Lessons learned from cracking 2 million LinkedIn passwords
by Francois Pesce - Principal Engineer at Qualys - Monday, 11 June 2012.
It is interesting to see that the most elaborate passwords found in the 3rd or 4th iteration of this kind of recursive dictionary cracking were, most of the time, related to the word linkedin. If I tried to match the word linkedin slightly modified (reversed, or with '1' or '!' in place of 'i', as in l1nked1n):
  • In the first iteration, 558 of the 554,404 passwords found (0.1%) are related to the ‘Linkedin’ string
  • In the second iteration, 3,248 out of 22,688 (14%) are related to the ‘Linkedin’ string
  • Third iteration: 1,733 out of 3,682 (47%)
  • Fourth iteration: 539 out of 917 (59%)
  • Fifth iteration: 217 out of 330 (66%)
  • Sixth iteration: 119 out of 152 (78%)
  • Seventh iteration: 40 out of 51 (78%)
  • And so on through the tenth iteration.
An example of what I found on the 7th pass is: m0c.nideknil. Another example is: lsw4linkedin, which was found on the tenth pass. To illustrate how the rules work for modifying words in the dictionary, below is the actual set of modifications used to get from the dictionary entry 'pwlink' to the successfully cracked password 'lsw4linkedin' over the ten iterations:
  • pwdlink from pwlink with the rule "insert d in 3rd position"
  • pwd4link from pwdlink with the rule "insert 4 in 4th position"
  • pwd4linked from pwd4link with the rule "append ed"
  • pw4linked from pwd4linked with the rule "remove 3rd char"
  • pw4linkedin from pw4linked with the rule "append in"
  • mpw4linkedin from pw4linkedin with the rule "prepend m"
  • mw4linkedin from mpw4linkedin with the rule "remove second character"
  • smw4linkedin from mw4linkedin with the rule "prepend s"
  • sw4linkedin from smw4linkedin with the rule "remove second character"
  • lsw4linkedin from sw4linkedin with the rule "prepend l".
This is the deepest password found, i.e. the only one obtained in the last iteration. This clearly shows that no matter how elaborate a password you choose, as long as it is based on words and rules, even if there are many words and many rules, it will probably be cracked. The fact is that on a huge file like the LinkedIn leak, every password you find can help you to get another one. That is because human-created passwords are not random, and programs like John the Ripper and dictionary attacks can use patterns, either already known or discovered in the password hash file, to greatly reduce the time needed to crack them.
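As an added example (not the author's code, and not John the Ripper's rule syntax), here is the ten-step chain above replayed in plain Python, together with a matcher for the "related to the linkedin string" criterion from the start of this section (plain, reversed, or with '1'/'!' standing in for 'i'); the function names, the regular expression and the sample candidate list are my own assumptions.

```python
import re

# Rule primitives in the spirit of the post's wording. Positions are
# 1-based, matching "insert d in 3rd position". Names are hypothetical.
def insert_at(word, pos, s):
    return word[:pos - 1] + s + word[pos - 1:]

def remove_at(word, pos):
    return word[:pos - 1] + word[pos:]

def append(word, s):
    return word + s

def prepend(word, s):
    return s + word

# The ten rules quoted in the post, from 'pwlink' to 'lsw4linkedin'.
LSW4LINKEDIN_CHAIN = [
    (insert_at, (3, "d")),   # pwdlink
    (insert_at, (4, "4")),   # pwd4link
    (append, ("ed",)),       # pwd4linked
    (remove_at, (3,)),       # pw4linked
    (append, ("in",)),       # pw4linkedin
    (prepend, ("m",)),       # mpw4linkedin
    (remove_at, (2,)),       # mw4linkedin
    (prepend, ("s",)),       # smw4linkedin
    (remove_at, (2,)),       # sw4linkedin
    (prepend, ("l",)),       # lsw4linkedin
]

def apply_chain(word, chain):
    """Apply each rule in order and return every intermediate candidate."""
    steps = [word]
    for fn, args in chain:
        word = fn(word, *args)
        steps.append(word)
    return steps

# "Related to linkedin": the string itself, with '1' or '!' for 'i', in
# either direction (m0c.nideknil is linkedin.c0m reversed). Case-insensitive.
LINKEDIN_RE = re.compile(r"l[i1!]nked[i1!]n", re.IGNORECASE)

def is_linkedin_related(candidate):
    return bool(LINKEDIN_RE.search(candidate) or LINKEDIN_RE.search(candidate[::-1]))

def count_linkedin_related(candidates):
    """Number of cracked candidates derived from the site name (audit metric)."""
    return sum(1 for c in candidates if is_linkedin_related(c))

if __name__ == "__main__":
    print(" -> ".join(apply_chain("pwlink", LSW4LINKEDIN_CHAIN)))
    # constructed sample, not from the leak
    print(count_linkedin_related(["m0c.nideknil", "lsw4linkedin", "qwerty", "L!nked!n"]))
```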

Password management

It is highly recommended to use a strong random password generator that is known to be actually random. It is funny to note that a very old version of a command-line tool called "mkpasswd" produced passwords based on a bad random salt and could generate only 32,768 different passwords. This was reported and fixed 10 years ago, but I was still able to recover 140 passwords in the leaked file that had been generated by this vulnerable version of mkpasswd.

Evidence indicates that the hacker who made this leak public was most likely trying to get cracked passwords from an online community, a kind of crowdsourced cracking. Since he probably possesses the list of logins as well, you might want to change your passwords on other accounts if you think he can access them with the information he has. Note that if you have unique passwords created with simple rules, you should change them as well. For example, if your password for LinkedIn is MyPW4Linkedin, a malicious cracker might guess that MyPW4Facebook is your Facebook password. It is also recommended to change your password if your username can be guessed from it, because every password cracker on the planet is currently playing with this password file.
