Topic: [Password Leak] LinkedIn database hacked - page 4. (Read 12914 times)

rjk
sr. member
Activity: 448
Merit: 250
1ngldh
It can take months to crack a simple password.
Only if it isn't in a dictionary somewhere already. But yes, even dictionary cracks are slowed down, somewhat.
vip
Activity: 490
Merit: 502
Honestly I feel it is going to take companies being forced to publicly disclose their exact mechanism for storing passwords and face civil penalties for inaccurate disclosures. I mean it is 2012, not 1971. There is absolutely no possible excuse for not using bcrypt (or similar), much less not even salting the passwords. Security through obscurity is no security at all.

Maybe we can get such information from Bitcoin websites via public pressure.

So major Bitcoin businesses and exchanges how are you storing your passwords?
MtGox?
CampBX?
Bitcointalk?
Bitmit?
Deepbit?
Bitcoinica?

Any volunteers?

Bitcoinica: Salted BCrypt with 20 iterations. Enforce minimum 8 characters. It can take months to crack a simple password. (And I use this for all my future app projects. Also recommend everyone to do the same.)
BCB
vip
Activity: 1078
Merit: 1002
BCJ
Check This out.
http://shiflett.org/blog/2012/jun/leakedin
Link to Chris Shiflett's blog and another link to "Leakedin"
Their leaked password checker. 

Happy Hunting....
donator
Activity: 853
Merit: 1000
This pisses me off. Really, I mean really?? I thought LinkedIn was supposed to be professional. Every newb knows that you always want some salt with your hash ( and maybe some eggs too ). Otherwise it's bland and tasteless.
legendary
Activity: 1400
Merit: 1013
Quote
So far 3,427,202 passwords have been cracked from the LinkedIn list. Almost 50%. It's been about 24 hours. The longest? A 29-letter sentence from the Bible.

 - https://twitter.com/CrackMeIfYouCan/status/210474428407103490

So, the "username" (LinkedIn doesn't use usernames, so that's e-mail address) hasn't been leaked. So 3.4 million email passwords, maybe a quarter (more, I'd bet) used the same password as their email, and PayPal. So presuming a party with malicious intent has control of close to a million valid email accounts and passwords.

So from there, I'm guessing access to the email accounts gives "forgot password" capability to bank accounts. Most of those will be slowed by a "mother's maiden name" multifactor security question, ... but there's probably thousands (or tens of thousands) of bank accounts that will get compromised as a result of this. PayPal, without having a security question hurdle, even more. Dwolla uses a PIN #, ... hopefully not a whole lot of people used 4321 or 9999 PIN codes for that.

Aye, ... this could be painful.
I'm disappointed. According to LeakedIn my password is not part of the leak. It would have been interesting to see if anyone managed to crack my old password: h0NOl&tHgNr7ePTiayf7
legendary
Activity: 2506
Merit: 1010
Quote
So far 3,427,202 passwords have been cracked from the LinkedIn list. Almost 50%. It's been about 24 hours. The longest? A 29-letter sentence from the Bible.

 - https://twitter.com/CrackMeIfYouCan/status/210474428407103490

So, the "username" (LinkedIn doesn't use usernames, so that's e-mail address) hasn't been leaked. So 3.4 million email passwords, maybe a quarter (more, I'd bet) used the same password as their email, and PayPal. So presuming a party with malicious intent has control of close to a million valid email accounts and passwords.

So from there, I'm guessing access to the email accounts gives "forgot password" capability to bank accounts. Most of those will be slowed by a "mother's maiden name" multifactor security question, ... but there's probably thousands (or tens of thousands) of bank accounts that will get compromised as a result of this. PayPal, without having a security question hurdle, even more. Dwolla uses a PIN #, ... hopefully not a whole lot of people used 4321 or 9999 PIN codes for that.

Aye, ... this could be painful.
hero member
Activity: 602
Merit: 513
GLBSE Support [email protected]
GLBSE uses BCrypt + salt
hero member
Activity: 868
Merit: 1000
Cool thing is that linkedln easily could rename their service to leakedln. Whoever used linkedln anyway?
legendary
Activity: 1400
Merit: 1013
You enter a master password and other details (like the domain name and user id) then it uses a hash function to generate a password that doesn't need to be stored anywhere.  It does all of that on the client, in the browser and you can access it from any computer with an internet connection and a browser (only on a computer you trust of course).
I used a tool like that before but found it more convenient to use a tool that came with plugins for every browser I use including Android. I want my password manager to Just Work no matter which browser I am using so I've found it to be easier to disable the built-in managers and just use the LastPass plugin for everything.
hero member
Activity: 868
Merit: 1008
The safest thing you can do as a consumer is use a random password at each site.
Doing that is much easier with a dedicated password manager, like LastPass.
I prefer to use something that generates a password from a master instead of storing any passwords anywhere.  Here's one such solution:
http://passwordmaker.org/passwordmaker.html

You enter a master password and other details (like the domain name and user id) then it uses a hash function to generate a password that doesn't need to be stored anywhere.  It does all of that on the client, in the browser and you can access it from any computer with an internet connection and a browser (only on a computer you trust of course).
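The derive-don't-store idea from the post above, as an added example that is not PasswordMaker's own algorithm: master password plus domain and user id go through a slow hash, and the output is mapped onto a fixed alphabet. Assumptions: PBKDF2-HMAC-SHA256 as the hash, a 64-symbol alphabet, 20-character output, and a `generation` counter (not in the post) so one site's password can be rotated after a leak without changing the master.

```python
import hashlib
import string

# Added example of deterministic per-site passwords; nothing is stored anywhere.
ALPHABET = string.ascii_letters + string.digits + "!@"  # 64 symbols: 6 bits each
ITERATIONS = 100_000  # slow hash so a leaked site password is hard to invert to the master


def derive_site_password(master: str, domain: str, user_id: str,
                         length: int = 20, generation: int = 0) -> str:
    """Same inputs always give the same password; different domain, user id or
    generation gives an unrelated one, so a leak at one site reveals nothing
    about the master or about other sites."""
    domain = domain.strip().lower()  # LinkedIn.com and linkedin.com are one site
    # Domain, user id and generation act as the salt for the master password.
    salt = f"{domain}\x00{user_id}\x00{generation}".encode("utf-8")
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt,
                              ITERATIONS, dklen=length)
    # 256 is a multiple of 64, so byte % 64 selects symbols without bias.
    return "".join(ALPHABET[b % len(ALPHABET)] for b in key)


if __name__ == "__main__":
    master = "a long master passphrase"  # constructed
    print(derive_site_password(master, "linkedin.com", "alice"))
    # After the leak: bump the generation, get a fresh password for that site only.
    print(derive_site_password(master, "linkedin.com", "alice", generation=1))
    print(derive_site_password(master, "paypal.com", "alice"))
```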
hero member
Activity: 868
Merit: 1008
"Just provide your password (which we hash with JavaScript; view source to verify) or a SHA-1 hash of your password below, and we'll check."

browser hashes password -----sends to server-----> server replies if hash matches.

Oh that's okay then... as long as it says "we're honest" on the website, it must be fine.
The source is available for anyone to read.

Just change your password on linkedin, then you don't need to worry about if the source is readable or anything. Problem Solved :)
Uhhh…as well as every other site where you may have happened to use the same username and password.  People really do need a way of testing whether specific passwords are in that list…because many may have forgotten what password they used (with browser autofill, etc) and if they reset it, well, that doesn't tell them which password has been compromised.  Otherwise, they may need to change every password on every site, which can be tedious.

Just more justification to use unique, generated passwords on every site.
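An added example (not LeakedIn's checker) of the alternative to pasting a hash into someone else's web form: because LinkedIn hashed without a salt, SHA-1(password) is as sensitive as the password itself, so the lookup is done against a local copy of the dump and nothing leaves the machine. It also takes several candidate passwords at once, for the "I forgot which one I used" case above. Assumes one lowercase hex hash per line; the dump file here is constructed.

```python
import hashlib
import tempfile
from pathlib import Path

# Added example: offline check of candidate passwords against a hash dump.


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1, the format of the leaked LinkedIn list."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def find_leaked(candidates, dump_path) -> dict:
    """Return {password: hash} for every candidate whose hash is in the dump.
    The dump is streamed line by line so millions of entries need not fit in
    memory; only the small candidate set is held in a dict."""
    wanted = {sha1_hex(p): p for p in candidates}
    found = {}
    with open(dump_path, encoding="ascii", errors="ignore") as fh:
        for line in fh:
            h = line.strip().lower()
            if h in wanted:
                found[wanted[h]] = h
                if len(found) == len(wanted):
                    break  # every candidate matched; stop reading
    return found


def write_constructed_dump(path=None) -> Path:
    """Constructed stand-in for the leaked file: hashes of two weak passwords."""
    path = Path(path) if path else Path(tempfile.mkdtemp()) / "constructed_dump.txt"
    path.write_text("\n".join(sha1_hex(p) for p in ["password", "linkedin"]) + "\n")
    return path


if __name__ == "__main__":
    dump = write_constructed_dump()
    # -> {'password': '5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8'}
    print(find_leaked(["password", "Tr0ub4dor&3"], dump))
```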
legendary
Activity: 980
Merit: 1003
I'm not just any shaman, I'm a Sha256man
http://CheaperInBitcoins.com salts its passwords with 254 random characters uniquely per account, along with appending another salt that is the customer's ID# multiplied by an undisclosed number, on top of requiring users/merchants/customers a password of 10 characters or more. So to visualise the hashing, it would look something like this in pseudo code:
Code:
hash("sha512",  ( * ) )
legendary
Activity: 1400
Merit: 1013
The safest thing you can do as a consumer is use a random password at each site.
Doing that is much easier with a dedicated password manager, like LastPass.
sr. member
Activity: 250
Merit: 250
Who salts a password?  Is that something I have to do when creating a password, or is that directed at the password manager to make sure to salt the passwords?

kjlimo,
It is, unfortunately, up to the website operator to do. The safest thing you can do as a consumer is use a random password at each site.

+1
Cool tool for the job > Keepass
sr. member
Activity: 431
Merit: 251
they got 6.5mil out of 150million users

Well, there were 6.5 million distinct passwords.  Considering many users pick the same bad passwords, that very likely represents a lot more than 6.5 million users.
legendary
Activity: 1498
Merit: 1000
"Just provide your password (which we hash with JavaScript; view source to verify) or a SHA-1 hash of your password below, and we'll check."

browser hashes password -----sends to server-----> server replies if hash matches.

Oh that's okay then... as long as it says "we're honest" on the website, it must be fine.
The source is available for anyone to read.

Just change your password on linkedin, then you don't need to worry about if the source is readable or anything. Problem Solved :)
legendary
Activity: 1050
Merit: 1000
they got 6.5mil out of 150million users
sr. member
Activity: 431
Merit: 251
I expect that they didn't get all users' passwords.

I downloaded the leaked text file and verified that the hash of my password was NOT in there. Checked the hash of another friend from work here, and his wasn't either. So either they didn't get all the passwords, they got all the passwords but didn't release all of them, or the list is a fake. Probably one of the first two (I doubt it's a fake).

EDIT: Also, usernames were not included in the file. So either they don't have the usernames to go with the passwords or, more likely, they have them but just didn't release them. Probably just waiting to sell the username+password hash list to the highest bidder.
donator
Activity: 308
Merit: 250
"Just provide your password (which we hash with JavaScript; view source to verify) or a SHA-1 hash of your password below, and we'll check."

browser hashes password -----sends to server-----> server replies if hash matches.

Oh that's okay then... as long as it says "we're honest" on the website, it must be fine.
The source is available for anyone to read.
hero member
Activity: 504
Merit: 502
"Just provide your password (which we hash with JavaScript; view source to verify) or a SHA-1 hash of your password below, and we'll check."

browser hashes password -----sends to server-----> server replies if hash matches.

Oh that's okay then... as long as it says "we're honest" on the website, it must be fine.