Sunday, 24 June 2012

Confirmed: LinkedIn 6mil password dump is real

Today's news is that 6 million LinkedIn password hashes were dumped to the Internet. I can confirm this hack is real: the password I use for LinkedIn is in that list. I use that password NOWHERE ELSE. Furthermore, it's long/complex enough that I'm confident NOBODY ELSE uses the same password. Other security pros are reporting the same result. Therefore, we can confirm that this hack is real.

The way I tested to see if my password was in the list was to first generate a SHA-1 hash of my password, then I searched in the file "combo_not.txt" that I downloaded from the Internet containing the 6 million password hashes. I found a match.

To make it easy to calculate your SHA-1 password, I've included a form below. This is done in JavaScript inside your browser, it does not submit your password/hash to me or anybody else:

Enter any message to check its SHA-1 hash
  • Note SHA-1 hash of ‘abc’ should be: a9993e364706816aba3e25717850c26c9cd0d89d

Many of the hashes have their first few digits zeroed out (as described in this ycombinator post), as shown in this excerpt from the file:

...000000a9da36caf22886a0203caa29e7d2631174000000a9d9ccfdca4d241e44d415c15dba0b4c28000000a9298b1bfc8d1237d6f3995b2d2625ce3a000000a92ee7725afdcac707d22e2333531f9e51000000a92dbec5cff02bfa678a0f7a78b6a46573323300a988286c019e2dcc3100b355557257f632923b00a9574dd89143cde9db87871890a1082bc23c4400a900d31c9634e355e18975f8cfe710ab7d354b00a96d36f0c48d0c286b29120f8409e3bde1405700a93eac557d85d2f1347db8f9a312557fc8...
This means instead of searching for the complete SHA-1 output, you want to search for just the later part of the hash. People think that this means that the hacker has already cracked any passwords that have been zeroed out this way, which means that if you see zeroes in your matching password, then your password is already stolen.
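The check described above (hash your own password with SHA-1, then search the dump on the trailing digits so that zeroed-out prefixes still match), as an added example that is not from the original post. It assumes, from the "password" entry quoted later in the post, that exactly the first five hex digits are zeroed in marked entries; the dump lines are constructed sample data, not the leaked file.

```python
import hashlib

# Constructed sample of dump lines, one 40-hex-digit SHA-1 per line. The first
# entry is the real one the post quotes for "password" (5baa61e4... with its first
# five hex digits zeroed out); the second is the unmodified SHA-1 of "test"; the
# third is made-up filler. None of this is the leaked file itself.
SAMPLE_DUMP = """\
000001e4c9b93f3f0682250b6cf8331b7ee68fd8
a94a8fe5ccb19ba61c4c0873d391e987982fbbd3
00000deadbeefcafef00d0123456789abcdef012
"""

# Assumption taken from the post's "password" example: marked entries have their
# first five hex digits replaced by zeros, so only the trailing 35 are reliable.
ZEROED = 5


def sha1_hex(password: str) -> str:
    """Hex SHA-1 of the password, unsalted, the way the dump stores it."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def load_dump(text: str) -> dict:
    """Index dump lines by their trailing 35 hex digits -> full entry."""
    index = {}
    for line in text.splitlines():
        line = line.strip().lower()
        if len(line) == 40 and all(c in "0123456789abcdef" for c in line):
            index[line[ZEROED:]] = line
    return index


def check_password(password: str, index: dict) -> str:
    """Return 'not_found', 'present' or 'present_marked_cracked'."""
    digest = sha1_hex(password)
    entry = index.get(digest[ZEROED:])
    if entry is None:
        return "not_found"
    # A zeroed prefix is the marker the post describes for hashes the leaker
    # had already cracked; an intact prefix means only the hash leaked.
    if entry[:ZEROED] == "0" * ZEROED and digest[:ZEROED] != "0" * ZEROED:
        return "present_marked_cracked"
    return "present"


if __name__ == "__main__":
    idx = load_dump(SAMPLE_DUMP)
    for pw in ("password", "test", "correct horse battery staple"):
        print(f"{pw!r}: {check_password(pw, idx)}")
```

Run it against the real file by reading it into `load_dump` instead of `SAMPLE_DUMP`; the hashing happens locally, so the password itself never leaves your machine.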

Also note that if your password is long enough (like greater than 15 characters) and complex enough, then it's still probably safe. A 15 character SHA-1 password composed of upper/lower case with symbols and digits is too large for "brute-force" and "rainbow tables". However, if you've composed it of dictionary words, then it could fall to a "mutated dictionary" attack.

Update: the following link is a pointer to a download of the file, which by the time you read this has almost certainly been removed: https://disk.yandex.net/disk/public/?hash=pCAcIfV7wxXCL/YPhObEEH5u5PKPlp%2BmuGtgOEptAS4%3D

Update: This is a sorted list of unique passwords. Thus, if 50 people use the password "password", it'll only show up once in this list. Which it does. The password of "password" is hashed using SHA-1 to "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8", which appears as "000001e4c9b93f3f0682250b6cf8331b7ee68fd8" in this list.

Update: Where do these passwords come from? The answer is: the cracking underground. When hackers break into a network and steal the encrypted passwords, they crack as many as they can, and then exchange the dumps with their friends. Each hacker uses different tools, uses different dictionaries, and so on. Thus, once they've exhausted their techniques, another hacker is still likely to be able to crack many more passwords.

Update: It took me only a couple minutes to verify that this hack is real, yet LinkedIn has not been able to:


This reflects poorly on the trustworthiness of LinkedIn. It's proper that you make such a comment before you know what's going on, but they've had hours to verify this, we should've gotten an update by now.

Update: LinkedIn has a semi-confirmation as explained in their blogpost here. However, it only says they confirm that some of the passwords that were compromised correspond to LinkedIn accounts. That avoids accepting blame, after all, in other prominent password attacks (like one recently against Twitter), the source of the hack was not Twitter's fault, but due to "password reuse", as users used the same password for Twitter that they used for other websites, and it's the other websites that were hacked. As I (and other security pros) have confirmed, we don't reuse passwords. This password list comes from LinkedIn, and from no other source.

Update: How fast can hackers crack passwords? The answer is "2 billion per second" using the Radeon HD 7970 (the latest top-of-the-line graphics processor). Each letter of a password has 100 combinations (UPPER, lower, d1g1ts, $ymbols). A 5 letter password therefore has 100 x 100 x 100 x 100 x 100 or 10 billion combinations, meaning it can be cracked in 5 seconds. A 6 letter password has 100 times that, or 500 seconds. A 7 letter password has 100 times that, or 50,000 seconds, or 13 hours. An 8 character password is roughly 57 days. A 9 character password is 100 times that, about 15 years. In other words, if your password was 7 letters, the hacker has already cracked it, but if it's 9 letters, it's too difficult to crack with brute force.

Update: A site http://leakedin.org will check this for you. They claim to hash the password in the browser (like I do above), then check the database. I don't know if this is true -- but since you are going to change your password regardless, maybe it doesn't matter.

Update: What does password cracking look like? I started the "hashcat" tool to examine the file. It looks like this:
I'm using the latest Radeon HD 7970 graphics card. Note that I'm only getting a cracking rate of 400-million passwords/second, while the 7970 can actually do 2-billion/second. That's because I'm doing "multi-hash" cracking, testing each hash against the entire original list of 6.5 million hashes. That lookup takes longer than calculating the hash in the first place. I can dramatically increase hashing speed by first removing all the easily cracked passwords from the list, making it smaller, and hence making lookups faster.
