On Jun 14, 2012, at 12:00 AM, V G wrote:

> They weren't encrypted. They were 160-bit unsalted SHA-1 hashes.

An SHA-1 hash of something is usually considered 'encrypted', especially since the opposite of "encrypted" is usually "plaintext." In theory, hashed is better than encrypted, because you can't decrypt a hash.

In fact, it's pretty likely that a lot of people would consider a published list of SHA1 hashes to be "not a problem" (just like it used to be considered ok that the unix passwd file was world readable.) Linked-in seems to have been guilty of this.

They're wrong, of course. Computers have gotten too fast. A modern off-the-shelf computer can apparently calculate about 2 billion SHA1 hashes per second, making brute-force attacks on poor (short, and/or present-in-a-dictionary) passwords quite feasible.

Reasonable-looking semi-technical discussion here:
http://erratasec.blogspot.com/2012/06/confirmed-linkedin-6mil-password-dump.html

BillW

-- 
http://www.piclist.com PIC/SX FAQ & list archive
View/change your membership options at
http://mailman.mit.edu/mailman/listinfo/piclist
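To make the point above concrete, here is an added example (not from the thread or from LinkedIn) that contrasts the unsalted-SHA-1 scheme with a salted and a stretched (PBKDF2) variant, and turns the post's figure of roughly 2 billion SHA-1 hashes per second into worst-case exhaustion times. The sample passwords and the per-user salts are constructed for illustration.

```python
import hashlib
from collections import Counter

# Throughput quoted in the post: ~2 billion SHA-1/s on an off-the-shelf
# 2012 machine. Treat it as a floor; current GPUs are far faster.
SHA1_PER_SECOND = 2_000_000_000


def sha1_unsalted(password: str) -> str:
    """Plain SHA-1 of the password: the scheme the dump revealed."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def sha1_salted(password: str, salt: bytes) -> str:
    """Same fast hash with a per-user salt. Defeats precomputed tables
    and stops identical passwords from producing identical hashes."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def stretched(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """PBKDF2-HMAC-SHA1: salted and deliberately slow, so every guess
    costs `iterations` SHA-1 evaluations instead of one."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                               iterations).hex()


def seconds_to_exhaust(candidates: int, cost_per_guess: int = 1,
                       rate: int = SHA1_PER_SECOND) -> float:
    """Worst-case seconds to try every candidate password when each guess
    costs `cost_per_guess` SHA-1 computations (1 for plain SHA-1)."""
    return candidates * cost_per_guess / rate


def duplicate_hash_count(hashes: list) -> int:
    """Unsalted hashes leak reuse: users sharing a password share a hash.
    Returns how many distinct hash values appear more than once."""
    return sum(1 for n in Counter(hashes).values() if n > 1)


if __name__ == "__main__":
    # Constructed sample users; two of them chose the same weak password.
    pws = ["password", "Tr0ub4dor", "password"]
    unsalted = [sha1_unsalted(p) for p in pws]
    salted = [sha1_salted(p, bytes([i])) for i, p in enumerate(pws)]
    print("reuse visible, unsalted:", duplicate_hash_count(unsalted))
    print("reuse visible, salted:  ", duplicate_hash_count(salted))
    print("all 8-letter lowercase, plain SHA-1: %.0f s" % seconds_to_exhaust(26 ** 8))
    print("same space, PBKDF2 100k iterations: %.0f days"
          % (seconds_to_exhaust(26 ** 8, 100_000) / 86400))
```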