The LinkedIn Hack: Understanding Why It Was So Easy to Crack the Passwords

Size: px

Start display at page:

Download "The LinkedIn Hack: Understanding Why It Was So Easy to Crack the Passwords"

Brook Nichols
6 years ago
Views:

The LinkedIn Hack: Understanding Why It Was So Easy to Crack the Passwords LinkedIn was breached in 2012 with a reported 6.5 million user accounts compromised.

1 The LinkedIn Hack: Understanding Why It Was So Easy to Crack the Passwords LinkedIn was breached in 2012 with a reported 6.5 million user accounts compromised. LinkedIn sent a request to known hacked users advising them to change their passwords. However, on May 16, 2016, 117 million LinkedIn accounts reportedly from the 2012 hack were found to be up for sale on a hacker site. LinkedIn stated that after the initial 2012 breach, they added enhanced protection, most likely adding the salt functionality to their passwords. However, if you have not changed your password since 2012, you do not have the added protection of a salted password hash. You may be asking yourself what on earth are hashing and salting and how does this all work? By

2 When creating a site that collects and stores user accounts, it is critical to ensure that passwords are properly protected. Because there are so many ways to crack passwords, including guessing (typically by using social media to figure out birthdays, pets names, favorite sports teams, etc.), dictionary attacks, and the use of rainbow tables (which we ll go into later), it is more vital than ever to employ unique salted password hashing, which is in compliance with current cybersecurity industry standards. First, let s understand how this all works. When a user first creates an account, they enter a password in plain text, such as The password 1234 is then hashed and stored in the system. Hashing is a mathematical algorithm that takes a plain text password and turns it into a set of letters and numbers. There are several methods of hashing. One method is called Secure Hash Algorithm 1 (SHA1) (which is what LinkedIn had reportedly been using at the time of the 2012 hack) where, a plain text password runs through a mathematical cryptographic algorithm, which turns and stores the text password ( 1234 ) into a set of numbers and letters that look like this: sha1: 7110eda4d09e062aa5e4a390b0a572ac0d2c0220 Therefore, the password should never be stored in the database as plain text, but rather as a stored hash. When a user logs into their account by entering their text password 1234, the hash of the password is checked against the stored hash of the password. If the hashes match, the user is allowed access. If the hash does not match, the user will not be able to gain access. When using the SHA1 method, without adding the salt, the plain text password of 1234 will always create the same hash, meaning 1234 will always hash to the following SHA1 hash value: 7110eda4d09e062aa5e4a390b0a572ac0d2c , Inspired elearning, LLC. All Rights Reserved.

3 In theory, a hacker who has stolen user accounts that use the SHA1 mathematical algorithm with non-salted hashed passwords should not be able to use the hash to get the original text password. However, the bad news is that there are ways to reconstruct the text string from the hash. If a hacker has access to a database that has a SHA1 hash dictionary that has already been converted into the password plain text string it equals, they will have easy access to the password. It would look something like this: Plain Text Password SHA1 Hash String eda4d09e062aa5e4a390b0a572ac0d2c0220 Password Tyler Myd0gH0rat10 8be3c943b1609fffbfc51aad666d0a04adf83c9d c794bd35db97c1cf0b8edc21ac218cd202f68ca7 424f6b34ac904e1d8feb8dd96338df4fad2e67f8 Figure 1 If the hacker cannot succeed in cracking passwords through brute force or by guessing the passwords, there are other methods that can be used, such as lookup tables and rainbow tables. Lookup tables provide hashes that have already been computed and stored in a password dictionary with their corresponding plain text password string such as the ones listed in Figure 1 above , Inspired elearning, LLC. All Rights Reserved.

4 Rainbow tables are lists of known hash values that equal a plain text password, somewhat like Figure 1 above. Rainbow tables work in a similar manner to Lookup tables with a few minor differences mainly that they sacrifice hash cracking speed to reduce the size of lookup tables. What is important to take away is that both lookup tables and rainbow tables have databases of plain text passwords and the exact hash string that matches each password. The reason lookup tables and rainbow tables work is because each password has been hashed exactly the same way. This means that if SHA1 has been used and two people have the password 1234, the password hash will be identical. If I go to a website such as which uses an SHA1 dictionary that has many pre-converted hashes, I can find the password I m looking for: SHA-1 conversion and SHA-1 reverse lookup Reverse a SHA-1 hash Enter a SHA-1 hash to reverse... Reverse , Inspired elearning, LLC. All Rights Reserved.

5 Next, I will enter the hash from the password 1234 : SHA-1 conversion and SHA-1 reverse lookup Reverse a SHA-1 hash 1234 X Reverse After clicking the reverse button, I come up with the hash string: SHA-1 conversion and SHA-1 reverse lookup Reverse a SHA-1 hash 7110eda4d09e062aa5e4a390b0a572ac0d2c0220 Reverse , Inspired elearning, LLC. All Rights Reserved.

