and notify LinkedIn as well.

When you're sure your password was not leaked, head over to the linked topic for an explanation and discussion about the reality of choosing a safe password.

(1) The list seems to have been manipulated by the Russians: in part of the entries the first five characters of the SHA-1 string are replaced by 00000. You can check this yourself, if you're savvy, by searching for SHA-1 variations of 'password', which pop up as 000001e4c9b93f3f0682250b6cf8331b7ee68fd8
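For those who would rather not paste anything into a website, here is an added example (not part of the original post) that does the whole check locally in Python: it hashes the password with SHA-1, loads a dump file in the one-hex-hash-per-line format described above, and looks for both the exact hash and the variant with the first five characters replaced by 00000. The SAMPLE_DUMP below is constructed for the example; the first two lines are the hashes quoted in the post, the third is the SHA-1 of "abc", and the last line is junk to show that non-hash lines are skipped. Point it at the real file with a path argument.

```python
import getpass
import hashlib
import sys

# Constructed sample of the dump format: one unsalted SHA-1 hex digest per line.
SAMPLE_DUMP = """\
e6e2f76d8f0700dde2aa8d2d5b73deb0e13478fa
000001e4c9b93f3f0682250b6cf8331b7ee68fd8
a9993e364706816aba3e25717850c26c9cd0d89d
this line is not a hash and is ignored
"""

# The dump masks some entries by overwriting the first five hex chars with zeros.
MASK_PREFIX = "00000"
HEX_DIGITS = set("0123456789abcdef")


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 of the UTF-8 encoded password, lowercase hex (what the dump contains)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def load_hashes(text: str) -> set:
    """Keep only well-formed 40-character hex lines; everything else is noise."""
    hashes = set()
    for line in text.splitlines():
        line = line.strip().lower()
        if len(line) == 40 and set(line) <= HEX_DIGITS:
            hashes.add(line)
    return hashes


def check_password(password: str, hashes: set):
    """Return 'exact' or 'masked' if the password's hash is in the dump, else None.

    'masked' means the dump contains the hash with its first five characters
    replaced by 00000, which is the manipulation described in footnote (1).
    """
    digest = sha1_hex(password)
    if digest in hashes:
        return "exact"
    masked = MASK_PREFIX + digest[len(MASK_PREFIX):]
    if masked in hashes:
        return "masked"
    return None


if __name__ == "__main__":
    # Usage: python check_leak.py [path/to/combo_not.txt]
    # The password is read without echo and never leaves this machine.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "r", encoding="utf-8", errors="ignore") as fh:
            dump = load_hashes(fh.read())
    else:
        dump = load_hashes(SAMPLE_DUMP)
    verdict = check_password(getpass.getpass("Password to check: "), dump)
    print("FOUND (%s) - change it everywhere you used it" % verdict if verdict
          else "not in this file")
```

Note that the masked search is a prefix-independent match, so it can in theory produce a false positive on another hash sharing the same trailing 35 characters; in practice that does not happen, and a hit either way means the password should be retired.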
$ echo -n TinkerTinker123 | sha1sum
e6e2f76d8f0700dde2aa8d2d5b73deb0e13478fa  -
 
Also, Sophos is saying "Although the data which has been released so far does not include associated email addresses, it is reasonable to assume that such information may be in the hands of the criminals,". Better to be safe than sorry but if there are NOT confirmed emails associated with the passwords this list is essentially useless.
 
It seems very fair to assume the attackers have the full details, +Paul Spoerry, so once their request for help cracking the list is fulfilled they have full access to your LinkedIn account and other places they can find by tracing your profile.
 
Oh, and mine was not in the list :) 
I can of course provide a friendly service: just put your password in the comments and I will tell you if it's compromised ;)
 
+Sergii Tkachenko the post was written for people without unix shell commands. The leading zeros are mentioned.
 
My hash, and also those of two other colleagues, were not leaked, at least not in this file. All changed passwords anyway. :)
 
+Max Huijgen , Windows 7 users (or any windows with powershell) can do this:
PS>"TinkerTinker123" | %{ [string]::join("",([Security.Cryptography.HashAlgorithm]::Create('SHA1').ComputeHash(([System.Text.Encoding]::UTF8).GetBytes($_)) | %{"{0:x2}" -f $_ }))}
e6e2f76d8f0700dde2aa8d2d5b73deb0e13478fa

The utility below may be a tad easier for most Windows users than your suggestion...
http://www.slavasoft.com/hashcalc/index.htm
 
Thanks for the small utility +Olivier Poulet. I wanted to restrict my suggestion to something with source code, but I'm paranoid with my passwords.
Should the PS command work out of the box on a Windows 7 system?
 
+Max Huijgen Yes, it should on 7, probably on Vista also (can't remember if Powershell came out of the box), and on XP provided you install Powershell.
+Bas van der Veeken Indeed, the ability to (relatively) easily use .Net classes comes in handy. Google around, and you'll find you can actually compile .Net code from PowerShell, and immediately use the resulting class.
 
Some examples of passwords already cracked out of the LinkedIn files: ajedresserdeja, iam14ever, id10tsid10ts, so this must be part of a smart dictionary attack. There are more examples of this kind.
Also cracked: emekaa2k (9 chars), niños94 (eight with special char and numbers, etc).
Hundreds of thousands of 8-character combinations without caps but with letters and special characters are cracked as well, so these Russians already put a lot of effort into it.
 
chillbchillb123, e.g., was also cracked by them. That's 15 chars!!! So they definitely use large and smart Markov-based rainbow tables.
 
This is such a good post. Thank you Max.
 
I don't know what to think: my password was a junk one and was cracked (fairly easily, I suspect).
A friend of mine who is a well known name worldwide in the field of security has his cracked, too (and even if I don't know what his password was, I can assume it was a strong one...).
A coworker of mine checked his junkier-than-mine password but it wasn't compromised (and here I think its hash simply didn't leak).
It's hideous when one finds he's trusting someone that doesn't deserve his trust, but the worst part of the story is that LinkedIn didn't respond properly to the attack, either.
To whoever says that without other details the passwords are useless: not completely true, as those passwords will surely become part of the dictionary those guys will use next time. So never use a compromised password or its variations again.
+Olivier Poulet thanks. For me, being a pro in the field of .net related and discovering I completely ignored such a useful feature is priceless :)
 
+Giancarlo Todone The password I was using on LinkedIn wasn't strong since I never really used it, and it's not in the list. 

The most important stuff I use have two-step verifications. Facebook is not that important for me, however I think it's about time they introduce something similar.
 
Hi +Luke Psaila good tip, but I really wanted to avoid all online pw checkers. Call me paranoid :)
 
+Max Huijgen  You're right to be paranoid on this.
Nice tip: you can use verifiers that claim to do the verification client-side, offline.
Just load the strength checker page, then disconnect/unplug the net cable and then do your verification.
Then close the page, purge the cache and reconnect.
If something goes wrong, then the checker wasn't honest about its data treatment policy...
 
+Max Huijgen Mine was in the list! I very much understand not using an online service, and the next best thing would be KeePass. 

As for LastPass though, it's pretty darn safe! I mean NO system is perfect but with lastpass your hosted data is encrypted, but you should use a strong MASTER password. I think there is a balance between security and usability and LastPass does both for me. 

LastPass does NOT know your master password. Your master password is hashed on YOUR machine, salted, and then it stores that. LastPass stores the result of the salted hash and uses that, not your master password, to authenticate you. So to break your password they'd have to guess the password, compute the salted hash, and then compare it to the value stored in the database. But even if they managed to do this they still don't have access to your actual encrypted data (sites, usernames, passwords, form fills, etc.). So... it's safer than using the same "strong" password on every site.

Oh... and they offer two-factor authentication (like Google Authenticator) which is doubly awesome.
 
+Paul Spoerry my sole objection against the KeePass, LastPass etc. programs is that they diminish your protection against the simplest way to get a password: just observe someone typing it.
That's why you want simple, relatively easy to type and memorized passwords. The weakest link in the chain is the user typing his password, having to peek for the correct one and then spending ages getting the combination entered.
 
I'm not sure about KeePass but that's actually one of the best parts of LastPass +Max Huijgen. You don't have to look up your passwords. Once activated (and yes, you'd have to watch for shoulder surfers; but just in the same way as when logging onto your machine) it can autofill passwords so that nobody can watch you type it in (or it can fill them in  via keyboard shortcuts you define). Please don't misread this as casting a stone toward any one approach, just sharing my experience with LastPass.
 
Yup. It actually makes me feel even better about the product +Max Huijgen. If you read into it they raised the alarm "too fast", in other words they saw something odd and responded immediately. Also "... users with a strong master password have no reason to worry at this point."
 
The latest update on the LinkedIn passwords is that so far 3,427,202 passwords have already been cracked, the longest being a 29-letter sentence from the Bible.
 
That would take quite some time to type in on a smartphone :p
 
On that page they do calculate the hash in the browser and then just upload the hash. Check the code:

    var hash = Sha1.hash(password);

    var html = "The SHA-1 hash of your password is: <b>"+hash+"</b>";
    html += "<br/><br/>";
    html += "<div id='status'>Please wait while we check if your password was one of the ones that was compromised...</div>";
    $("#newcontent").html(html);

    $.ajax({global:false,type:"POST",cache:false,dataType:"json",
            url:    "/linkedin/index.php?rand=77688867805",
            data:   {cmd:"check",hash:hash},
            success:checkack,
            failure:checknack});

So, paranoia can be turned off +Max Huijgen and +Luke Psaila