Leaked In

As many readers already know, LinkedIn had a password database leak. Since LinkedIn’s implementation of password hashing didn’t use salt, a variety of methods including rainbow tables and brute force can be used to recover the passwords. There’s even a handy website called leakedin.org that computes the password hash and checks to see if the resulting scrambled password is within the leaked set.

I thought it’d be fun to try to guess some passwords based on intuition alone, using LeakedIn to check the guesses. Here are some of the more entertaining passwords that are in the database: ‘obama2012’, ‘Obama2012’, ‘paladin’, ‘linkedinsucks’, ‘fuckyou’, ‘godsaveus’, ‘ihatemyjob’, ‘ihatejews’ (tsk tsk), ‘manson’, ‘starbucks’, ‘qwer1234’, ‘qwerty’, ‘aoeusnth’ (hello fellow dvorak user!), ‘bigtits’ (really?), ‘colbert’, ‘c0lbert’, ‘bieber’, ‘ilovejustin’, ‘50cent’, ‘john316’, ‘john3:16’, ‘John3:16’, ‘1cor13’, ‘psalm23’, ‘exodus20’, ‘isiah40’, ‘Matthew6:33’, ‘hebrews11’ (bible verses are quite popular passwords!).

Interestingly, there is no ‘romney2012’ or any variant thereof.
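As an added illustration (not code from the original post or from LinkedIn) of why the missing salt is the whole story: with unsalted SHA-1, one precomputed digest-to-password table matches every user in the leak, and a password can be checked against a local copy of the leak without sending it anywhere. The “leaked” set and candidate list below are constructed here from passwords the post mentions, and the per-user salts are made up.

```python
import hashlib


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 hex digest: the scheme the leaked database used."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Constructed stand-in for the leaked set: the digests of three passwords the
# post mentions, stored exactly the way an unsalted database stores them.
LEAKED_UNSALTED = {sha1_hex(p) for p in ("qwerty", "password", "obama2012")}


def build_lookup_table(candidates):
    """Precompute digest -> password once. With no salt, this single table
    matches every user in every unsalted SHA-1 database; that is the property
    rainbow tables exploit."""
    return {sha1_hex(p): p for p in candidates}


def recover_from_leak(leaked_hashes, table):
    """Cross the leak with the table: each hit costs one dictionary lookup."""
    return {h: table[h] for h in leaked_hashes if h in table}


def is_in_leak_offline(password: str, leaked_hashes) -> bool:
    """Check a password against a local copy of the leak without transmitting
    it (the same idea as the `openssl sha1` one-liner in the comments)."""
    return sha1_hex(password) in leaked_hashes


def salted_sha1(password: str, salt: bytes) -> str:
    """What was missing: a per-user random salt mixed into the hash. Two users
    with the same password now get different digests, so a precomputed table
    is useless and each hash must be attacked on its own. A salt alone does
    not make guessing one weak password slower; a slow hash (bcrypt, scrypt,
    PBKDF2) is needed for that."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    table = build_lookup_table(["qwerty", "password", "letmein", "romney2012"])
    print(recover_from_leak(LEAKED_UNSALTED, table))
    same = salted_sha1("qwerty", b"user1-salt") == salted_sha1("qwerty", b"user2-salt")
    print("salted digests identical:", same)
```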

34 Responses to “Leaked In”

  1. slw says:

    There is however a “palin2012” :P

  2. Jean says:

    Thanks!!

    If you’re afraid to send them your password, you can generate a hash in the OS X terminal:
    echo -n "yourpassword" | openssl sha1
    (source: http://osxdaily.com/2012/06/06/check-sha1-hash-of-string/ )

    • bunnie says:

      A cursory inspection of the code shows it computes the SHA-1 using javascript client-side, so I think you’re not sending passwords over the internet. Of course, maybe someone buried something very tricky in the code, or they rotate the code delivered to clients…definitely safer to do it your way!

  3. f4grx says:

    LOL

    changed my password just in case.

    seriously, salts have been known for ages! why not use them? to save what? some bytes in each database record?

  4. Melissa says:

    Dvorak users unite! :D

    • Russ says:

      aoeui4ever!

    • bunnie says:

      yay! I’m not alone…someone else with the oddly worn out ‘;’, yet the oddly unused ‘e’ keys on their keyboard…and all the odd stares from coworkers and clients as you hunt and peck for keys on their keyboards. On the other hand, it’s always amusing to watch the IT guy come in and try to ‘fix’ something on your keyboard…

  5. Travis says:

    @f4grx: not to save bytes in the database. It’s pure developer laziness. There is no other excuse. Either they don’t care, or they are just clueless. Very few developers know anything about security, and for most companies, it’s an afterthought at best.

  6. ik says:

    Linotype fans are also represented – both “etaoin” and “etaoinshrdlu” are on the list.

  7. “password” is also in there (of course).

  8. f4grx says:

    … and the smallboobs are safe (no, you didn’t read this, I didn’t write it)

    however, hellokitty is not. Poor thing.

    There’s also :

    january,februrary,september,october,november,december
    janvier,fevrier,juillet,octobre,novembre,decembre (french)

    adolfhitler
    may8th
    july4th

    angels
    holymary
    holyspirit
    godfather
    jesuschrist (right, we’ve got the whole family here)

    asshole, Asshole,
    Pokemon, pokemon,
    pikachu,
    salameche,
    Kungfu, kungfu,
    fortytwo,
    taichi,
    karate,
    linkedin (wow that was original)
    facebook
    youtube
    viadeo (ha ha)
    myspace
    secure (you bet)
    hacker
    bullion
    iamrich
    iloveyou
    checkmate
    button
    psycho
    password
    potato
    coffee
    greentea
    chocolate
    football
    darling
    verify
    killme

    relevant to our interests :

    hamradio (oh no they did it)
    amplifier
    transistor
    circuit
    interface
    javascript
    connector
    socket
    microchip

    chumby (ha ha)
    cellular
    netcat
    struts
    google
    microsoft
    macbook
    macbookpro
    houston

    it seems that spaces are permitted so there’s also
    fuck you
    i love you
    …etc that increases the number of possibles.

    that’s a bit of fun!

    I will stop here …

    @Travis I share your analysis. The problem I think is that people consider sha1 safe while md5 is not, with no idea of what it means.

  9. Anonymous says:

    Wow! all I can say is Wow! My password was on the short list in the main body of the post (which I saw reposted on BoingBoing)… hence the anon name in this comment. Guess it’s time to change that password!

  10. f4grx says:

    any non-random password not in CamElc0wboY with less than 14 characters is unsafe

    it’s a pain to remember;

    but it’s strong for longer.

    • Noah says:

      OK, I have to ask; what’s CamElc0wboY?
      The *only* Google hit on that word is this here blog post…

      • Jeff B says:

        Maybe halfway through typing “CaMeLcAsE” he autotyped some part of his password.

  11. Duh says:

    11111111
    wachtwoord
    friend
    letmein
    nederland
    germany
    england
    deutschland
    voetbal
    ….it’s very difficult to find something that’s not a password!

  12. brrr says:

    ‘yourock’

    check

  13. f4grx says:

    victim
    samsung
    laptop
    plumber
    security
    safety
    keyword
    android
    iphone
    blackberry
    baguette
    cheesecake
    camembert
    roquefort (hmm there’s quite a bunch of french accounts there)
    breakfast
    frenchfries
    unbelievable (I swear it’s a password!)
    not passwords:
    casablanca
    constantinople
    vladivostok

    —————-
    hmm… quite unbelievable!
    I bet about 95% of all good national dictionaries is inside this list!

    except “smartphone” and “pizza” !

    • f4grx says:

      (sorry, small mistake, these cities are also in the list, there’s a spurious text that was meant to be elsewhere)

  14. Tom says:

    bozotheclown – Check.

  15. Tom Ames says:

    ‘boscoe’ is there, as are ‘costanza’ and ‘kramer’.

  16. caustik says:

    any publicity is good publicity, they probably had a jump in number of users logging in to the site.

  17. f4grx says:

    http://www.lemonde.fr/technologies/article/2012/06/11/linkedin-rassure-ses-utilisateurs-apres-le-vol-de-6-5-millions-de-mots-de-passe_1716550_651865.html#xtor=RSS-3208

    executive summary:

    -emails not published, so you’re still safe
    -majority of passwords still ciphered
    -working with FBI to find authors of leak
    -world class security team put in place
    -reinforced security

    http://knowyourmeme.com/photos/112480-are-you-serious-face-seriously

    I wonder if ‘reinforced security’ means SHA-256…

  18. Noah says:

    More great password choices in the list:

    fuckme
    fucker
    pigfucker
    horsefucker
    unclefucker (SouthPark!)
    motherfucker

    Thankfully, the sheep, cows and chickens are safe.

  19. 320x200 says:

    LinkedIn users are HOT!…
    damnsexy, sexydog, sexyman, sexywoman, sexykid, toosexy, supersexy, sexydick, sexypenis, sexyhair, sexymom, sexyuncle, sexychicken, sexypig, sexysnake…

  20. Amass says:

    There are plenty of software programs that generate a hard-to-guess password that’s easy to change. I use one of them for all my accounts and never had a problem because I regenerated a new password every time I found out about a rumor like this. The internet is as safe as you make it for yourself.

  21. Some people will change their password after this post!
    Actually you should use a password that includes many letters and numbers to keep your account safe

    • Braco says:

      Did you change your password? I did haha! It was John234. Now I have a password that includes many letters and numbers.

      • Epilare says:

        Your password John 234 was a password that included many letters and numbers. Why change it? Maybe we’ll have to get back to the old passwords, because no one will guess that we kept our weak password. Haha!

  22. Mitch Yake says:

    I saw you at Lucca, I knew you at Pisa. – Italian Proverb