Hackers got access to the 6.5 millions users'
unsalted SHA-1 hashed password. We don't know whose accounts got compromised
and what was the level of compromise before LinkedIn triggered their incident response
process and stopped further compromise.
We still don't have information about how did the hackers manage to get hold of this data. But one thing is certain that it’s an example of absolute negligence. If basic principles of security would have been followed then hacker would not have been able to get the actual password from the hashed password as quickly as they did. They should have at least used salted hash.
So, what is Secure Hash Algorithm -1 (SHA-1): It is an algorithm (cryptographic algorithm) that converts any text/message into unique 160bits (20 bytes or 40 characters representing 20 hex values).
If your password is "MyPassw0rd" then SHA-1 will convert it to something like "e3e5cb40f7fc229ec70d50bc67072dd37ea186c7". This is the way the passwords were stored in the Linkedin database.
Ideally, there is no algorithm that could convert the hash value (like e3e5cb40f7fc229ec70d50bc67072dd37ea186c7) into the actual text (MyPassw0rd). But there is a work-around to get the actual value from the hashed value.
What if we have a huge table of pre-computed hash values and their corresponding actual value like a sample table shown below?
We still don't have information about how did the hackers manage to get hold of this data. But one thing is certain that it’s an example of absolute negligence. If basic principles of security would have been followed then hacker would not have been able to get the actual password from the hashed password as quickly as they did. They should have at least used salted hash.
So, what is Secure Hash Algorithm -1 (SHA-1): It is an algorithm (cryptographic algorithm) that converts any text/message into unique 160bits (20 bytes or 40 characters representing 20 hex values).
If your password is "MyPassw0rd" then SHA-1 will convert it to something like "e3e5cb40f7fc229ec70d50bc67072dd37ea186c7". This is the way the passwords were stored in the Linkedin database.
Ideally, there is no algorithm that could convert the hash value (like e3e5cb40f7fc229ec70d50bc67072dd37ea186c7) into the actual text (MyPassw0rd). But there is a work-around to get the actual value from the hashed value.
What if we have a huge table of pre-computed hash values and their corresponding actual value like a sample table shown below?
Hashed Password
|
Actual
Password
|
e3e5cb40f7fc229ec70d50bc67072dd37ea186c7
|
MyPassw0rd
|
e5e9fa1ba31ecd1ae84f75caaa474f3a663f05f4
|
secret
|
f4e7a8740db0b7a0bfd8e63077261475f61fc2a6
|
Secret
|
Table
-1: The highlighted column shows how did LinkedIn store our passwords.
Such huge pre-computed table is freely available to reveres
the hashed password into actual password. This table is known as Rainbow Table.
Anyone can search a huge database of pre-computed hash at http://hashlab.info/ . Even if the database does not
have an entry for a particular hashed value to get the actual password, the
known weaknesses of SHA-1 algorithm would have made hackers tasks easier to
reverse the hash value into actual value.
Anyone who follows the security best practices would never
hash the passwords without the salt.
So, what is salt? Salt is nothing but a long random number
that is added to the actual password before making the hash of the password.
That means, if two users have the same password – secretPassw0rd then it will be hashed
with two different randomly generated numbers:
- SHA-1 hash of [secretPassw0rd + 39432] = 3e2a12099ac8762414ea81874b0ef7c82a5106db
- SHA-1 hash of [secretPassw0rd + 42451] = b8c61b002cfb164a99f9421d4a805719e005c5fb
The addition of long random number makes the rainbow tables
impractical for getting the actual passwords. Disclosure of actual password
would have prevented if Linkedin would have stored their passwords with at
least SHA-256 salted hash. SHA-256 is the advanced version of SHA-1 that has
resolved the weakness SHA-1 and is more secure.
Good info Manish. Thanks
ReplyDeleteHello. I am the creator of hashlab.info =)
ReplyDeletethanks for your useful site.
Delete