More than 60-percent of the LinkedIn passwords leaked have already seen their encryption cracked, security experts say, though the business-centric social site is yet to confirm whether any users had their accounts infringed. Of the roughly 6.5m passwords in the haul, around 5.8m were unique hashes according to Sophos, and 3.5m of which have already been revealed through brute force attacks.
Part of the reason for that high percentage so soon after the leak is the format in which LinkedIn was storing the passwords. The credentials were SHA1 encrypted, but not salted: a process where an extra string is added to the password pre-encryption, so that it cannot be brute-forced via dictionary attacks.
Although salted passwords can still be cracked, it’s a longer process and that would have given LinkedIn – and users – more time to react. Although the company eventually confirmed that the password list was, indeed, authentic, and then locked down those accounts compromised, the fear is that users may have relied on the same credentials for other sites and services which could now be subject to unauthorized access.
Interestingly, Sophos also checked out whether the passwords on the list were also among those tried by the Conficker worm, finding that all but two showed up on the LinkedIn users’ list. That suggests the worm could be well equipped to break through users’ typical security.
Moving forward, LinkedIn says it will now be salting all passwords – including those of compromised users who will be forced to change their password before regaining access to their account – so as to add an extra barrier to attack.