User not logged in - login - register
Home Calendar Books School Tool Photo Gallery Message Boards Users Statistics Advertise Site Info
go to bottom | |
 Message Boards » » LinkedIn passwords hacked Page [1]  
aaronburro
Sup, B
53065 Posts
user info
edit post

i know it's *old* by interweb standards, but if any of you people use LinkedIn, you should change your password, and maybe change other passwords to accounts associated with your email address.

http://www.pcworld.com/article/257045/update_linkedin_confirms_account_passwords_hacked.html

This notice was brought to you by your friendly neighborhood aaronburro

6/7/2012 4:36:39 PM

pilgrimshoes
Suspended
63151 Posts
user info
edit post

after trying to remember my password in order to log in to this silly site, i got in and i saw this, which i don't remember from before:

Quote :
"Your email is safe with us! We will not store your password or email anyone without your permission. "


casually near the "see who you already know" section, got a chuckle

and changed my password

6/7/2012 4:39:48 PM

ApexDave
Veteran
143 Posts
user info
edit post

Well it's technically true. They did not store the password... just a SHA hash.. that wasn't salted.

http://leakedin.org/

That site lets you put in your password or SHA-1 hash value to see if it was in the leak.

6/7/2012 6:09:31 PM

CaelNCSU
All American
7082 Posts
user info
edit post

I for one always type my password into random sites.

6/7/2012 6:19:32 PM

Prospero
All American
11662 Posts
user info
edit post

iamgod

"Your password was leaked and cracked. Sorry, friend."

asdfjkl;

"Your password was leaked and cracked. Sorry, friend."

[Edited on June 7, 2012 at 7:37 PM. Reason : .]

6/7/2012 7:36:54 PM

smoothcrim
Universal Magnetic!
18966 Posts
user info
edit post

skeet
Looks like your password was not leaked. Hooray!
penis
Looks like your password was not leaked. Hooray!

6/7/2012 7:45:27 PM

Kickstand
All American
11596 Posts
user info
edit post

password1

"Your password was leaked and cracked. Sorry, friend."

6/7/2012 10:35:43 PM

ThePeter
TWW CHAMPION
37709 Posts
user info
edit post

Quote :
"cc8f461bc483d23e5fcc2d999b70fe65e381aa3a"


Quote :
" Looks like your password was not leaked. Hooray!
"

6/7/2012 10:40:05 PM

BobbyDigital
Thots and Prayers
41777 Posts
user info
edit post

fucknut

"Your password was leaked and cracked. Sorry, friend."

6/7/2012 11:54:27 PM

jaZon
All American
27048 Posts
user info
edit post

blowme was leaked

6/8/2012 12:12:05 AM

lewisje
All American
9196 Posts
user info
edit post

obvs. hash is better salted

om nom nom

on a more serious note, p=====B ~ `o->-< was also cracked from a separate leak (near bottom): http://xdecrypt.com/google-sha1-a45c-3

6/8/2012 1:25:24 AM

pttyndal
WINGS!!!!!
35217 Posts
user info
edit post

looks like last.fm got hacked too

http://www.pcworld.com/article/257178/music_site_lastfm_joins_the_passwordleak_parade.html

6/8/2012 8:22:04 AM

wolfpackgrrr
All American
39759 Posts
user info
edit post

Good thing I deleted my LinkedIn account years ago. I got tired of all their stupid spam.

6/8/2012 9:08:01 AM

lewisje
All American
9196 Posts
user info
edit post

I'm seriously thinking about moving to bcrypt: http://krebsonsecurity.com/2012/06/how-companies-can-beef-up-password-security/
Too bad my host hasn't upgraded its FastCGI variant of PHP to version 5.3 or 5.4, or else I would feel more comfortable installing this: http://www.openwall.com/phpass/

Instead I moved a site I maintain from a singly randomly-salted MD5 to a Whirlpool-based HMAC: https://secure.wikimedia.org/wikipedia/en/wiki/HMAC

I know I've posted this pic before, and again, although the example uses SHA-1, any hash will do for the illustration of a HMAC: http://thewolfweb.com/message_topic.aspx?topic=617783&page=1#14958141

6/11/2012 6:24:00 AM

EuroTitToss
All American
4790 Posts
user info
edit post

Quote :
"I'm seriously thinking about moving to bcrypt: "


I read Hacker News quite a bit and the funny thing is people will already call you an idiot for using bcrypt instead of scrypt (which has only been out 3 years). They obviously don't give a shit there are no publicized scrypt implementations for PHP.

I'm wondering if I should try writing one myself. It's stupid as hell writing your own crypto, but I bet other people would want it.

6/11/2012 8:36:48 AM

lewisje
All American
9196 Posts
user info
edit post

Maybe I should take the C code from the Debian FTP: http://ftp.de.debian.org/debian/pool/main/s/scrypt/

or the main site: http://www.tarsnap.com/scrypt.html

and make me a CGI program that can be called from PHP

6/11/2012 9:50:46 AM

Str8BacardiL
************
41753 Posts
user info
edit post

I just tried to log in.

Quote :
"Sorry, we need you to reset your password as a security precaution.

