Password Leaks Are More Dangerous Than You Think

Yesterday it hit the news that LinkedIn.com was hacked and approximately 6.5 million passwords were stolen. The passwords were encrypted so they are not readable to the untrained observer. For example, all of linkedin's passwords were encrypted using one-way encryption called a hash. One-way encryption means that once it is encrypted it's pretty much impossible for anyone to decrypt it directly. This is perfect for passwords because we never need to decrypt them. When a user supplies his/her password to login somewhere the system simply hashes the password they supply and compares the hash to the hash that is stored in the system. Passwords don't need to be decrypted because you can just compare the encrypted values when authenticating someone. One-way encryption is pretty much the safest encryption there is, but it can't be used in all cases. For instance, systems that have to store credit cards in their database cannot use one-way encryption because they have to be able to decrypt the value occasionally so that they can get the credit card number when it's time to charge it.

Despite LinkedIn's passwords being hashed there are still a lot of things smart hackers can do with them. For example, the list contains about 6.5 million passwords so surely some of them are really insecure passwords like "abc1234" or "Password1", etc. All you need to do to find those is create an SHA1 hash (SHA1 is a type of hash algorithm and it's the one LinkedIn used) of these common passwords and then see if the hash values match any on the list. Even the most amateur hacker could come away with hundreds of accounts for which they now know the passwords to. However, it doesn't stop there.

After the news hit yesterday some people in the office where I work circulated an email about the incident and warned people to change their passwords. Several people responded saying that because there are 6.5 million accounts on the list they were not worried. After all there was only a 1 in 6.5 million chance that their account would be compromised, right? WRONG! This is a great example of why human beings are terrible at on-the-fly math. To say there is only a 1 in 6.5 million chance makes the assumption that only one guy has the list of passwords and will pick an account at random to try to hack into. All I had to do was one Google search and I found a thread on Reddit.com with several links to the list of passwords that were leaked. The availability of leaked data like this means that hundreds, or more likely thousands, of people will be mining the data for whatever they can find. Even if only 100 people mine the list of passwords then the chances of your account being one of the ones that gets compromised goes up drastically to 1 in 65,000.

It's easy for people to overlook the dangers of such a breach. People tend to think that since it's just their LinkedIn account that it's not a big deal. Having access to someone else's account is a great opportunity for a hacker. If I were a malicious hacker this list would be a gold mine because I could pose as any number of people and use their identity to further my evil hacker agenda. Let's say I am only slightly shady and I just want to make a quick penny with your account. I would log in as you and immediately send links to all your friends to a page filled with ads that generate income for me when clicked. I would spam them into oblivion hoping that their trust in you would make my spam seem reputable and make them more likely to click it. I would then use the username/email and password that I have to see if I can find any of your accounts on other sites. If you used the same password on other services such as Facebook or Gmail then I would have access to those too. I would go log into those services as you and again spam all your friends.

Most of this would go unnoticed by you because I would delete as many obvious traces such as sent messages in your outbox, etc. You would log into your accounts like normal and have no idea. It would be up to your friends to notify you that you have been up to some very odd things. Now let's say that I am even more shady and I want to use your account to gain control of people's computers and get access to all the data stored on them. The first thing I would do as a professional hacker is spend an evening writing my own small program. When it's installed it simply reads files from my hard drive and tracks all the keys that get pressed on the keyboard. Whenever the computer is turned on this program would connect out to a server on the internet called a proxy server. The proxy server would then forward that connection to my personal computer at home. Ideally this programming would have been done already and I would just be waiting for opportunities to install it on someone's computer. Well now let's say I have access to your accounts again because you were silly enough to use the same password for everything under the sun. I can now send a link to all your friends to download and try out this awesome game. Because they think I am you they may not question it. They just installed my little virus and it is now connecting up to my computer at home and giving me complete access to their file system and everything they type. Furthermore the use of a proxy server in the middle of the connection adds an element of anonymity to what I'm up to just in case a smart person found the virus and tried to see where it was communicating with; instead of seeing the IP address of my home computer they would simply see the IP of the proxy server. If I added more proxy servers in the middle then it would be even harder to trace the connection back to me. Remaining anonymous gets easier for hackers with the more computers they infect because they can potentially use each infected computer as yet another proxy.

The possibilities after that are limitless. Let us hope that you didn't also use that same password for your online banking account! All of this would have happened because you used an easy to guess password and you used it for everything. Thanks to this little leak from LinkedIn I was able to commandeer your online identity and use it to push my hacker agenda. Now anytime your gullible friends type in their credit card number, expiration, and CVV code into a website it will be logged into a file and sent to me. All I have to do is search that file for 16 digit numbers and I'm likely to find credit cards. You know those little things next to password boxes that tell you how strong your password is as your typing it? You had better be making sure that they are all STRONG before you click the submit button. Hackers have giant lists of common passwords that they can freely hash and compare to hashed lists like the one from LinkedIn. If your password is simple enough that a hacker was able to guess it using a list of common passwords then you better start coming up with a more complex password.

The company I work for uses the same SHA1 hashing algorithm for storing passwords that LinkedIn uses. I wrote a small program to go through the thousands of users in our database and compare their hashed passwords to the passwords from the LinkedIn list. I found over 250 matches. That's over 250 people that use the same password on our site as they do on Linked In. It's possible that their password on our site is actually matching with someone else's password on Linked In, but if that's the case then that's actually worse. If your password is so generic that it happens to match up with someone else's password on another website then you aren't making your passwords complex enough.

Bottom line kids, change your passwords! When something like this leaks it is important to recognize that even strong passwords are not impossible to figure out with enough time and effort. Surely having the hash of a password is not as bad as having the actual password, but it's still pretty bad nevertheless.

  • Always use strong passwords with a healthy mix of numbers, lower and upper case letters, and even some symbols if you can.
  • Use different passwords for different sites.
  • Don't write your passwords down in one place. Keeping track of all your different passwords can be difficult. Try searching for online password managers. There are utilities that can help you securely keep track of all your passwords. There are even browser extensions that will generate completely random passwords for you and then store them so it can automatically insert it when you're logging in at a later point.

    I highly recommend you take some time to come up with a strategy that you can use to keep your passwords secure and hard to break.

Chev

Read more posts by this author.

comments powered by Disqus