Wednesday, June 6, 2012

Leaked passwords

Very rarely do you have control over how your password is stored on any web site or external server.  There is always the possibility that the password database will be stolen and the passwords then cracked offline.  Hopefully most sites take care to store only a salted hash of each password (hashing, not encryption, is what you want here: there should be no key that turns the stored value back into the password), but there are probably still cases where passwords are stored in the clear.  No trick to cracking those.  

The latest LinkedIn password leak (see also here or here) sounds like the passwords were stored as simple, unsalted SHA-1 hashes.  That makes them a little harder to crack than plaintext, but far from impossible.  A hash cannot be reversed, but you can run a "known" word through the SHA-1 algorithm and see whether the resulting string matches anything on the leaked list.  Doing that by hand, one word at a time, would take forever, but it is simple enough to automate against any dictionary or list of common passwords, and because the hashes are unsalted each candidate only has to be hashed once and compared against the entire list; every user who picked the same password has the identical hash.  And as has been publicized in numerous reports, most passwords are a) relatively simple to guess and b) reused for multiple accounts.  You almost have to treat each password as single use: unique to the account, changed often, complex enough to avoid casual cracking yet easy enough to use.  Sounds pretty simple, right?
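To make the point concrete, here is a small dictionary attack written for this post (it is an added example, not code from the original post, and it uses a constructed set of users and passwords rather than anything from the LinkedIn dump).  It simulates a site that stored unsalted SHA-1, cracks the leaked list with a short wordlist plus a few mangling rules, and then repeats the attack against the same passwords stored with a per-user salt so the cost difference is visible.  The wordlist, mangling rules and user names are all assumptions made for the example.

```python
import hashlib
import os
from typing import Dict, Iterable, List, Set, Tuple


def sha1_hex(s: str) -> str:
    """Hex-encoded SHA-1 of a string, the format a leaked dump would contain."""
    return hashlib.sha1(s.encode("utf-8")).hexdigest()


# --- Constructed "victim" data (not real users, not from any real leak) ---
USERS: Dict[str, str] = {
    "alice": "password",
    "bob": "Summer2012",
    "carol": "linkedin1",
    "dave": "Tr0ub4dor&3x!",
    "erin": "password",       # same password as alice: same unsalted hash
}

# What an unsalted-SHA-1 site leaks: one bare hash per user.
LEAKED_UNSALTED: Dict[str, str] = {u: sha1_hex(p) for u, p in USERS.items()}

# A deliberately tiny dictionary (assumption for the example).
WORDLIST: List[str] = ["password", "123456", "linkedin", "summer", "qwerty", "letmein"]


def candidates(word: str) -> Set[str]:
    """Cheap mangling rules: plain, Capitalized, UPPER, each with common suffixes."""
    base = {word, word.capitalize(), word.upper()}
    out = set(base)
    for b in base:
        for suffix in ("1", "12", "123", "!", "2012"):
            out.add(b + suffix)
    return out


def crack_unsalted(leaked: Iterable[str], wordlist: Iterable[str]) -> Tuple[Dict[str, str], int]:
    """Hash each candidate ONCE and look it up against every leaked hash at the same time.
    Returns {hash: password} for the matches and the number of SHA-1 calls made."""
    targets = {h.lower() for h in leaked}
    found: Dict[str, str] = {}
    work = 0
    for word in wordlist:
        for cand in candidates(word):
            work += 1
            h = sha1_hex(cand)
            if h in targets:
                found[h] = cand
    return found, work


def cracked_users(leaked: Dict[str, str], found: Dict[str, str]) -> Dict[str, str]:
    """Map recovered hashes back to the users who had them."""
    return {u: found[h] for u, h in leaked.items() if h in found}


def salted_store(users: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """The same passwords stored as (salt, SHA-1(salt || password)) with a random per-user salt."""
    store = {}
    for user, pw in users.items():
        salt = os.urandom(8).hex()
        store[user] = (salt, sha1_hex(salt + pw))
    return store


def crack_salted(store: Dict[str, Tuple[str, str]], wordlist: Iterable[str]) -> Tuple[Dict[str, str], int]:
    """With a per-user salt the shared lookup table is useless: every candidate must be
    rehashed for every user, so the work grows with the number of accounts."""
    found: Dict[str, str] = {}
    work = 0
    for user, (salt, target) in store.items():
        for word in wordlist:
            for cand in candidates(word):
                work += 1
                if sha1_hex(salt + cand) == target:
                    found[user] = cand
    return found, work


if __name__ == "__main__":
    found, work = crack_unsalted(LEAKED_UNSALTED.values(), WORDLIST)
    print("unsalted:", cracked_users(LEAKED_UNSALTED, found), "hashes computed:", work)
    s_found, s_work = crack_salted(salted_store(USERS), WORDLIST)
    print("salted:  ", s_found, "hashes computed:", s_work)
```

With the data above, four of the five accounts fall to the wordlist either way (only dave's password survives), but the salted run costs one SHA-1 per user per candidate instead of one per candidate, and the two users who chose "password" no longer share a hash.  Real cracking tools apply the same idea with far larger dictionaries and rule sets, and a slow hash such as bcrypt is what actually makes each of those guesses expensive.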