6.5 million LinkedIn passwords are out in the wild after being stolen and leaked by a hacker. The passwords were in the form of hashes, which means they were not stored in plain text. We were told LinkedIn hashed passwords using SHA-1. Now it is being reported that the hackers have been able to crack more than 60% of these leaked passwords.
This has now been reported by the security firm Sophos. With the passwords so readily available online, it was only a matter of time before hackers were able to crack them. Moreover, no matter what hashing was applied, hackers will have used trial and error, trying multiple tools to see which works. And they, apparently, have found the one they needed.
Although SHA-1 is considered one of the more secure and efficient hashing algorithms, it shouldn’t be used as a stand-alone mechanism for password protection, because plenty of tools are available to crack bare SHA-1 password hashes. Most companies combine SHA-1 with other techniques so that even if the hashes are leaked, they can’t be cracked as easily.
Normally, ‘salting’ (mixing a random, per-user value into each password before hashing) is used in combination with SHA-1 to protect the passwords. Some security researchers believe that storing passwords as bare SHA-1 hashes is nearly as bad as keeping them in plain text files.
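To make that difference concrete, here is an added example (not code from the article, from Sophos or from LinkedIn) that contrasts bare SHA-1 storage with a salted, iterated scheme. It uses only Python's standard `hashlib`, a constructed five-word password list standing in for a real common-password list, constructed sample passwords, and an assumed PBKDF2 iteration count; none of the values come from the LinkedIn leak.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample data for illustration only; nothing here comes from
# the real LinkedIn dump. A tiny stand-in for a "common passwords" list.
COMMON_PASSWORDS = ["123456", "password", "linkedin", "qwerty", "letmein"]


def sha1_unsalted(password: str) -> str:
    """The weak scheme described in the article: bare SHA-1 of the password.
    Every user with the same password gets the identical hash."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def build_lookup_table(wordlist):
    """Hash each candidate once. Without a salt, this single table can be
    matched against every hash in a leak, which is why unsalted SHA-1 falls
    so quickly."""
    return {sha1_unsalted(word): word for word in wordlist}


def match_unsalted(leaked_hashes, table):
    """Map leaked unsalted hashes back to passwords by dictionary lookup.
    Shown here so a defender can see what is lost once such hashes leak."""
    return {h: table[h] for h in leaked_hashes if h in table}


# Hardened scheme: a random per-user salt plus a deliberately slow key
# derivation (PBKDF2 with an HMAC-SHA-1 core) instead of a single SHA-1 call.
PBKDF2_ITERATIONS = 100_000  # assumed work factor; tune to your hardware


def hash_salted(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$derived_key."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha1${iterations}${salt.hex()}${dk.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count, compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha1":
        return False
    dk = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def salted_hashes_collide(password: str) -> bool:
    """Two accounts with the same password share a stored hash only if unsalted."""
    return hash_salted(password) == hash_salted(password)


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    # Constructed "leak": two unsalted hashes, one of a common password.
    leaked = [sha1_unsalted("123456"), sha1_unsalted("Tr0ub4dor&3-constructed")]
    print("recovered from unsalted leak:", match_unsalted(leaked, table))
    rec = hash_salted("123456")
    print("salted record:", rec)
    print("same password, same salted hash?", salted_hashes_collide("123456"))
    print("verify correct:", verify_salted("123456", rec))
    print("verify wrong:", verify_salted("password", rec))
```

The point of the salt is that the precomputed table built once for the unsalted case matches nothing in the salted records, so each account would have to be attacked separately, and the iteration count makes each of those attempts cost far more than one SHA-1 call.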
LinkedIn seems to have relied only on SHA-1, which is rather disappointing. According to a security researcher, “They chose a moderate security method. For an organization as large as LinkedIn, I would expect better.”
LinkedIn has already announced that it has invalidated the compromised passwords and that the affected users will receive a follow-up email explaining how to reset their passwords. If you want to change your LinkedIn password, here is a step-by-step guide.
Source: Computer World