SYDNEY, Asutralia -- A New York-based Web developer and his colleagues have built a Web-based application for people to see if their LinkedIn password hash is among 6.5 million released on a Russian hacker forum.
The password breach, revealed on Wednesday, is significant due to the detailed personal data stored by LinkedIn and the chance for hackers to spear phish high-level executives or spread malicious links.
LinkedIn is telling some users to reset their passwords, but there is another way for users to see if their account was compromised.
LeakedIn then checks to see if the hash is on the list of breached passwords. Not all of the hashes in the list have been converted to original passwords yet, but it is likely hackers are working on it. Shiflett wrote that "I discovered that my password was not only one of the 6.5 million that had been leaked, it was also among those that had been cracked. I was a victim."
Password hashes can be converted to plain-text by using powerful graphics processors and free password cracking tools such as "John the Ripper," which can be used with a regular PC, and "oclHashcat." How long that process takes depends on the passwords' complexity.
Those cracking applications use word lists compiled from other password breaches in so-called dictionary attacks, which seek to match already computed hashes with those on the new list. Another method is a brute-force attack in which the programs rapidly try different password combinations in the hope of finding a matching hash. Brute-force attacks are more time consuming for longer passwords that contain a mix of upper- and lower-case letters, digits and symbols.
Robert David Graham, CEO of the security consultancy Errata Security, wrote that each character of a password has 100 possible combinations composed of either upper or lower case, digits or symbols. A five-character password would have 10 billion possible combinations and could be cracked in 5 seconds using a top-of-the-line Radeon HD 7970 graphics processor.
A six-character password would take a little over 500 seconds, but a seven-character password would take 13 hours, Graham wrote. Eight characters pushes the time up to 57 days, with a nine-character password taking up to 15 years.
"In other words, if your password was seven letters, the hacker has already cracked it, but if it's nine letters, it's too difficult to crack with brute force," Graham wrote.
Many of the hashes in the dump have five zeros as the first five characters of the hash. Graham wrote that some people "think that this means that the hacker has already cracked any passwords that have been zeroed out this way."