LinkedIn password database compromised
AP NANOG
nanog at armoredpackets.com
Wed Jun 20 19:30:58 UTC 2012
I normally don't respond and just sit back leeching knowledge, however
this incident with LinkedIn & eHarmony strikes close to home. Not just
because my password was in this list of dumped LinkedIn accounts, but
the fact that this incident struck virtually every business professional
and corporation across the world. Please bear with me while I ramble a
few thoughts...
The real problem with authentication falls on "trust". You either have
to trust the website is storing the data securely or some other party
will verify you are who you really are. Just as in the example of the
DMV. If you think about your daily life you have put your entire life
on display for the world. You trust the DMV with your driver's license
information, address, social security number, heck they are even asking
for email now. If you're active or prior military you have given that
same information, plus DNA and fingerprints. Think about how much
information about you and your habits occur from simply using "rewards"
cards, or "gas points". You, meaning users, give up your identity
everyday and with little regard, but when it comes to a website or
tracking you across websites we throw our hands up and scream "stop".
Please don't get me wrong, I am a HUGE fan boy of privacy and protection
of data, but responsibility ultimately falls back on the user. Those
users who do not know any better are still at fault, but it is our job
to educate them in better methods of protection.
So the question falls back on how can we make things better?
The fact that we must trust people outside ourselves is key. We need to
explain the importance of things such as KeePass (http://keepass.info/),
and pass-phrases, rather than words. Below is an example, my password
which was leaked during the LinkedIn dump, but till I started using this
as an example the likelihood of the hash being cracked was VERY
slim. Use this as an example of how to select a password for websites
and how even if the hashes are dumped the likelihood of cracking it is slim.
Password: !p3ngu1n_Pow3r!
SHA1 Hash: b34e3de2528855f02cf9ed04c217a15c61b35657
LinkedIn Hash: 00000de2528855f02cf9ed04c217a15c61b35657
To crack this pass-phrase using the following systems it would take the
associated amount of time:
$180,000 cracker it would take roughly 2 decades, 7 years to complete
the crack
$900 cracker it would take 3 centuries, 3 decades to complete the crack
Average graphics card it would take 15 centuries to complete the crack
Average desktop computer would take 795 centuries to complete the crack
Now what does this mean in the scheme of things? You cannot trust any
website, third party identity verification, one time password, etc. You
can only trust yourself in creating a password that even if dumped will
make it nearly impossible to crack. Use some form of nomenclature to
identify a website separate from the base pass-phrase, thus giving you
individual "passwords" and in turn if one site gets dumped the others
remain safe.
Practicality is more along the lines of what the solution is. It is not
practical to develop a pub/priv solution because of the user
themselves, it is however practical to educate everyone we meet,
preaching to them how to make simple changes can increase their
protection tenfold.
A similar question though comes from "Website xyz.com was just dumped,
how do I know if my password was in this group?". Just from previous
experience, organizations release the warning stating they had a breach,
but it normally takes a good bit of time, as seen with LinkedIn, for
them to release who was part of this dump. If they ever really do,
sometimes it becomes a blanket "We were breached please change your
password." story. If a website you have been using is breached then I
revert back to the original statement saying that the issue becomes
trust. In the early days of LinkedIn websites claiming to check your
password against the database dump were popping up left and right. Is
it truly wise to jump to these sites and put your password, which
potentially will take decades to crack, into a website that claims to
check it without storing that password anywhere? I know there are sites
which were created by companies and individuals with outstanding
reputations, however it was outside my control and thus not trusted. I
decided to write a small, very simple, Python script that will run on
your local machine and allow you to check your password against the dump
of hashes. Right now it only does the LinkedIn dumps, but my goal is to
do any dump; all you have to do is point it to the file. I also then
decided to take a little longer on the next release and learn to code in
a GUI for users who may not be a techie. I will continue to work on the
GUI release, but if you want to get that release email me and I'll make
sure you are aware of its release.
Until then I hope this helps those who may not feel comfortable about
checking a password against a website and trusting that website doesn't
store your password.
http://www.armoredpackets.com/hashcheck_a_small_piece_of_mind
I also hope that my explanation about how trust is the real issue, and
that ultimately you can't trust any site nor any method. That by making
simple, yet effective, changes in how you create and use passwords will
protect you long enough to safely change the passwords/pass-phrases for
all your sites.
Back to leeching knowledge :-)
Keep up the great conversations!
- Robert Miller
(arch3angel)
On 6/13/12 3:54 PM, Grant Ridder wrote:
> Hi Everyone,
>
> I thought that I would share an IEEE article about LinkedIn and eHarmony.
>
> http://spectrum.ieee.org/riskfactor/telecom/security/linkedin-and-eharmony-hacked-8-million-passwords-taken/?utm_source=computerwise&utm_medium=email&utm_campaign=061312
>
>
> -Grant
>
> On Wed, Jun 13, 2012 at 1:05 PM, Phil Pishioneri <pgp+nanog at psu.edu> wrote:
>
>> On 6/8/12 7:22 PM, Luke S. Crawford wrote:
>>
>>> I haven't found any way that is as simple and as portable as using
>>> ssh that works in a web browser.
>>>
>> The Enigform Firefox Add-on (plus mod_openpgp on Apache httpd) seems
>> similar:
>>
>> http://wordpress.org/extend/plugins/wp-enigform-authentication/
>>
>> Enigform is a Firefox Add-On which uses OpenPGP to digitally sign
>>> outgoing HTTP requests and Securely login to remote web sites, as long
>>> as the remote web server is Enigform-compliant.
>>>
>> -Phil
>>
>>
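A local check of the kind Robert Miller's message describes, as an added example that is not his hashcheck script: it hashes the password with unsalted SHA-1 on your own machine and looks for either the full hash or the form shown in the "LinkedIn Hash" line, with the first five hex digits zeroed. The dump layout (one 40-character hex hash per line), the file name and all function names are assumptions.

```python
import getpass
import hashlib
import sys

MASK = "00000"  # five leading hex digits zeroed, as in the "LinkedIn Hash" line above


def sha1_hex(password):
    """Unsalted SHA-1 of the password, as lowercase hex."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def masked(digest):
    """The same digest with its first five hex digits replaced by zeros."""
    return MASK + digest[len(MASK):]


def check_password(password, dump_lines):
    """Return "full", "masked" or None for a password against an iterable of hash lines."""
    full = sha1_hex(password)
    partial = masked(full)
    found = None
    for line in dump_lines:
        candidate = line.strip().lower()
        if len(candidate) != 40:      # skip blanks and anything that is not a SHA-1 hex digest
            continue
        if candidate == full:
            return "full"
        if candidate == partial:
            found = "masked"          # keep scanning in case the full hash also appears
    return found


def sample_dump():
    """Constructed sample data: two made-up passwords, one stored in each form."""
    return [
        sha1_hex("constructed-sample-1") + "\n",
        masked(sha1_hex("constructed-sample-2")) + "\n",
        "\n",
    ]


if __name__ == "__main__":
    # Usage (hypothetical file name): python hashcheck_example.py path/to/dump.txt
    secret = getpass.getpass("Password to check (not echoed): ")
    with open(sys.argv[1], encoding="ascii", errors="replace") as dump:
        print(check_password(secret, dump) or "not found")
```

Reading the password with `getpass` keeps it out of the terminal scrollback and shell history, and nothing leaves the machine.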