- In the first iteration, 558 of the 554,404 passwords found (0.1%) contain the ‘Linkedin’ string
- In the second iteration, 3,248 out of 22,688 (14%) contain the ‘Linkedin’ string
- Third iteration: 1,733 out of 3,682 (47%)
- Fourth iteration: 539 out of 917 (59%)
- Fifth iteration: 217 out of 330 (66%)
- Sixth iteration: 119 out of 152 (78%)
- Seventh iteration: 40 out of 51 (78%)
- And so on through the tenth iteration.
- pwdlink from pwlink with the rule "insert d in 3rd position"
- pwd4link from pwdlink with the rule "insert 4 in 4th position"
- pwd4linked from pwd4link with the rule "append ed"
- pw4linked from pwd4linked with the rule "remove 3rd char"
- pw4linkedin from pw4linked with the rule "append in"
- mpw4linkedin from pw4linkedin with the rule "prepend m"
- mw4linkedin from mpw4linkedin with the rule "remove second character"
- smw4linkedin from mw4linkedin with the rule "prepend s"
- sw4linkedin from smw4linkedin with the rule "remove second character"
- lsw4linkedin from sw4linkedin with the rule "prepend l".
It is highly recommended to use a strong random password generator that is known to be actually random. It is funny to note that a very old version of a command-line tool called "mkpasswd" produced passwords based on a bad random salt and could generate only 32768 different passwords. This was reported and fixed 10 years ago, but I was still able to recover 140 passwords in the leaked file that had been generated by this vulnerable version of mkpasswd.
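To make the point about a generator with only 32768 possible outputs concrete, here is an added Python example (not the article's code and not mkpasswd's actual implementation): a hypothetical generator whose entire output is fixed by a 15-bit seed, next to one that draws every character from the operating system's CSPRNG through the secrets module. The 15-bit seed size, the alphabet and the password length are assumptions chosen to mirror the number quoted above.

```python
import secrets
import string
from random import Random

ALPHABET = string.ascii_letters + string.digits
LENGTH = 10
# Hypothetical weak generator: the only entropy is a 15-bit seed, giving
# 32768 possible outputs. This mirrors the size quoted in the article and
# is NOT mkpasswd's real code.
WEAK_SEED_SPACE = 32768


def weak_password(seed: int, length: int = LENGTH) -> str:
    """Derive a password deterministically from a 15-bit seed.

    Because the output is a pure function of the seed, no amount of
    generation can ever produce more than 32768 distinct passwords.
    """
    rng = Random(seed % WEAK_SEED_SPACE)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def strong_password(length: int = LENGTH) -> str:
    """Draw each character from the OS CSPRNG via the secrets module."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def nominal_space() -> int:
    """Size of the space a 10-character alphanumeric password appears to have."""
    return len(ALPHABET) ** LENGTH


def weak_space_size() -> int:
    """Enumerate every seed once: the complete set the weak generator can emit."""
    return len({weak_password(s) for s in range(WEAK_SEED_SPACE)})


def distinct_outputs(generator, draws: int) -> int:
    """Count distinct passwords over `draws` consecutive seeds/calls."""
    return len({generator(i) for i in range(draws)})


def strong_distinct(draws: int) -> int:
    """Distinct passwords from the CSPRNG-backed generator."""
    return len({strong_password() for _ in range(draws)})


if __name__ == "__main__":
    print("nominal space of a 10-char password:", nominal_space())
    print("weak generator, whole space:", weak_space_size())
    # Asking for more passwords than there are seeds only repeats earlier ones.
    print("weak generator, 100000 draws:", distinct_outputs(weak_password, 100_000))
    print("strong generator, 100000 draws:", strong_distinct(100_000))
```

The first two numbers are the whole story: the password looks like one of 62^10 possibilities, but the weak generator can only ever reach 32768 of them, which is why a dictionary of that size recovers every password it ever produced.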
Evidence indicates that the hacker who made this leak public was most likely trying to get cracked passwords from an online community, a kind of crowdsourced cracking. Since he probably possesses the list of logins as well, you might want to change your passwords on other accounts if you think he can access them with the information he has. Note that if you have unique passwords created with simple rules, you might want to change them as well: for example, if your password for LinkedIn is MyPW4Linkedin, a malicious cracker might guess that MyPW4Facebook is your Facebook password. It is also recommended to change your password if your username can be guessed from it, because every password cracker on the planet is currently playing with this password file.
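To show how short the rule chain listed above really is, and to give the corresponding check for the advice in this paragraph, here is an added Python example (not code from the original article or from any cracking tool). It replays the article's chain from pwlink to lsw4linkedin with a small interpreter for the rule phrasing used in that list, then flags passwords built around a service name after lowercasing and undoing common digit-for-letter substitutions, reporting how many characters are left once the service name is removed. The rule-phrase parser, the substitution table and the sample passwords other than those on the page are the example's own assumptions.

```python
import re

# Word ordinals accepted by the tiny rule parser (assumption: this mirrors
# the phrasing used in the chain above, e.g. "remove second character").
ORDINAL_WORDS = {"first": 1, "second": 2, "third": 3, "fourth": 4, "fifth": 5}


def _position(token: str) -> int:
    """Turn '3rd', '3' or 'second' into a 1-based position."""
    token = token.lower()
    if token in ORDINAL_WORDS:
        return ORDINAL_WORDS[token]
    match = re.fullmatch(r"(\d+)(?:st|nd|rd|th)?", token)
    if not match:
        raise ValueError(f"unrecognised position: {token!r}")
    return int(match.group(1))


def apply_rule(password: str, rule: str) -> str:
    """Apply one rule, written as in the chain above, to a password."""
    if m := re.fullmatch(r"insert (\S+) in (\S+) position", rule):
        idx = _position(m.group(2)) - 1
        return password[:idx] + m.group(1) + password[idx:]
    if m := re.fullmatch(r"remove (\S+) (?:char|character)", rule):
        idx = _position(m.group(1)) - 1
        return password[:idx] + password[idx + 1:]
    if m := re.fullmatch(r"append (\S+)", rule):
        return password + m.group(1)
    if m := re.fullmatch(r"prepend (\S+)", rule):
        return m.group(1) + password
    raise ValueError(f"unsupported rule: {rule!r}")


def replay_chain(start: str, rules: list[str]) -> list[str]:
    """Apply the rules in order, returning every intermediate password."""
    results = []
    for rule in rules:
        start = apply_rule(start, rule)
        results.append(start)
    return results


# The exact chain listed in the article, from pwlink to lsw4linkedin.
CHAIN = [
    "insert d in 3rd position", "insert 4 in 4th position", "append ed",
    "remove 3rd char", "append in", "prepend m", "remove second character",
    "prepend s", "remove second character", "prepend l",
]

# Substitutions undone before looking for the service name
# (assumption: a small common set, not an exhaustive table).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})


def normalise(password: str) -> str:
    return password.lower().translate(LEET)


def contains_service_name(password: str, service: str) -> bool:
    """True when the service name survives inside the normalised password."""
    return service.lower() in normalise(password)


def residual_length(password: str, service: str) -> int:
    """Characters left once the service name is taken away: this, not the
    full length, is the part a guesser still has to cover."""
    normalised = normalise(password)
    name = service.lower()
    if name not in normalised:
        return len(password)
    return len(normalised) - len(name)


if __name__ == "__main__":
    for step in replay_chain("pwlink", CHAIN):
        print(step)
    for pw in ("lsw4linkedin", "MyPW4Linkedin", "MyPW4Facebook", "L1nk3d1n!"):
        print(pw, contains_service_name(pw, "LinkedIn"), residual_length(pw, "LinkedIn"))
```

A password policy that applies the service-name check at enrolment rejects MyPW4Linkedin for the same reason the chain above succeeds: behind the service name there are only five characters of actual secret.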
The author of John the Ripper, Solar Designer, gave a great presentation on the past, present and future of password security. Although the security industry has put a lot of work into making good hash functions (and there's still more work to do), I believe that poorly chosen passwords are a concern. Maybe we should demand that our browsers (using secured storage as in Firefox Manager) or third-party single-sign-on providers create easier solutions to help us resist the temptation of using simple passwords and re-using the same passwords with simple variations.
Note: The hashes in the 120MB file sometimes had their first five characters overwritten with 0. If we look at characters 6 to 40, we can even find duplicates of these substrings in the file, meaning the first five characters were used for some unknown purpose: is it LinkedIn storing user information there? Is it the initial attacker tagging a set of accounts to compromise? This is unknown.
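The observation in this note is easy to reproduce on a hash list, so here is an added Python example (not the article's own analysis code) that reads lines, keeps well-formed 40-character SHA-1 hex digests, counts those with the zeroed prefix, and groups digests by characters 6 to 40 to find suffixes that appear under more than one prefix. The sample lines are constructed for the example from SHA-1 digests of a few dictionary words and are not taken from the leaked file.

```python
import hashlib
import re
from collections import defaultdict

HEX40 = re.compile(r"[0-9a-f]{40}")
MASK = "00000"


def sha1_hex(word: str) -> str:
    return hashlib.sha1(word.encode()).hexdigest()


def mask_prefix(digest: str) -> str:
    """Overwrite the first five hex characters with zeros, as the note describes."""
    return MASK + digest[5:]


# Constructed sample lines (not from the leaked file): plain SHA-1 digests of
# a few words, two of them with the masked prefix, plus one junk line.
SAMPLE_LINES = [
    sha1_hex("password"),
    mask_prefix(sha1_hex("password")),  # same digest, prefix masked
    sha1_hex("linkedin"),
    mask_prefix(sha1_hex("welcome")),   # only the masked form is present
    sha1_hex("qwerty"),
    "not a hash line",
]


def parse_hashes(lines):
    """Keep only well-formed 40-character hex digests, lowercased."""
    hashes = []
    for line in lines:
        candidate = line.strip().lower()
        if HEX40.fullmatch(candidate):
            hashes.append(candidate)
    return hashes


def suffix_groups(hashes):
    """Map characters 6..40 of each digest to the set of prefixes seen with it."""
    groups = defaultdict(set)
    for h in hashes:
        groups[h[5:]].add(h[:5])
    return groups


def analyse(lines):
    """Summarise masked digests and suffixes that occur under several prefixes."""
    hashes = parse_hashes(lines)
    groups = suffix_groups(hashes)
    duplicates = {suffix: sorted(prefixes)
                  for suffix, prefixes in groups.items() if len(prefixes) > 1}
    return {
        "total": len(hashes),
        "masked": sum(1 for h in hashes if h.startswith(MASK)),
        "duplicate_suffixes": duplicates,
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_LINES)
    print(f"{report['masked']} of {report['total']} digests have the zeroed prefix")
    for suffix, prefixes in report["duplicate_suffixes"].items():
        print("same suffix under prefixes", prefixes, "->", suffix)
```

On the real file the same grouping is what exposes the pattern: a suffix that appears once with its true first five characters and once with 00000 is the same hash recorded twice, which is the evidence that the prefix was being overwritten rather than that the file held different hashes.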