Guys, Russian hackers have hacked LinkedIn and stolen about 6.5 million passwords. Go change your password now. http://www.reddit.com/r/technology/comments/unt92/russian_hackers_claim_to_have_65m_linkedin/ It's a list of unsalted SHA1 hashes. The ones that have already been cracked have the first few digits changed to 0s. I downloaded the list and checked for mine -- regrettably mine was there AND it had been cracked. Feel quite ashamed right about now. EDIT: I mentioned this in another post but I agree that it should be said here -- this is particularly important if you use the same password for other sites, like your email account. Hackers will try to use your cracked password to glean as much information about you as they can from popular web sites, and then use that for identity theft. That's what makes password lists like this so valuable on the black market. If you have an account on LinkedIn, regardless of whether your password was published or not, you need to go change it now -- to something much more secure.
Wait. Change my LinkedIn password or change the password for every site that has the same password as my LinkedIn account?
If I were you I would change it on every site you know that has that same password. Odds are that they can link it to your email address, and if so there's no stopping them.
They seriously didn't salt passwords? Isn't that pretty elementary nowadays? I thought doing that was standard practice.
I know. Utterly inexcusable for a site of that size and a publicly traded company. At the very least you should be using SHA256 with a salt. Did nobody learn from Sony's PSN fiasco?
They got the hashes. It isn't the same as the password. So usually what you do is have a salt and use that salt to hash the password. The hashing function, like SHA-2, acts as a one-way function so that y=f(x). However, whereas in most functions you can solve for x, the hashing function makes it very difficult to solve for x. When you use a password they don't save the actual password, or they shouldn't. They should save f(password+salt). In this case, brute-force computing all the possible hashes will take a very long time. As long as you aren't using a simple password you should be ok.
They didn't use a salt. Also, about half the passwords have been cracked already (don't know if they're using brute force or not). My password was a non-dictionary password with numbers in it, although admittedly not very long, and it had been cracked.
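Added example, not code from anyone in this thread: a short Python script covering the two points raised above, checking a password against a list laid out like the one the first post describes (one unsalted SHA-1 per line, cracked entries with their leading digits replaced by zeros) and showing why an unsalted hash lets one crack cover every account sharing that password while a per-user salt does not. The number of zeroed digits is assumed to be five, since the post only says "the first few"; the sample list is constructed in the script, not real leaked data.

```python
import hashlib
import os

# Assumption: the post only says "the first few digits" were changed to 0s; five used here.
ZEROED_PREFIX_LEN = 5

def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 hex digest, the scheme the leaked list used."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def salted_sha256_hex(password: str, salt: bytes) -> str:
    """f(password + salt) as described upthread, with SHA-256 as suggested there."""
    return hashlib.sha256(password.encode("utf-8") + salt).hexdigest()

def build_sample_dump() -> list[str]:
    """Constructed stand-in for the leaked file (not real data): one SHA-1 per line,
    leading digits overwritten with zeros for entries that were already cracked."""
    entries = [("correct horse battery staple", False), ("linkedin2012", True)]
    dump = []
    for pw, cracked in entries:
        h = sha1_hex(pw)
        dump.append("0" * ZEROED_PREFIX_LEN + h[ZEROED_PREFIX_LEN:] if cracked else h)
    return dump

def check_dump(password: str, dump: list[str]) -> str:
    """Classify one password as 'cracked', 'present' or 'absent'.
    Compare on the suffix only, so the zeroed prefix cannot hide a hit."""
    suffix = sha1_hex(password)[ZEROED_PREFIX_LEN:]
    for line in dump:
        line = line.strip().lower()
        if len(line) != 40 or line[ZEROED_PREFIX_LEN:] != suffix:
            continue
        # A genuine digest starting with five zeros would read as cracked (1 in 16**5);
        # the advice in that case is the same: change the password.
        return "cracked" if line.startswith("0" * ZEROED_PREFIX_LEN) else "present"
    return "absent"

def distinct_digests(passwords: list[str], salted: bool) -> int:
    """Number of distinct stored values a list of user passwords produces. Unsalted,
    two users sharing a password share a digest, so one crack exposes both and the
    list itself reveals who shares passwords; per-user random salts make every entry differ."""
    if salted:
        return len({salted_sha256_hex(pw, os.urandom(16)) for pw in passwords})
    return len({sha1_hex(pw) for pw in passwords})

if __name__ == "__main__":
    dump = build_sample_dump()
    for pw in ("linkedin2012", "correct horse battery staple", "something else"):
        print(pw, "->", check_dump(pw, dump))
    print(distinct_digests(["linkedin2012", "linkedin2012"], salted=False))  # 1
    print(distinct_digests(["linkedin2012", "linkedin2012"], salted=True))   # 2
```

To run this against a real list you would feed the file's lines to check_dump instead of build_sample_dump(); the comparison never needs the plaintext to leave your machine.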