LinkedIn, HashedOut

Linked-“Be great at what you do”-In, bringing you modern social networking with worse password protection than 1970s UNIX. Not only did LinkedIn avoid a robust, well-known password hashing scheme like PBKDF2, they didn’t even salt the passwords. Something FreeBSD programmers have been doing for years.

It also appears some users are confused as to what constitutes a good password. Length? Characters? Punctuation? Phrases? An unbelievable number of users went for length, but couldn’t be bothered hitting the shift key, space bar, or one of those numbers above qwerty. I sat down for 20 minutes with shasum and grep — and my bookshelf for inspiration — to hand-hack some possible passwords.

grep `echo -n myownpassword | shasum | cut -c6-40` SHA1.txt

The grep/shasum trick works on Unix-like command lines. John the Ripper is the usual tool for password cracking without entering the super assembly of GPU customization. And if someone tells you to use node.js instead of Perl, Python, Ruby, or that grep command because a non-blocking IO is faster…just walk away. Walk. Away. Your brain will thank you.

Anyway, I love sci-fi and fantasy as much as the next person. I still run an RPG on a weekly basis; there’s no dust on my polyhedrals. Speaking of RPGs. I started the guesswork with 1st Edition AD&D terms only to strike out after a dozen tries, but your 2nd edition references aren’t bad:

waterdeep — Under Mountain was awesome, unlike your password.

menzoberranzan — Yeah, mister dual-scimitars shows up in the list, too. This single-handedly killed the Ranger class for me. (Er, not before I had about three Rangers with dual longswords; ’cause that was totally different…)

No one seems to have taken “1stEditionAD&D”. Maybe that’ll be my new password. 14 characters, a number, a symbol, what’s not to love? Aside from retroactive revelation?

tardis — Come on, that’s not even eight characters. Would tombaker or jonpertwee approve? I don’t think so. But no Wiliam Hartnell? Have you no sense of history? Even for a timelord?

doctorwho — Longer, but…um…we just covered this.

badwolf — Cool, some Jack Harkness fans out there, but still not eight characters.

torchwood — Love the show, but your anagram improves nothing.

kar120c — I’m glad there’s a Prisoner fan out there. It was a cool series with a mind-blowingly bizarre, pontificating, intriguing ending that demands discussion. However, not only is that password short, it even shows up in my book (upcoming edition, too). I should find out who it was and send them a signed copy.

itsatrap — Seriously? You chose a cliched, meme-inducing movie quote that short? And you couldn’t be bothered with an exclamation point at the end? At least you chose a line from the best of the three movies. (No, the last three aren’t worth considering. And, yes, they’re the “last” three because it’s only an “e” away from “least.”)

myprecious — Not anymore.

onering — Onering? While you were out onering your oner a password cracker was cracking your comprehension of LotR. By the way, hackers have also read earthsea, theshining and darktower. Hey, they’ve got good taste.

I adore the Dune books. Dune is in the top list of my favorite books. Just this week I offered a nice quote from the Bene Gesserit. Seems I’m not the only fan:

benegesserit — Don’t they have some other quotes? Something about fear?

fearisthemindkiller — Heh, even the hackers hadn’t cracked that one yet. Referencing The Litany Against Fear would have been a nice move except that if “fear is the mind killer” then “obvious is the password.”

entersandman, blackened, dyerseve — What are you going to do when you run out of Metallica tracks? Use megadeath? It’s almost sadbuttrue. And jethrotull beat them at the Grammy’s. So, there.

loveiskind — Love is patient, love is kind, hackers aren’t stupid, passwords they find.

h4xx0r — No, you’re not.

notmypassword — Actually, it is. At least you didn’t choose a 14-character secretpassword. That would just be dumb.

stevejobs — Now how is he going to change his password?

Comments on this post are only open to users with strong passwords. Please place your password at the beginning of the comment so we know you didn’t choose something as pop-culturally obvious that I can figure it out in 20 minutes.

2 thoughts on “LinkedIn, HashedOut”

Comments are closed.