Tuesday, June 12, 2012

"Lessons Learned from Cracking 2 Million LinkedIn Passwords"

This post on the Qualys Security Labs blog shows what someone using John the Ripper can do on an old machine.

Francois Pesce spent a little time using John the Ripper with some password dictionaries, and in the first 5 hours he cracked 1.4 million of the ~6.458 million passwords in the database.

That is over 21% in 5 hours on an old machine doing the work on its CPU, rather than a newer machine using more efficient GPU cracking.

A GPU (Graphics Processing Unit, the graphics card) is not simply more powerful than the CPU (Central Processing Unit) in your computer; the two are optimized for different types of work.

With modern software, GPUs work a lot better for password cracking, because hashing millions of candidate passwords is work that splits neatly across a GPU's many small cores.

If you want an analogy, or even if you don't, you can think of a CPU and a GPU like a race car and a semi: they might have similar horsepower, but they differ a lot in transmission, gearing, torque, etc., because they are designed for different types of driving.

If you want to learn more about CPUs and GPUs in connection with password cracking, read the excellent article "Password cracking, mining, and GPUs".

Back to Francois Pesce's password cracking: once he had cracked the first 1.4 million passwords, he was able to use those passwords to fine-tune his cracking rules.

Part of the reason this works is that people tend to follow patterns. A lot of people still rely on passwords they can remember, so they tend to follow similar decision trees when they choose a password (a dictionary word, a capital letter at the front, a year or a "!" at the end).

So with that tweaking, and some additional refinement after the first pass using the passwords already cracked, he got another 572 thousand passwords, bringing the total to ~1.972 million cracked passwords out of the ~6.458 million.

That works out to about 30.5%, and all of it was done with dictionary attacks, not brute force!
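To make the two-pass idea concrete, here is an added example (my own toy code, not Pesce's and not John the Ripper's) that audits a constructed set of ten unsalted SHA-1 hashes, the hash type the LinkedIn dump used: a plain dictionary pass first, then a second pass using suffix rules learned from what the first pass recovered. The wordlist, the sample passwords and all function names are made up for the illustration.

```python
import hashlib
from collections import Counter

def sha1_hex(text):
    """Unsalted SHA-1, as in the 2012 LinkedIn dump: one hash per password, no per-user salt."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest()

# Constructed sample "leak". The plaintexts exist only to build the hash set;
# the audit functions below never look at them.
_SAMPLE_PLAINTEXTS = [
    "linkedin", "password1", "welcome2012", "monkey!",    # plain dictionary hits
    "summer2012", "dragon1", "letmein!", "Linkedin2012",  # need a learned suffix rule
    "Xq7#pL!9vR", "u8$Kd2%wQz",                           # random: survive both passes
]
LEAKED_HASHES = frozenset(sha1_hex(p) for p in _SAMPLE_PLAINTEXTS)

# Constructed wordlist: base words plus a few whole passwords seen in earlier leaks.
BASE_WORDS = ["linkedin", "password", "welcome", "summer", "monkey", "letmein", "dragon"]
DICTIONARY = BASE_WORDS + ["password1", "welcome2012", "monkey!"]

def case_variants(word):
    """The cheapest mangling rule: the word as-is and with a capital first letter."""
    yield word
    yield word.capitalize()

def dictionary_pass(hashes, candidates):
    """Hash every candidate; return {hash: plaintext} for those present in the leak."""
    found = {}
    for cand in candidates:
        digest = sha1_hex(cand)
        if digest in hashes:
            found[digest] = cand
    return found

def learn_suffixes(cracked, base_words):
    """Derive suffix rules from already-cracked passwords: whatever follows a base word."""
    counts = Counter()
    for pw in cracked:
        for word in base_words:
            if pw.lower().startswith(word) and len(pw) > len(word):
                counts[pw[len(word):]] += 1
    return [suffix for suffix, _ in counts.most_common()]

def audit(hashes=LEAKED_HASHES, dictionary=DICTIONARY, base_words=BASE_WORDS):
    """Pass 1: dictionary with case variants. Pass 2: base words + suffixes learned from pass 1."""
    first = dictionary_pass(hashes, (v for w in dictionary for v in case_variants(w)))
    suffixes = learn_suffixes(first.values(), base_words)
    remaining = hashes - set(first)
    second = dictionary_pass(remaining, (v + s for w in base_words
                                         for v in case_variants(w) for s in suffixes))
    return first, second, suffixes
```

On the constructed sample, pass 1 recovers 4 of 10, the learned suffixes are "1", "2012" and "!", and pass 2 recovers 4 more; only the two random passwords survive, which is the case for a password keeper in miniature.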

So read Pesce's "Lessons Learned from Cracking 2 Million LinkedIn Passwords".

If that leaves you wondering about passwords, read my post "Steve Gibson's Haystacks & Needles (Understanding Passwords)", which covers the basics of good passwords in a clear way.

If you read these articles you will realize you should use a password keeper! That is the only way to reliably and securely keep very many long and strong passwords.

Resources for finding a good password keeper are at the bottom; below I recommend a few.

For paid ones I like mSecure; that is what I have my family members using.

For free, I believe Strip Lite is good; see their website http://getstrip.com/ or iTunes.

Another free one I might suggest is KeePass; I have heard good things about it, and have a friend who uses it.

Stay Safe,

Cliff


See Also:

