“12345? That’s the stupidest combination I’ve ever heard in my life. That’s the kind of thing an idiot would have on his luggage.”
Or, apparently, on LinkedIn. You’ve probably heard about the 8 million passwords leaked from LinkedIn and a dating site (likely eHarmony) that appeared on the Internet today. 12345 itself wasn’t used, but that’s only because LinkedIn requires passwords to be at least six characters. 123456, 1234567, and 12345678 were all leaked, as were the usual contenders for worst passwords such as, well, “password.”
Every single member of the list of the 25 worst passwords of 2011 was leaked, along with others such as “ihatemyjob,” “fuckmylife,” “nobama,” and “iwantanewjob.” At least one unhappy job hunter apparently used “linkedinblows.” Even the password “strongpassword” was leaked and cracked.
How do we know all this? The passwords were leaked in the form of cryptographic hashes, not all of which were deciphered by hackers. Shortly after the leak, a site called “LeakedIn” popped up to help users figure out if their passwords were leaked and/or cracked. While it’s assumed that hackers have the usernames associated with the 8 million passwords, they were not released publicly.
If you type a password into LeakedIn’s search box, you’ll be told whether it was leaked and cracked. In some cases, you’ll be told a password was leaked but not yet cracked. The site uses JavaScript to hash your password and then checks the hashed version against the leaked password lists. Hashes that have been cracked were prepended with “00000” by the people who run the site, to tell them apart from hashes that hackers have not yet cracked.
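The lookup described above can be sketched as follows. This is an added example, not LeakedIn’s own code: the function names and the sample dump are constructed. It assumes the dump holds unsalted SHA-1 digests in hex, one per line, and it accepts the “00000” marker whether it sits in front of the full digest or in place of its first five digits.

```javascript
// Added example; names and sample data are constructed for illustration.
const { createHash } = require('crypto');

const MARK = '00000'; // marker the article says flags a cracked hash

// Assumption: the dump holds unsalted SHA-1 digests as lowercase hex.
function sha1Hex(password) {
  return createHash('sha1').update(password, 'utf8').digest('hex');
}

// Turn dump text (one digest per line) into a Set for O(1) lookups.
function parseDump(text) {
  return new Set(
    text.split(/\r?\n/).map((l) => l.trim().toLowerCase()).filter(Boolean)
  );
}

// Classify a password locally; only digests are compared, never plaintext.
function checkPassword(password, dump) {
  const h = sha1Hex(password);
  // Accept the marker in front of the digest or in place of its first
  // five digits. In the second form a digest that naturally starts with
  // 00000 (1 in 16^5) cannot be told apart from a marked one.
  if (dump.has(MARK + h) || dump.has(MARK + h.slice(MARK.length))) {
    return 'leaked-and-cracked';
  }
  return dump.has(h) ? 'leaked-not-cracked' : 'not-found';
}

// Constructed sample dump: two cracked entries (one per marker form)
// and one entry that leaked but has not been cracked.
const SAMPLE_DUMP = parseDump([
  MARK + sha1Hex('password'),
  MARK + sha1Hex('123456').slice(MARK.length),
  sha1Hex('constructed-long-passphrase-2012'),
  '',
].join('\n'));

for (const p of ['password', '123456', 'constructed-long-passphrase-2012', 'never-leaked']) {
  console.log(p, '=>', checkPassword(p, SAMPLE_DUMP));
}
```

Because the digests are unsalted, the same password always produces the same entry, which is why a single lookup per candidate is enough and why common passwords in such a dump fall quickly.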