As many readers already know, LinkedIn had a password database leak. Since LinkedIn’s implementation of password hashing didn’t use salt, a variety of methods including rainbow tables and brute force can be used to guess the passwords. There’s even a handy website called leakedin.org that computes the password hash and checks to see if the resulting scrambled password is within the leaked set.
I thought it’d be fun to try to guess some passwords just based on intuition alone, using LeakedIn to check the guesses. Here’s some of the more entertaining passwords that are in the database: ‘obama2012’, ‘Obama2012’, ‘paladin’, ‘linkedinsucks’, ‘fuckyou’, ‘godsaveus’, ‘ihatemyjob’, ‘ihatejews’ (tsk tsk), ‘manson’, ‘starbucks’, ‘qwer1234’, ‘qwerty’, ‘aoeusnth’ (hello fellow dvorak user!), ‘bigtits’ (really?), ‘colbert’, ‘c0lbert’, ‘bieber’, ‘ilovejustin’, ‘50cent’, ‘john316’, ‘john3:16’, ‘John3:16’, ‘1cor13’, ‘psalm23’, ‘exodus20’, ‘isiah40’, ‘Matthew6:33’, ‘hebrews11’ (bible verses are quite popular passwords!).
Interestingly, there is no ‘romney2012’ or any variant thereof.
There is however a “palin2012” :P
Thanks!!
If you’re afraid to send them your password, you can generate a hash under the OSX terminal:
echo -n "yourpassword" | openssl sha1
(source: http://osxdaily.com/2012/06/06/check-sha1-hash-of-string/ )
A cursory inspection of the code shows it computes the SHA-1 using JavaScript client-side, so I think you’re not sending passwords over the internet. Of course, maybe someone buried something very tricky in the code, or they rotate the code delivered to clients…definitely safer to do it your way!
LOL
changed my password just in case.
seriously, salts have been known for ages! why not use them? to save what? some bytes in each database record?
Dvorak users unite! :D
aoeui4ever!
yay! I’m not alone…someone else with the oddly worn out ‘;’, yet the oddly unused ‘e’ keys on their keyboard…and all the odd stares from coworkers and clients as you hunt and peck for keys on their keyboards. On the other hand, it’s always amusing to watch the IT guy come in and try to ‘fix’ something on your keyboard…
@f4grx: not to save bytes in the database. It’s pure developer laziness. There is no other excuse. Either they don’t care, or they are just clueless. Very few developers know anything about security, and for most companies, it’s an afterthought at best.
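The two points made in the comments above, the local `openssl sha1` check and the question of why a salt matters, as an added Python example (not code from the post or from leakedin.org). The leaked set is constructed here from a few passwords the post mentions; PBKDF2-HMAC-SHA1 is used on the salted side only to stay close to the SHA-1 under discussion.

```python
import hashlib
import hmac
import os

# Constructed sample set: unsalted SHA-1 digests of a few passwords the post
# mentions, computed here rather than copied from the real dump.
SAMPLE_PASSWORDS = ["password", "qwerty", "linkedin", "iloveyou"]


def sha1_hex(password):
    """Same digest as `echo -n "yourpassword" | openssl sha1`: unsalted SHA-1 of the UTF-8 bytes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


LEAKED_HASHES = {sha1_hex(p) for p in SAMPLE_PASSWORDS}


def is_leaked(password, leaked=LEAKED_HASHES):
    """Offline check: hash locally and look the digest up; the password never leaves this process."""
    return sha1_hex(password) in leaked


def salted_hash(password, salt):
    """Per-user salt plus key stretching (PBKDF2-HMAC-SHA1 keeps this close to the post's SHA-1;
    a modern password KDF is the better choice in practice)."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, 100_000).hex()


def new_record(password):
    """Build a stored record 'salt$digest' with a fresh random 16-byte salt."""
    salt = os.urandom(16)
    return salt.hex() + "$" + salted_hash(password, salt)


def verify(password, record):
    """Check a login attempt against a stored record using a constant-time comparison."""
    salt_hex, digest = record.split("$", 1)
    return hmac.compare_digest(salted_hash(password, bytes.fromhex(salt_hex)), digest)


def distinct_digests(password, users):
    """Distinct stored values produced by `users` accounts sharing one password:
    unsalted SHA-1 yields 1 (one precomputed lookup covers them all), salted storage yields `users`."""
    unsalted = {sha1_hex(password) for _ in range(users)}
    salted = {new_record(password) for _ in range(users)}
    return len(unsalted), len(salted)


if __name__ == "__main__":
    for guess in ["qwerty", "correct horse battery staple"]:
        print(guess, "leaked" if is_leaked(guess) else "not in sample set")
    print("digests for 3 users sharing 'password':", distinct_digests("password", 3))
```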
Linotype fans are also represented – both “etaoin” and “etaoinshrdlu” are on the list.
“password” is also in there (of course).
So are “strongpassword”, “greatpassword” and “bestpassword”.
… and the smallboobs are safe (no, you didn’t read this, I didn’t write it)
however, hellokitty is not. Poor thing.
There’s also :
january,februrary,september,october,november,december
janvier,fevrier,juillet,octobre,novembre,decembre (french)
adolfhitler
may8th
july4th
angels
holymary
holyspirit
godfather
jesuschrist (right, we’ve got the whole family here)
asshole, Asshole,
Pokemon, pokemon,
pikachu,
salameche,
Kungfu, kungfu,
fortytwo,
taichi,
karate,
linkedin (wow that was original)
facebook
youtube
viadeo (ha ha)
myspace
secure (you bet)
hacker
bullion
iamrich
iloveyou
checkmate
button
psycho
password
potato
coffee
greentea
chocolate
football
darling
verify
killme
relevant to our interests :
hamradio (oh no they did it)
amplifier
transistor
circuit
interface
javascript
connector
socket
microchip
chumby (ha ha)
cellular
netcat
struts
google
microsoft
macbook
macbookpro
houston
it seems that spaces are permitted so there’s also
fuck you
i love you
…etc., which increases the number of possibilities.
that’s a bit of fun!
I will stop here …
@Travis I share your analysis. The problem I think is that people consider sha1 safe while md5 is not, with no idea of what it means.
Also relevant to our interests:
rodeoclown
Wow, I’m so tempted to make your post into a beatbox song!
Pokémon! Pokémon! Pikachu!
Salameche!
Shoo de wop!
Cha-cha cha!
Wow! all I can say is Wow! My password was on the short list in the main body of the post (which I saw reposted on BoingBoing)… hence the anon name in this comment. Guess it’s time to change that password!
Didn’t know you hated jews! :-)
any non-random password not in CamElc0wboY with less than 14 characters is unsafe
it’s a pain to remember;
but it’s strong for longer.
OK, I have to ask; what’s CamElc0wboY?
The *only* Google hit on that word is this here blog post…
Maybe halfway through typing “CaMeLcAsE” he autotyped some part of his password.
11111111
wachtwoord
friend
letmein
nederland
germany
england
deutschland
voetbal
…it’s very difficult to find something that’s not a password!
‘yourock’
check
victim
samsung
laptop
plumber
security
safety
keyword
android
iphone
blackberry
baguette
cheesecake
camembert
roquefort (hmm there’s quite a bunch of french accounts there)
breakfast
frenchfries
unbelievable (I swear it’s a password!)
not passwords:
casablanca
constantinople
vladivostok
—————-
hmm… quite unbelievable!
I bet about 95% of all good national dictionaries is inside this list!
except “smartphone” and “pizza” !
(sorry, small mistake, these cities are also in the list, there’s a spurious text that was meant to be elsewhere)
bozotheclown – Check.
‘boscoe’ is there, as are ‘costanza’ and ‘kramer’.
any publicity is good publicity, they probably had a jump in number of users logging in to the site.
http://www.lemonde.fr/technologies/article/2012/06/11/linkedin-rassure-ses-utilisateurs-apres-le-vol-de-6-5-millions-de-mots-de-passe_1716550_651865.html#xtor=RSS-3208
executive summary:
- emails not published, so you’re still safe
- majority of passwords still ciphered
- working with FBI to find authors of leak
- world class security team put in place
- reinforced security
http://knowyourmeme.com/photos/112480-are-you-serious-face-seriously
I wonder if ‘reinforced security’ means SHA-256…
More great password choices in the list:
fuckme
fucker
pigfucker
horsefucker
unclefucker (SouthPark!)
motherfucker
Thankfully, the sheep, cows and chickens are safe.
LinkedIn users are HOT!…
damnsexy, sexydog, sexyman, sexywoman, sexykid, toosexy, supersexy, sexydick, sexypenis, sexyhair, sexymom, sexyuncle, sexychicken, sexypig, sexysnake…
There are plenty of software tools that generate a hard-to-guess password that’s easy to change. I use one of them for all my accounts and never had a problem because I regenerated a new password every time I found out about a rumor like this. The internet is as safe as you make it for yourself.
Some people will change their password after this post!
Actually you should use a password that includes many letters and numbers to keep your account safe
Did you change your password? I did haha! It was John234. Now I have a password that includes many letters and numbers.
Your password John 234 was a password that included many letters and numbers. Why change it? Maybe we’ll have to get back to the old passwords, because no one will guess that we kept our weak password. Haha!
I saw you at Lucca, I knew you at Pisa. – Italian Proverb