10 (or so) of the worst passwords exposed by the LinkedIn hack
"12345? That's the stupidest combination I've ever heard in my life. That's the kind of thing an idiot would have on his luggage."
Or, apparently, on LinkedIn. You've probably heard about the roughly 8 million password hashes leaked from LinkedIn and a dating site (likely eHarmony) that appeared on the Internet today. 12345 itself wasn't used, but that's only because LinkedIn requires passwords to be at least six characters. 123456, 1234567, and 12345678 were all leaked, as were the usual contenders for worst passwords such as, well, "password."
Every single member of the list of the 25 worst passwords of 2011 was leaked, along with others such as "ihatemyjob," "fuckmylife," "nobama," and "iwantanewjob." At least one unhappy job hunter apparently used "linkedinblows." Even the password "strongpassword" was leaked and cracked.
How do we know all this? The passwords were leaked not as plaintext but as cryptographic hashes (LinkedIn's were unsalted SHA-1 digests), and not all of them have been cracked yet. Shortly after the leak, a site called "LeakedIn" popped up to help users figure out whether their passwords were leaked and/or cracked. While it's assumed that the hackers have the usernames associated with the 8 million passwords, those were not released publicly.
If you type a password into LeakedIn's search box, you'll be told whether it was leaked and cracked; in some cases, you'll be told it was leaked but not yet cracked. The site uses JavaScript to hash the password in your browser and then checks that hash against the leaked lists, so the plaintext itself is never sent to LeakedIn (you are still trusting a third-party site's code with a live password, which is one more reason to change it first). The "cracked" distinction comes from the leaked file itself: hashes that had already been cracked appear with their first five characters overwritten with "00000", apparently by whoever posted the dump. A match on the remaining characters therefore means the password has been cracked, while a match on the full hash means it was leaked but not yet cracked.
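The lookup described above, as an added example that is not LeakedIn's own code: hash the candidate with unsalted SHA-1, then look for the full digest (leaked, not cracked) or the digest with its first five hex characters replaced by "00000" (leaked and cracked). The sample dump is built here from constructed plaintexts, since the real file is not reproduced; the function and variable names are this example's own.

```python
import hashlib

CRACKED_MARKER = "00000"  # overwrites the first five hex characters of a cracked hash


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 hex digest, the form in which LinkedIn stored these passwords."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def build_sample_dump(cracked: list, uncracked: list) -> set:
    """Construct a stand-in for the leaked file: one hex digest per entry, with
    already-cracked entries marked the way the real dump marked them.
    The plaintexts passed in are constructed for this example, not taken from the leak."""
    lines = {CRACKED_MARKER + sha1_hex(p)[5:] for p in cracked}
    lines |= {sha1_hex(p) for p in uncracked}
    return lines


def check_password(password: str, dump: set) -> str:
    """Return 'cracked', 'leaked' (present but not marked cracked) or 'clear'.

    The cracked test matches on the trailing 35 hex characters only, because the
    first five were destroyed. That discards 20 of the digest's 160 bits, so a
    chance false positive is possible but negligible against a few million entries.
    The reverse ambiguity is real, though: an uncracked hash that genuinely begins
    with 00000 is indistinguishable from a marked one, and about 6.5M / 2^20,
    roughly six such hashes, would be expected in a dump the size of LinkedIn's."""
    digest = sha1_hex(password)
    if CRACKED_MARKER + digest[5:] in dump:
        return "cracked"
    if digest in dump:
        return "leaked"
    return "clear"


if __name__ == "__main__":
    # Constructed sample: the first four appear in the article as cracked passwords;
    # the fifth stands in for a leaked hash nobody has cracked yet.
    dump = build_sample_dump(
        cracked=["password", "123456", "linkedin", "strongpassword"],
        uncracked=["Tr0ub4dor&3-constructed"],
    )
    for candidate in ["password", "Tr0ub4dor&3-constructed", "eharmonypassword"]:
        print(f"{candidate!r}: {check_password(candidate, dump)}")
```

Because the hashing happens locally, a real deployment of this check never needs to see the plaintext; the trust you extend is to the script that runs in your browser, not to the server.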
"linkedin" was used as a password, as well as "linkedinpassword," and "eharmony," but not "eharmonypassword."
"One of many implications of this is that there is now a (growing) list of hundreds of thousands of cracked passwords," writes website designer Chris Shiflett, who helped build LeakedIn. "You can be sure that these will be used to seed rainbow tables and will be an obvious choice for seeding a dictionary used to try to crack passwords the next time a leak happens. Even if the next leak is a bunch of salted hashes using a better algorithm, these cracked passwords will never be safe again."
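To show why Shiflett's point holds, here is an added example (not from the article or from LeakedIn) of a dictionary attack seeded with a constructed "already cracked" wordlist, run against a constructed victim set stored two ways. With unsalted SHA-1, one hash per guess tests every leaked record at once, and the same work could be precomputed into a rainbow table. With a random salt per record, precomputation is useless and the attacker pays per record, yet any password already in the dictionary still falls. Both storage forms use plain SHA-1 here purely to isolate the salt's effect; names and sample data are this example's own.

```python
import hashlib
import os


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


# Constructed dictionary, seeded the way the quote predicts: plaintexts recovered
# from one leak become the first guesses against the next.
CRACKED_WORDLIST = ["password", "123456", "linkedin", "ihatemyjob",
                    "strongpassword", "iwantanewjob"]


def crack_unsalted(leaked_hashes: set, wordlist: list):
    """Unsalted: hash each guess once and test it against every record via set lookup.
    Returns (recovered {digest: plaintext}, number of hash computations)."""
    recovered, hash_ops = {}, 0
    for word in wordlist:
        hash_ops += 1
        digest = sha1_hex(word.encode("utf-8"))
        if digest in leaked_hashes:
            recovered[digest] = word
    return recovered, hash_ops


def crack_salted(leaked_records: list, wordlist: list):
    """Salted: each (salt, digest) record needs its own pass over the dictionary,
    so the cost scales with the number of records and no table can be precomputed.
    A password that is already in the dictionary is still recovered."""
    recovered, hash_ops = {}, 0
    for salt, digest in leaked_records:
        for word in wordlist:
            hash_ops += 1
            if sha1_hex(salt + word.encode("utf-8")) == digest:
                recovered[digest] = word
                break
    return recovered, hash_ops


def make_victims(plaintexts: list):
    """Constructed victim database in both storage forms: a set of unsalted digests
    and a list of (random 16-byte salt, SHA-1(salt || password)) records."""
    unsalted = {sha1_hex(p.encode("utf-8")) for p in plaintexts}
    salted = []
    for p in plaintexts:
        salt = os.urandom(16)
        salted.append((salt, sha1_hex(salt + p.encode("utf-8"))))
    return unsalted, salted


if __name__ == "__main__":
    # Two victims reuse passwords from the cracked list; the third is random and
    # appears in no dictionary, so neither attack should recover it.
    victims = ["linkedin", "strongpassword", os.urandom(12).hex()]
    unsalted, salted = make_victims(victims)

    found, ops = crack_unsalted(unsalted, CRACKED_WORDLIST)
    print(f"unsalted: recovered {sorted(found.values())} in {ops} hash computations")

    found, ops = crack_salted(salted, CRACKED_WORDLIST)
    print(f"salted:   recovered {sorted(found.values())} in {ops} hash computations")
```

The salt changes the attacker's cost model, not the outcome for a dictionary word. A system that wants the "better algorithm" Shiflett mentions also needs a deliberately slow, salted construction such as bcrypt, scrypt or PBKDF2, which multiplies the per-guess cost that the salt has already made unavoidable.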
If there's one positive, it's that typing awful passwords into LeakedIn and seeing what's been leaked is tremendous fun. My own LinkedIn password was leaked (OK, that's not so fun), as were others I might have conceivably used, such as "supermario," and "frodolives."
If you haven't already changed your LinkedIn password, go ahead and do that now. After you're done, feel free to search LeakedIn for a bit. What are the worst passwords you can find?