6 You can also choose to reverse the hash value to get the password text string as shown below: SHA-1 reverse for 7110eda4d09e062aa5e4a390b0a572ac0d2c0220 The SHA-1 hash: 7110eda4d09e062aa5e4a390b0a572ac0d2c0220 was successfully reversed into the string: 1234 It is really that simple. I was able to get the password by simply taking a millisecond to retrieve the password from a website. Kind of scary. So what can we do? This is where salts comes in. This type of hack can be prevented by employing a unique salt that will make each plain text password converted to hash different. This way no two identical passwords will have the same hash. A salt is a unique string of bytes that is included with the password in each hash calculation. If done properly, salts make lookup tables and rainbow tables ineffective (at least at the present time). However, it is important to use salts correctly. It is crucial to use a unique salt every time a user and account/password is created and when a user changes their password. In other words, never use the same salt for each password and hash , Inspired elearning, LLC. All Rights Reserved.

7 Here s a great depiction of how the password foobar without a salt will always hash to the same hash string: Without Salting foobar encrypt fgjhdfuyre8 foobar encrypt fgjhdfuyre8 Here s the salting process and how the password foobar now has a unique hash string: With Salt foobar add salt 1AUW foobar encrypt uyfieeiruoe foobar add salt eb46 foobar encrypt fgijhdkjghryt So if both users, John and Sean, have the same SHA1 plain text password string 1234, we have established that without a unique salt, the hash will be the same. Figures on page 6: , Inspired elearning, LLC. All Rights Reserved.

8 Remember, without a salt, the hash for the password 1234 will be hashed to identical hash strings: John:7110eda4d09e062aa5e4a390b0a572ac0d2c0220 Sean:7110eda4d09e062aa5e4a390b0a572ac0d2c0220 However, by adding a unique salt each time, the hash will be different. This is a simplified example, but by going to a site like which allows you to create hashes with or without salts based on a plain text password, you can see that the hashes are different. From this site, I chose to use the password 1234 and a salt string of characters before the string: SHA1 Hash Generator With this online generator, you can calculate the SHA1 hash of a string with an optional salt value. MD5 is a hash type that follows the RFC US Secure Hash Algorithm add a salt before this string. pepper generate sha1 hash , Inspired elearning, LLC. All Rights Reserved.

9 Notice how the hash is now different for the password 1234 than it was without the salt added: SHA1 Hash Generator Result: 84b3f681fc75231dbc31a7c5103f9d4fd8f91615 However, remember to always use a different salt each time. In the next example, I again used the password string 1234 and the same salt string and once again put the salt before the string: SHA1 Hash Generator With this online generator, you can calculate the SHA1 hash of a string with an optional salt value. MD5 is a hash type that follows the RFC US Secure Hash Algorithm add a salt before this string. pepper generate sha1 hash , Inspired elearning, LLC. All Rights Reserved.

10 Notice the hash string is exactly the same as the prior example. This is because I used the same text string with the same salt in the same location: SHA1 Hash Generator Result: 84b3f681fc75231dbc31a7c5103f9d4fd8f91615 Now, what if I use the same text password and choose to use a different salt string of characters? Will this make the hash string different and unique? Let s see below: SHA1 Hash Generator With this online generator, you can calculate the SHA1 hash of a string with an optional salt value. MD5 is a hash type that follows the RFC US Secure Hash Algorithm add a salt before this string. cookies generate sha1 hash , Inspired elearning, LLC. All Rights Reserved.

11 And the result: SHA1 Hash Generator Result: addc93f0edc3a5ee27c9efea20a4 If you guessed that it would be different, you were correct. Notice that the hash string is different even though the text password 1234 is the same. This is a vital point to understand. You must always use a different salt string of characters for each and every user plain text password string, just in case two users end up entering the same password string. You now have a basic understanding of how hashing and salting work. Please use these techniques to help keep your site and user passwords better protected , Inspired elearning, LLC. All Rights Reserved.

12 Remember: Always use a strong mathematical hashing algorithm. Some research will help determine which one will work best for you. Keep in mind that cryptography keeps getting stronger. For example, there are newer hash functions that are recommended by NIST such as SHA-256, SHA- 384, SHA-512, SHA-512/224, and SHA-512/256, SHA3-224, SHA3-256, SHA3-384, and SHA3-512 and several block cipher algorithms such as AES 128, 192 and 256 bits (Advanced Encryption Standard). Always make sure your system is set up to use a unique salt string every time a user enters a text password or changes their password so that you can help thwart attacks such as lookup and rainbow tables. Make sure that you have a system set where your users must create complex passwords. (Inspired elearning offers many courses that discuss password best practices. Please find more information by going to Make sure that you follow current cybersecurity standards and require users to change their passwords on a regular basis. Have users use different passwords for all of their various accounts , Inspired elearning, LLC. All Rights Reserved.

CSCE 548 Building Secure Software Entity Authentication. Professor Lisa Luo Spring 2018

CSCE 548 Building Secure Software Entity Authentication Professor Lisa Luo Spring 2018 Previous Class Important Applications of Crypto User Authentication verify the identity based on something you know