ER

Cracking party

Dear Reader,

Among the many parties happening around the world, there is a big one on cracking. Cracking passwords, that is.

Do you have an account with LinkedIn.com? The “business social network”?

If you do, I highly recommend you delete it. And if you used the password from there at any other website or internet service, please change that immediately.

LinkedIn got cracked in 2012. And they kept pretty silent about it. At the time, they admitted only that some 6.5 million passwords had been taken. This week we learned it was more like 117 million passwords. Or precisely:

164,590,819 unique email addresses
177,500,189 unsalted SHA1 password hashes

And as of now, more than 90% of the passwords have been cracked already. Just 14 million to go.

Why does that matter? It means those passwords are not safe anymore. And never will be again. The algorithms used for password cracking have been trained. And whoever uses one of those passwords anywhere is wide open.

Granted, the most popular passwords at LinkedIn were the usual bad ones: 123456, linkedin, password, 123456789, 12345678, 111111 and qwerty. And those are easily cracked. But eventually well over 95% of those passwords will be cracked. It is just a matter of time and computing power.
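Why "unsalted SHA1" makes this so cheap, as an added example that is not part of the original post: without a salt, equal passwords produce equal stored values, so one computed digest matches every account that uses that password. The account names are constructed, and PBKDF2-HMAC-SHA256 with 600,000 iterations is an assumed choice for the hardened form.

```python
import hashlib
import hmac
import os
from collections import Counter

ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256

# Constructed sample accounts using passwords the post lists as most popular.
ACCOUNTS = {
    "alice@example.com": "123456",
    "bob@example.com": "linkedin",
    "carol@example.com": "123456",
}

def unsalted_sha1(password):
    """The scheme named in the post: bare SHA-1, no salt, one fast round."""
    return hashlib.sha1(password.encode()).hexdigest()

def salted_pbkdf2(password, salt=None):
    """Hardened storage: random per-account salt plus a slow key derivation."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def verify(password, salt, digest):
    """Login check: recompute with the stored salt, compare in constant time."""
    return hmac.compare_digest(salted_pbkdf2(password, salt)[1], digest)

def reused_values(stored):
    """Stored values shared by more than one account (visible password reuse)."""
    counts = Counter(stored.values())
    return {value: n for value, n in counts.items() if n > 1}

def matched_by_one_digest(stored, guess):
    """Accounts whose unsalted hash equals a single precomputed digest."""
    target = unsalted_sha1(guess)
    return sorted(user for user, h in stored.items() if h == target)

if __name__ == "__main__":
    weak = {u: unsalted_sha1(p) for u, p in ACCOUNTS.items()}
    strong = {u: salted_pbkdf2(p) for u, p in ACCOUNTS.items()}
    print("unsalted, shared digests:", reused_values(weak))
    print("unsalted, hit by one digest:", matched_by_one_digest(weak, "123456"))
    print("salted, shared values:", reused_values(strong))
    print("salted, login still works:", verify("123456", *strong["alice@example.com"]))
```

A salt does not rescue a password like 123456 on its own; it forces each guess to be recomputed per account, and the iteration count makes every one of those recomputations slow.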

LinkedIn is one of the more popular websites. According to Wikipedia:

LinkedIn is a business-oriented social networking service. Founded on December 14, 2002 and launched on May 5, 2003, it is mainly used for professional networking. As of 2015, most of the site’s revenue came from selling access to information about its users to recruiters and sales professionals.
As of October 2015, LinkedIn reported more than 400 million acquired users in more than 200 countries and territories.
LinkedIn filed for an initial public offering in January 2011 and traded its first shares on May 19, 2011, under the NYSE symbol “LNKD”.

So, here is a publicly traded company, not some small garage firm, that did not care about its users and their safety. All they care about is selling the user data. And in the process they made the internet less safe for everybody.

The somewhat famous founder and current chairman Reid Hoffman, usually quite outspoken, has been very silent about the matter. Nothing on his website, nothing on his Twitter account. For that he deserves our Idiot of the Day medal.

And that is why you should delete your account there. Unless we, the users, make those companies and the people feel pain, unless they lose money or go bust, security will not improve.

Stay safe,

Engine Room