logIt Log Around The Clock

Alas, my LinkedIn password is in the file! (How to check for a compromised password)

When the LinkedIn privacy breach was about to be revealed during the Yuval Ne’eman workshop at Tel Aviv University, the timeline trends suddenly were those of friends telling people to change their LinkedIn password. The two were separate issues, and of course the privacy breach then faded from people’s attention. To tell you the truth, as a secret admirer of conspiracy theories (whether I admit it or not), this coincidence was just too perfectly timed. But I’m also curious whether my password was among the stolen 6,458,020 (yes: 6.4 million) uploaded by the hacker as SHA-1 hashes without the user names.

Snapshot of uploaded contact data from calendar (skycure.com)

There is no other way but to check my password against the combo_not.txt found via Filestube. People have already posted how to check this; the easiest way is a single line in the shell:

$ printf bandito | openssl sha1 | cut -c10- | grep -f - combo_not.txt
00000d40df69b72328229d2425714f40d7d9a7a3

Bingo! A match there for the password “bandito” (I chose this randomly, expecting some person out there is using it). Another way (for comparison, as I’m no security expert) is this short Python script (slightly altered from a Phobos Technology blog post):

"""
Save this file as linkedin_hash.py and ensure it's
in the same folder as combo_not.txt
Usage: python linkedin_hash.py hunter2
"""
from hashlib import sha1
import sys

password = sys.argv[1]
# hashlib wants bytes, so encode the command-line password before hashing
hsh = sha1(password.encode("utf-8")).hexdigest()
print("SHA-1: %s" % hsh)

x = 0
with open('combo_not.txt', 'r') as dump:
    for line in dump:
        line = line.strip()
        if hsh == line:
            # unmasked entry: the full hash appears verbatim in the dump
            x += 1
            print("Matching line: %s" % line)
        elif "00000" + hsh[5:] == line:
            # masked entry: the dump has the first five hex digits zeroed out
            x += 1
            print("Matching line: %s" % line)
print("Number of matches: %d" % x)
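Added example (my own code, not the post's one-liner or the Phobos Technology script): it folds both checks above into one function that tests the verbatim and the 00000-masked form of the hash against a constructed stand-in for combo_not.txt, comparing whole lines so that a mere substring hit does not count. Apart from combo_not.txt and the passwords "hunter2" and "bandito" from the post, every name and sample value here is an assumption.

```python
import getpass
import hashlib
import sys

MASK = "00000"  # the dump zeroes the first five hex digits of many entries


def candidate_forms(password):
    """Return the two forms under which a password can appear in the dump."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest()
    return digest, MASK + digest[len(MASK):]


def find_in_dump(password, lines):
    """Scan dump lines and return [(line_number, kind)] for every hit.

    kind is "exact" for a verbatim hash and "masked" for a zero-prefixed one.
    Whole stripped lines are compared, so a hash that only appears as a
    substring of another line (as the grep one-liner would accept) is ignored.
    A hash that genuinely starts with 00000 is reported once, as "exact".
    """
    exact, masked = candidate_forms(password)
    hits = []
    for number, raw in enumerate(lines, start=1):
        line = raw.strip().lower()
        if line == exact:
            hits.append((number, "exact"))
        elif line == masked:
            hits.append((number, "masked"))
    return hits


def check_file(password, path="combo_not.txt"):
    """Stream the dump from disk instead of loading it all into memory."""
    with open(path, "r", encoding="ascii", errors="replace") as dump:
        return find_in_dump(password, dump)


# Constructed stand-in for combo_not.txt: hashes of made-up passwords,
# some stored verbatim and some with the first five digits zeroed.
SAMPLE_DUMP = [
    candidate_forms("hunter2")[0],
    candidate_forms("bandito")[1],
    candidate_forms("bandito")[0],
    candidate_forms("correct horse battery staple")[1],
    "not a hash line",
]

if __name__ == "__main__":
    # read the password from the terminal rather than argv, so it stays out of shell history
    pw = getpass.getpass("password to check: ")
    print("in-memory sample:", find_in_dump(pw, SAMPLE_DUMP))
    if len(sys.argv) > 1:
        print("on disk:", check_file(pw, sys.argv[1]))
```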

My verdict: my password is on the list, and I’m considering a leap of faith from devoted conspiracy believer.

PS: I don’t find “password” or “123456” to be common passwords used by many people.
PPS: A side story: Indonesians are found to be using the weakest passwords (as research over Yahoo IDs revealed).
