I felt compelled to read up on a recent email thread on the Triangle Linux User Group list that discussed the recent LinkedIn password fiasco. While the discussion didn’t really tell me anything I didn’t already know, it did get me thinking.
I decided that LinkedIn could be cut some slack for their outdated notions of what constituted password security, because the truth is that 99.9% of us also hold outdated notions of password security. That is, the vast majority of us still believe in password security when in fact there is no such thing!
After reading a few links on the web, it dawned on me just how utterly vulnerable our passwords are to compromise. If one kid with a $1000 computer can bust 99% of passwords in a matter of days, imagine what government-scale resources can do! Passwords I once considered relatively safe seem laughably simple now.
On a similar note, I have a sneaking suspicion that the reason only 6.5 million hashes out of 161 million accounts were shared by the hackers is that the other 96% of LinkedIn’s passwords were so trivially broken that the hackers needed no help with them. As computer scientist Poul-Henning Kamp said in one of the links above (emphasis mine):
The 6.5 million hashed passwords in all likelihood represent far more users than that, because everybody who chose “qwer5678” as a password shares a single entry in that file. I wouldn’t be surprised if 6.5 million was the number of unique passwords all LinkedIn users have chosen, as there is, after all, only so much imagination to go around.
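The point in the quote above, that everyone who chose the same password shares a single entry in an unsalted hash file, is easy to see in code. The following is an added example, not code from the original post or from LinkedIn; it assumes unsalted SHA-1 as a stand-in for a fast unsalted scheme, uses a constructed list of six accounts, and contrasts it with a per-user salted PBKDF2 table. It also shows the defender's side of the same observation: given a leaked set of unique unsalted digests, a site can enumerate every account that shares one of them, which is exactly why a leak of N unique hashes can affect far more than N users.

```python
import hashlib
import os
from collections import Counter

# Constructed sample accounts (not real data): several users picked the same password.
ACCOUNTS = [
    ("alice", "qwer5678"),
    ("bob", "qwer5678"),
    ("carol", "qwer5678"),
    ("dave", "correct horse battery staple"),
    ("erin", "hunter2"),
    ("frank", "hunter2"),
]


def unsalted_sha1(password: str) -> str:
    """Fast, unsalted hash: identical passwords always give identical digests."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_pbkdf2(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Salted, slow hash (PBKDF2-HMAC-SHA256); the per-user salt makes digests unique."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def unsalted_table(accounts):
    """user -> unsalted digest, the shape of a legacy password file."""
    return {user: unsalted_sha1(pw) for user, pw in accounts}


def salted_table(accounts, salt_for=None):
    """user -> (salt hex, digest). salt_for(user) may supply salts for tests; default is random."""
    table = {}
    for user, pw in accounts:
        salt = salt_for(user) if salt_for else os.urandom(16)
        table[user] = (salt.hex(), salted_pbkdf2(pw, salt))
    return table


def users_per_digest(table):
    """How many accounts collapse onto each digest (1 everywhere for a salted table)."""
    digests = [v if isinstance(v, str) else v[1] for v in table.values()]
    return Counter(digests)


def unique_digest_count(table) -> int:
    """Number of distinct digests in the table; this is what a leak of 'unique hashes' counts."""
    return len(users_per_digest(table))


def accounts_exposed(table, leaked_digests):
    """Defender's view: given a leaked set of unique unsalted digests, which accounts match?"""
    return sorted(user for user, digest in table.items() if digest in leaked_digests)


if __name__ == "__main__":
    plain = unsalted_table(ACCOUNTS)
    salted = salted_table(ACCOUNTS)
    print("unsalted: %d accounts, %d unique digests" % (len(plain), unique_digest_count(plain)))
    print("salted:   %d accounts, %d unique digests" % (len(salted), unique_digest_count(salted)))
    # A leak containing only the digest of "qwer5678" still covers every user who chose it.
    leaked = {unsalted_sha1("qwer5678")}
    print("accounts sharing the leaked digest:", accounts_exposed(plain, leaked))
```

With the constructed accounts the unsalted table holds six users but only three distinct digests, while the salted table holds six distinct digests even though the same passwords were used; a single leaked digest for "qwer5678" maps back to all three accounts that chose it. The salt does nothing to make a weak password strong, but it stops one leaked entry from standing for a whole crowd of users and forces a cracker to work each account separately.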
As a system administrator at one of my previous employers I had access to literally thousands of networked, relatively new computers. If I had chosen to set up a parallel-processing password-cracking tool on all these machines, even if only for a few minutes, I could’ve cracked 99.999% of passwords in seconds and no one would’ve batted an eye. There’s nothing stopping someone from doing that right now at that lab or the many thousands like it across the world.
For all practical purposes, we live in a world where secrets do not exist. This may be troubling, it may be uncomfortable, it may be hard to believe, but it’s the world we now live in.
Whatever you once thought was good enough isn’t anymore.