We've sent you an email that will allow you to reset your password quickly and easily. Please check your email now.
"


6/11/2012 10:31:16 AM

lewisje
All American
9196 Posts
user info
edit post

wait wait wait

I just found out that the aforementioned site's host used the Suhosin Patch on PHP 5.2: http://www.hardened-php.net/suhosin/

now imago switch us all over to bcrypt

[Edited on June 11, 2012 at 10:54 AM. Reason : nm it has Suhosin but CRYPT_BLOWFISH==0

6/11/2012 10:33:02 AM

lewisje
All American
9196 Posts
user info
edit post

o lookie, scrypt is available for Python: http://pypi.python.org/pypi/scrypt/0.5.4
and Haskell: http://hackage.haskell.org/package/scrypt-0.3.2
and Windows Phone 7 and Silverlight 3-5: http://www.nuget.org/packages/DH.Scrypt.dll

6/11/2012 11:07:38 AM

BobbyDigital
Thots and Prayers
41777 Posts
user info
edit post

I'll just take this opportunity to repost this classic and informative XKCD

6/11/2012 11:18:42 AM

Arab13
Art Vandelay
45180 Posts
user info
edit post

Very true.

6/11/2012 11:37:09 AM

Ernie
All American
45943 Posts
user info
edit post

lewisje has a lot of acronyms and links

He must be very smart

6/11/2012 11:44:51 AM

quagmire02
All American
44225 Posts
user info
edit post

Quote :
"wasn't salted"

it's stuff like this that continues to amaze me

6/11/2012 2:15:51 PM

lewisje
All American
9196 Posts
user info
edit post

^indeed, and you'd think that a site used by, among others, security professionals to network would have figured out the sort of thing that is built into Zen Cart and phpBB

^^most of those initialisms (okay, SHA is an acronym) are in common use...
PHP - PHP: Hypertext Parser, the most common server-side scripting language on the Web: http://php.net/
CGI - Common Gateway Interface, the means by which a Web server can send certain files (like .php files) off to server-side executables (like the php program) for processing, before sending the output to the user
FTP - File Transfer Protocol, a simple protocol for sending files between a local computer and a remote server
SHA - Secure Hash Algorithm, one of a series of cryptographic hash algorithms approved by NIST (the National Institute of Standards and Technology) for ensuring the integrity of data transmission; the original was quickly shown to be flawed, the next (SHA-1) took longer to show any weakness, and although the SHA-2 suite has no known efficiently-exploitable weaknesses, NIST isn't waiting around for one to show up and has already announced a competition, to be completed sometime this year, for an even more secure hash suite to be denoted "SHA-3"
XOR - In the picture although not in my previous posts ITT, "eXclusive OR" can be thought of as the bitwise addition modulo 2 (addition of binary numbers without carry), or the logical operator that returns "true" if and only if the two operands have different truth values; for the purpose of cryptography, it's the former.
HMAC - Hash-based Message Authentication Code, usually used in TLS (Transport-Layer Security, f.k.a. SSL or "Secure Sockets Layer") to provide confirmation of integrity via the hashing and authenticity via the use of that shared key, in a way that prevents an attacker from determining the key itself, but also usable as a more convoluted variant of a salted hash for storing passwords
MD5 - Message Digest 5, an algorithm developed by Ron Rivest, who also co-developed the RSA (Rivest-Shamir-Adleman) encryption algorithm; after it was discovered to be vulnerable, he developed MD6 and briefly submitted it to the first round of the aforementioned NIST competition, and he also developed the RC4 encryption cipher ("Rivest Cipher 4," used in WEP, "Wired Equivalent Privacy," and also found to be insecure) and co-developed its latest successor RC6, which is patented by his firm, RSA Security
also RSA was first thout up by a guy named Cocks (lol) but he had to keep it under wraps because he worked for a British intelligence agency

^^^The comic was about making a password that is tough to crack for those who don't have access to the hash, not about using a hashing method that is resistant to cracking; however, for hashes that are either unsalted or salted with a common salt, more-common passwords are more vulnerable to rainbow tables.

[Edited on June 11, 2012 at 2:58 PM. Reason : also GNU's Not Unix lol

6/11/2012 2:53:02 PM

Ernie
All American
45943 Posts
user info
edit post

Quote :
"PHP - P Hypertext Parser,"


Wrong, motherfucker.

It's not that I don't know what these mean. I use many of these technologies on a daily basis. It's just that you sound like an absolute turd trying shove way too much lingo into every sentence.

[Edited on June 11, 2012 at 2:57 PM. Reason : ]

6/11/2012 2:55:12 PM

lewisje
All American
9196 Posts
user info
edit post

I used those terms to describe my thoughts in a concise manner; it's much better than "that doohickey thurr" or vague language like "an even stronger hash," and it's not like I'm using intentionally flashy language like a typical "Web 2.0 SEO viral monetization ninja" to cover up the lack of substantive content.

6/11/2012 3:03:18 PM

Ernie
All American
45943 Posts
user info
edit post

Still a turd

[Edited on June 11, 2012 at 3:13 PM. Reason : Usually it's obvious that you barely have even a shallow understanding of the technology when you po]

[Edited on June 11, 2012 at 3:13 PM. Reason : st shit like "WinMerge4Lyfe"]

6/11/2012 3:12:13 PM

EuroTitToss
All American
4790 Posts
user info
edit post

holy fuck

6/11/2012 3:28:26 PM

lewisje
All American
9196 Posts
user info
edit post

^^I was trying to be funny; the real reason I use that free merge program is that it is free.

[Edited on June 11, 2012 at 5:35 PM. Reason : Now if there were a free three-way comparison tool for Windows...

6/11/2012 5:35:01 PM

 Message Boards » The Lounge » LinkedIn passwords hacked Page [1]  
go to top | |
Admin Options : move topic | lock topic

© 2024 by The Wolf Web - All Rights Reserved.
The material located at this site is not endorsed, sponsored or provided by or on behalf of North Carolina State University.
Powered by CrazyWeb v2.39 - our disclaimer.