Wednesday, June 06, 2012

linkedin = leaked out

LinkedIn is now not only a place to expand your professional network, but also a prime location to meet Russian hackers.  As of this afternoon LinkedIn confirmed that 6.5m passwords were compromised and placed in a password dump (no longer available).  Obviously now would be a good time to change your password (Update: eHarmony and Last.fm have been hacked as well).

User beware: the collateral damage from this hack extends further than just one website, mainly because LinkedIn was using "unsalted" SHA-1 hashes.  So what, right?  Well, ignoring the fact that SHA-1 was "broken" back on February 15, 2005 (note: always be kind to hackers around Valentine's Day, just in case), let's take a look at how a hash works.

In simplest terms, a hash takes a data string of any length and turns it into a fixed-length digest, which is what gets saved as your password in some database (i.e. the password "thedudeabides" has the 40-character SHA-1 hash 07fb682a4c2ced5e68ff458229d52a483f96f6fa).  The idea here being that no one, even hackers, could get any use out of this 40-character hash.

And what's this "unsalted" nonsense?  Salt adds a little flavor to your security.  Salt is a random string of text (i.e. "U&@*$#VC") that is combined with each password before it is hashed, so two users with the same password end up with different hashes and a precomputed list of hashes is useless against the dump.  It's a very simple and effective security measure.  To put it another way, using SHA-1 is like leaving a light on when you leave your house, whereas using an unsalted hash is like leaving the gas on: you're playing with fire.

Many of the 6.5M passwords have been cracked.  If you are the lucky winner of a cracked password, then I would recommend changing it everywhere you use it.  There are two ways to check:  either generate your SHA-1 hash yourself from the command line ( php -r 'echo sha1("your password") . "\n";'  ) and then query it against the stolen password database.... or, if you are a normal human being, use the app found here (http://leakedin.org/) to see if your password was stolen and/or cracked.
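To make the unsalted-versus-salted point concrete, here is an added example (my code, not anything from the original post or from LinkedIn) that does three things: computes the unsalted SHA-1 the post describes, shows how a per-user random salt makes identical passwords hash differently, and performs the "is my hash in the dump" check against a small leaked-hash set that is constructed inline for the demo (it is not the real dump). The salt length, the salt-then-password ordering and the `CONSTRUCTED_DUMP` contents are my assumptions for illustration.

```python
import hashlib
import hmac
import os

# A tiny stand-in for the leaked hash list: unsalted SHA-1 of a few
# weak passwords. CONSTRUCTED for this example; not the real LinkedIn dump.
CONSTRUCTED_DUMP = {
    "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",  # sha1("password")
    "7c4a8d09ca3762af61e59520943dc26494f8941b",  # sha1("123456")
}


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 hex digest: the scheme the post says LinkedIn used."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def new_salt(nbytes: int = 16) -> bytes:
    """Fresh random salt, generated once per user from the OS CSPRNG."""
    return os.urandom(nbytes)


def salted_sha1_hex(password: str, salt: bytes) -> str:
    """SHA-1 over salt || password (assumed ordering for the demo).

    The salt is stored next to the hash and need not be secret; its job is
    to make every stored hash unique so precomputed tables do not apply.
    """
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def verify_salted(password: str, salt: bytes, stored_hex: str) -> bool:
    """Constant-time comparison of a login attempt against the stored hash."""
    return hmac.compare_digest(salted_sha1_hex(password, salt), stored_hex)


def same_password_two_users(password: str) -> dict:
    """Show why unsalted hashes leak: two users, one password.

    Unsalted, both rows are identical, so cracking one cracks both and the
    hash can be looked up directly. Salted, the rows differ.
    """
    salt_a, salt_b = new_salt(), new_salt()
    return {
        "unsalted_identical": sha1_hex(password) == sha1_hex(password),
        "salted_identical": salted_sha1_hex(password, salt_a)
        == salted_sha1_hex(password, salt_b),
    }


def check_against_dump(password: str, leaked_hashes: set) -> bool:
    """The self-check the post describes: hash your own password the same
    unsalted way and see whether that digest appears in the leaked set."""
    return sha1_hex(password) in leaked_hashes


if __name__ == "__main__":
    print("sha1('abc') =", sha1_hex("abc"))
    print(same_password_two_users("thedudeabides"))
    for candidate in ("password", "correct horse battery staple"):
        hit = check_against_dump(candidate, CONSTRUCTED_DUMP)
        print(f"{candidate!r} in constructed dump: {hit}")
```

Running it shows the two-user rows collapsing to one hash when unsalted and diverging once salted. Note that salting fixes the lookup problem but not the speed problem: SHA-1 is fast by design, so a salted SHA-1 still lets a cracker try a huge number of guesses per second; that is why purpose-built password hashes exist, but that is a separate discussion from what this post covers.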
