[Owasp-natal] LinkedIn hack confirmed

Eduardo Coelho eduardocoelholima at gmail.com
Thursday June 7 01:23:03 UTC 2012

It's serious.

It deserves a warning, especially for those who use the same password for several
different services.

LinkedIn lost some points. Using hashes without a salt, dude? Seriously? =/


Eduardo Coelho Lima
>> eduardocoelholima at gmail.com

2012/6/6 Noilson Caio <caiogore at gmail.com>

> That's right.
> LinkedIn has confirmed <http://blog.linkedin.com/2012/06/06/linkedin-member-passwords-compromised/> that some of the password hashes that were posted
> online <http://nakedsecurity.sophos.com/2012/06/06/millions-of-linkedin-passwords-reportedly-leaked-take-action-now/> do match users of its service. They have also stated that passwords that
> are reset will now be stored in salted hashed format.
> What is a salt? It is a string that is added to your password before it is
> cryptographically hashed. What does this accomplish? It means that password
> lists cannot be pre-computed based on dictionary attacks or similar
> techniques.
> [image: Password hash with salt example]
> This is an important factor in slowing down people trying to brute force
> passwords. It buys time and unfortunately the hashes published from
> LinkedIn did not contain a salt.
> [image: 60% of LinkedIn passwords cracked]
> After removing duplicate hashes, SophosLabs has determined there are 5.8 million
> unique password hashes in the dump, of which 3.5 million have already been brute forced.
> That means over 60% of the stolen hashes are now publicly known.
> We also did some additional testing of commonly used passwords that should
> never be used. We started with the list of passwords that the Conficker
> worm used <http://nakedsecurity.sophos.com/2009/01/16/passwords-conficker-worm/> to spread through Windows networks.
> All but two of the Conficker passwords were used by someone in the 6.5
> million user password dump. The two passwords that weren't found were
> 'mypc123' and 'ihavenopass'.
> Other passwords that we found in the dump include 'linkedin',
> 'linkedinpassword', 'p455w0rd' and 'redsox'. We even found passwords that
> suggest people should know better like 'sophos', 'mcafee', 'symantec',
> 'kaspersky', 'microsoft' and 'f-secure'.
> We will continue to keep Naked Security readers up to date with what is
> known as we learn more.
> It is critical that LinkedIn investigate this to determine if email
> addresses and other information was also taken by the thieves which could
> put the victims at additional risk from this attack.
> *Special thanks to Beth Jones and Richard Wang from SophosLabs for their
> hard work and assistance with this post.*
> --
> Noilson Caio Teixeira de Araújo
> Linux Professional Institute Certification  2 - LPI000182893
> Novell Certified Linux Administrator (CLA) - 10111916
> Novell Data Center Technical Specialist
> http://ncaio.ithub.com.br
> http://br.linkedin.com/in/ncaio
> http://www.commandlinefu.com/commands/by/ncaio
> http://www.dicas-l.com.br/autores/noilsoncaioteixeiradearaujo.php
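The salted-versus-unsalted distinction the quoted post explains, worked through as an added Python example that is not part of this thread or of LinkedIn's own code. The use of SHA-1 and the tiny wordlist are assumptions chosen for illustration; the password strings are the weak ones the post names.

```python
import hashlib
import hmac
import os

# Constructed sample wordlist, using a few of the weak passwords named in the post.
COMMON_PASSWORDS = ["linkedin", "linkedinpassword", "p455w0rd", "redsox", "mypc123"]


def unsalted_hash(password: str) -> str:
    """The weak scheme: a fast hash with no per-user salt (SHA-1 is assumed here)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def build_lookup_table(wordlist):
    """Precompute digest -> password once; it then applies to every unsalted account."""
    return {unsalted_hash(p): p for p in wordlist}


def lookup(table, digest: str):
    """A leaked unsalted digest is recovered by a plain dictionary lookup, or None."""
    return table.get(digest)


def salted_hash(password: str, salt: bytes) -> str:
    """The salt is combined with the password before hashing, as the post describes."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def store_password(password: str) -> dict:
    """Create a record with a fresh random salt; the salt is kept alongside the digest."""
    salt = os.urandom(16)
    return {"salt": salt.hex(), "digest": salted_hash(password, salt)}


def verify_password(record: dict, attempt: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    expected = salted_hash(attempt, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(expected, record["digest"])


def table_defeated(table, password: str) -> bool:
    """True when the precomputed table no longer matches the salted digest of `password`."""
    record = store_password(password)
    return lookup(table, record["digest"]) is None


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    leaked = unsalted_hash("redsox")  # identical for every user who chose 'redsox'
    print("unsalted lookup:", lookup(table, leaked))  # -> redsox
    print("salted lookup blocked:", table_defeated(table, "redsox"))  # -> True
    rec = store_password("redsox")
    print("verify:", verify_password(rec, "redsox"), verify_password(rec, "linkedin"))
```

A salt only stops precomputation and hides which users share a password; the time the post says salting "buys" comes from pairing it with a deliberately slow key-derivation function rather than a single fast hash.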