How I checked whether my LinkedIn password was leaked

Those of you who read technical news will likely have seen that six million hashed LinkedIn passwords were leaked today. There’s obviously a worry here; was your own password leaked?

First: go change your LinkedIn password. It cannot hurt to do so regardless. Some people are deleting their LinkedIn accounts over this, but I’m not.

Second, you can check whether your password was leaked. People are throwing together websites to do this: leakedin.org for one. They seem like sensible people, and they carefully ensure that your password isn’t passed to their server, but it’s bad practice to type your password into someone else’s website, secure or not, in my opinion. So here’s how I checked it myself.

The leaked password file is available for download. I got it from a MediaFire link, found at Hacker News, but that might be dead by the time you go there. There seem to be a couple of different versions out there. The one I got was a 116MB RAR archive file named SHA1.txt_1.rar. Download it and click it to uncompress it; you should get a file named SHA1.txt.

Now that you’ve got that file, you can look for passwords in it. The file (and what was stored at LinkedIn) isn’t a list of passwords: instead, it’s a list of hashes of passwords; to hash a password, you take that password and perform a mathematical transformation on it. So the word “ubuntu” becomes the hash “24bf68e341ce0fbd9259a5d51feed79682ea4eba”. The important point about hashing is that it’s easy to go from “ubuntu” to “24bf68e341ce0fbd9259a5d51feed79682ea4eba” but it’s very hard to go back again; you can’t start with the hash and get the word.

However, the flaw here is that if you’ve got a big list of hashes, you can just guess passwords, hash each guess, and see if the result is in the list. The way you’re meant to prevent this is by salting the passwords: that is, instead of hashing “ubuntu” to get “24bf68e341ce0fbd9259a5d51feed79682ea4eba”, you invent some random characters, called the salt, and glue them on the front of the password first, and then hash that, and then store the hash: so you don’t hash “ubuntu”, you invent random characters “acjup”, and then hash “acjupubuntu” to get “ec329e9cefc6138288b5baf1e25008da3f488ad8”, something different… and then in your password file you store the hash and the salt. This makes guessing much harder, because with a different salt for every user a single guess only tests one account rather than all six million at once. LinkedIn didn’t do this, sadly enough.

So, given that you have a list of unsalted hashed passwords, you can guess a password and see whether it’s in the list. With your SHA1.txt file, try it:

$ grep `echo -n alongpasswordimadeup | shasum | cut -c6-40` SHA1.txt
$

That didn’t show anything, so “alongpasswordimadeup” isn’t one of the leaked passwords. Let’s try another:

$ grep `echo -n l1nked0ut | shasum | cut -c6-40` SHA1.txt 
e7bf10afef5f2ba94b104126d04db1837f423816
000000afef5f2ba94b104126d04db1837f423816
$

That did show something, so someone on LinkedIn had the password “l1nked0ut”, and it’s been leaked. Worse, there are two hits: the hackers seem to already be working on this file to guess passwords with it, and ones that they’ve identified are in the file with the first five characters overwritten with zeroes… so our unlucky l1nked0ut person is doubly punished for their lack of imagination by having a password leaked and having had it already guessed by the leakers. Oops.

So, to check your own password, do:

$  grep `echo -n yourpassword | shasum | cut -c6-40` SHA1.txt

Note that there is an extra space before the word “grep”: this means that that command will not go into your command history (and so your password won’t be in there). That only holds if your shell is set up to ignore space-prefixed commands (HISTCONTROL=ignorespace or ignoreboth in bash, HIST_IGNORE_SPACE in zsh); check it before relying on it.

If a result shows… your password was leaked. Go and change it.

If you get no result… go and change your password anyway. And don’t use the same password as you use elsewhere.
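The same check as the grep command above, done locally in Python so it can also tell the two kinds of hit apart (a plain listed hash versus one with its first five characters zeroed out). This is an added example, not the post’s own code; the sample dump, the function names and the “leaked+cracked” label are my own, and a real run would read SHA1.txt line by line via check_file.

```python
import hashlib
from typing import Iterable, Optional


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 hex digest: exactly what the leaked file holds."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_sha1_hex(salt: str, password: str) -> str:
    """Salt glued on the front, then hashed, as the post describes (LinkedIn did not do this)."""
    return sha1_hex(salt + password)


def check_password(password: str, dump_lines: Iterable[str]) -> Optional[str]:
    """None if absent; 'leaked' if the full hash is listed; 'leaked+cracked' if it is
    listed with the first five hex digits overwritten with zeroes (the marker the post
    observed on entries the leakers had already guessed)."""
    tail = sha1_hex(password)[5:]  # same as `cut -c6-40` in the grep version
    status = None
    for line in dump_lines:
        line = line.strip().lower()
        if not line.endswith(tail):
            continue
        if line.startswith("00000"):  # zeroed prefix; a genuine hash starting 00000 is rare
            return "leaked+cracked"
        status = "leaked"
    return status


def check_file(password: str, path: str) -> Optional[str]:
    """Run the check against the real SHA1.txt without loading it all into memory."""
    with open(path, encoding="ascii", errors="ignore") as f:
        return check_password(password, f)


# Constructed stand-in for SHA1.txt, built from this script's own hashes:
# one plain entry, one entry present both plain and zeroed, one unrelated entry.
SAMPLE_DUMP = [
    sha1_hex("ubuntu"),
    sha1_hex("l1nked0ut"),
    "00000" + sha1_hex("l1nked0ut")[5:],
    sha1_hex("someone else's password"),
]

if __name__ == "__main__":
    for pw in ("alongpasswordimadeup", "ubuntu", "l1nked0ut"):
        print(pw, "->", check_password(pw, SAMPLE_DUMP))
    print("salting changes the hash:", salted_sha1_hex("acjup", "ubuntu") != sha1_hex("ubuntu"))
```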

Mine wasn’t in it, pleasingly enough, although that’s just luck.

If you want to understand this stuff more, read about encryption and secure passwords and salting. There is much literature out there about this stuff. (That is: don’t treat my explanations above as gospel: read real documentation from experts and understand!) It’s disappointing that LinkedIn made the schoolchild error of not salting stored passwords, certainly. Let’s hope that others learn from their mistake, if nothing else.
