Analysis of Passwords Dumped from LinkedIn

I love taking a look at dumped passwords and analyzing them with Pipal by DigiNinja. Pipal is a great analytical program that takes a password dump and looks for patterns, including password lengths and complexities. I have always liked statistics and you can learn a lot from running passwords through Pipal.

I took a quick look at Pastebin and found that Stefan Venken (@StefanVenken) had already taken almost a million and a half of the LinkedIn passwords and analyzed them with Pipal. Here are some of the more interesting results:

Password length (length ordered)

  1. 6 = 281193 (20.75%)
  2. 7 = 211946 (15.64%)
  3. 8 = 444338 (32.79%)

From this portion of the cracked passwords, 8-character passwords were the most common: 444,338 users chose passwords that were 8 characters long.

In fact, a whopping 69% of the passwords that were cracked were 8 characters or fewer…

30% of the cracked passwords used only lowercase letters, and 45% contained just lowercase letters and numbers. From the statistics, it looks like almost all of the latter were in the format of lowercase letters followed by one or more numbers, with the numbers always at the end.

Overall, only 1% of the users used passwords that were made up of mixed case letters, numbers and symbols…
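As an added example (not from the post and not Pipal's own code), the script below computes the same kind of Pipal-style statistics the post quotes, namely the length table, the character-set categories and the share of lowercase+digit passwords shaped as letters followed by trailing digits, over a small constructed sample list:

```python
import re
from collections import Counter

# Constructed sample standing in for a cracked-password list; not LinkedIn data.
SAMPLE_PASSWORDS = [
    "123456", "password", "linkedin", "monkey", "monkey", "jessica1",
    "sunshine22", "Summer2011!", "abc123", "Trustno1", "qwerty",
    "1234567", "12345678", "football", "99letmein", "P@ssw0rd",
]

def length_distribution(passwords):
    """(length, count, percent) tuples ordered by length, like Pipal's length table."""
    counts = Counter(len(p) for p in passwords)
    return [(n, c, round(100.0 * c / len(passwords), 2)) for n, c in sorted(counts.items())]

def char_class(password):
    """Pipal-style character-set category for one password."""
    lower = any(c.islower() for c in password)
    upper = any(c.isupper() for c in password)
    digit = any(c.isdigit() for c in password)
    symbol = any(not c.isalnum() for c in password)
    if lower and not (upper or digit or symbol):
        return "loweralpha"
    if lower and digit and not (upper or symbol):
        return "loweralphanum"
    if lower and upper and digit and symbol:
        return "mixedalphanumspecial"
    return "other"

def class_distribution(passwords):
    """Percent of passwords in each character-set category."""
    counts = Counter(char_class(p) for p in passwords)
    return {k: round(100.0 * v / len(passwords), 2) for k, v in counts.items()}

LOWER_THEN_DIGITS = re.compile(r"^[a-z]+[0-9]+$")

def lower_then_digits_share(passwords):
    """Of the lowercase+digit passwords, the percent shaped as letters then trailing digits."""
    subset = [p for p in passwords if char_class(p) == "loweralphanum"]
    hits = sum(1 for p in subset if LOWER_THEN_DIGITS.match(p))
    return round(100.0 * hits / len(subset), 2) if subset else 0.0

def short_share(passwords, max_len=8):
    """Percent of passwords of max_len characters or fewer (the post's 69% figure)."""
    return round(100.0 * sum(1 for p in passwords if len(p) <= max_len) / len(passwords), 2)

if __name__ == "__main__":
    print(length_distribution(SAMPLE_PASSWORDS), class_distribution(SAMPLE_PASSWORDS))
    print(lower_then_digits_share(SAMPLE_PASSWORDS), short_share(SAMPLE_PASSWORDS))
```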

And according to an article on Ars Technica, all of the usual bad passwords were present, including:

  • 123456
  • 1234567
  • 12345678
  • password
  • strongpassword
  • And of course, linkedin

People put a lot of personal information on LinkedIn, many of them while looking for a new job or business opportunities. Users post their education and job experience along with the groups they belong to, which is a treasure trove of information for social engineers. Of all the online social sites, you would expect LinkedIn to be the one where users choose a long, complex password to secure their account.

But as every one of the top bad passwords of 2011 was found in the dump, it truly makes one wonder: what in the world is people’s fascination with the password “monkey”???

18 thoughts on “Analysis of Passwords Dumped from LinkedIn”

  1. Is it possible to get the list of hashes? I just want to do some analysis on such a huge amount of organic data. (I hope they don’t arrest me for asking for the file.)

    1. I think it will only be available from people who downloaded it before they were removed. By the way, is it illegal to ask for the list?

      1. Yep, only hashes will be enough; I have nothing to do with usernames. No unethical intentions. Thanks for the link.

      1. Extremely unfortunate. The list of hashes (the large one) on the site has invalid hashes (zeros in the beginning, some definite substrings appearing in common). I’d better stick to the Skullsecurity lists for any analysis.

  2. LOL @ Monkey… That’s a good question.

    Something else that’s very important and isn’t really getting enough traffic on this: LinkedIn failed their users big time. Regardless of the strength of the user passwords, LinkedIn ONLY used a SHA-1 hash, without a salt.

    SHA-1 in and of itself is cryptographically sound; not the best choice, but still valid. Any hash, with the exception of SHA-512 or other 512-bit hashes, without a salt is an easy target for rainbow tables; the key space is just too small…

    So in addition to allowing the hashes to be captured, I assume through some sort of web application vulnerability, their overall method for protecting those credentials was a far cry from best practices.

    Shame on you LinkedIn!

    1. The other thing too, Dangertux, that others seem to be overlooking is how in the world they got the hashes in the first place. I know there has been some mention of a calendar program leaking info, but if this was not the source, their servers were breached. How else would they be able to get all the hashes?

      Also, if they were at a point where they could get hashes from a server, what else was done?

      1. I would assume a database dump? In addition to weak hashing methods I guess LinkedIn also couldn’t afford a web app firewall? lol 😛
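A demonstration of the point raised in the comment above about unsalted SHA-1, as an added example not from the post or its commenters: with a bare SHA-1 every user who picked the same password gets the same digest, so a dump reveals shared passwords (and one precomputed table serves every account) before anything is cracked, whereas a per-user salt and a slow KDF remove that property. The user table and the PBKDF2 iteration count are assumptions made for this example.

```python
import hashlib
import hmac
import os
from collections import Counter

ITERATIONS = 600_000  # PBKDF2 work factor; a value assumed for this example

def unsalted_sha1(password):
    """The scheme the comment criticises: one SHA-1 over the password, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def salted_kdf(password, salt=None, iterations=ITERATIONS):
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest

def verify(password, salt, stored_digest, iterations=ITERATIONS):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_kdf(password, salt, iterations)[1], stored_digest)

def visible_duplicates(digests):
    """Number of distinct digests occurring more than once. Unsalted hashes expose
    which users share a password straight from the dump; salted ones do not."""
    return sum(1 for n in Counter(digests).values() if n > 1)

# Constructed user table for the demonstration; not LinkedIn data.
USERS = {"alice": "monkey", "bob": "monkey", "carol": "linkedin", "dave": "monkey"}

def unsalted_duplicates():
    return visible_duplicates(unsalted_sha1(pw) for pw in USERS.values())

def salted_duplicates(iterations=ITERATIONS):
    return visible_duplicates(salted_kdf(pw, iterations=iterations)[1] for pw in USERS.values())

if __name__ == "__main__":
    print("duplicate groups, unsalted SHA-1:", unsalted_duplicates())  # 1: the three 'monkey' users
    print("duplicate groups, salted PBKDF2:", salted_duplicates())     # 0
    salt, digest = salted_kdf("monkey")
    print("verify:", verify("monkey", salt, digest), verify("m0nkey", salt, digest))
```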

  3. Your analysis of the passwords you have cracked (only 23%) is interesting and is great press for Pipal and your blog. Unfortunately, those stats show more about how you crack rather than letting us know any true statistics about the passwords used by the victims of this attack. With 77% of the passwords remaining (did you even try to uniq the hashes? … there are really only 5.8 mil unique hashes), there’s a world of possibilities. The remaining passwords could all be > 60 chars with UTF-8 characters — with the evidence you have, you do not know.

    1. Well, thank you so much for your comments, Mr. Obvious! But please let me humbly point out a few, well, obvious points from the article.

      I didn’t crack these passwords, as noted in the post they are from a Pastebin dump. Also noted in the post, this is a look at the passwords that WERE cracked already (within a few days of the dump going public) not the entire dump.

      The focus was on how quickly some passwords were cracked and a look at the cracked ones. Hopefully encouraging people not to use simple passwords.

      Soon, if not already, the full cracked hash list will be available. The Skullsecurity site comes to mind… Then we will see how many passwords were 60 chars long with utf-8 characters. 🙂

    2. Passwords longer than 60 chars (ok, let 60 go, 40 chars) and/or with UTF-8 chars are outliers. And as far as I think, complex passwords with mixed-case alphanumerics and special characters of more than 20 chars in length also form a fairly small group. So it’s not a target to crack the outliers, as the majority of passwords are crackable in a feasible time. This discloses that people are not aware of what “strong” and “weak” passwords are.
