Wednesday, June 06, 2012

Has your LinkedIn password been cracked?

This is a brief tutorial for Mac users on determining if your LinkedIn password was involved in the recent breach. I wrote this because the instructions online, such as they are, are mainly targeted at Linux users, and Mac OS X, while similar to Linux in some ways, doesn't have the same built-in utilities. I've also tried to make these instructions usable by people who are only semi-technical. (If you know your way around *nix command lines, you'll probably have a few short-cuts.)

I'm just going to skip the background and suggest you read this or any number of other news stories.

What's noteworthy is that if you look around the net, you can find the file that contains the stolen hashes. Actually, there are several files. I believe the original one is called combo_not.txt. There are at least two others. One is called SHA1.txt and appears to be an alternative, but not quite as long (240 megs vs. 258 megs for combo_not.txt). The other is C_dwdm6msha1.out and it is interesting in that it contains hashes along with original passwords, separated by colons. It appears to be the result of a collective effort to guess passwords based on the hashes.

The first two files don't list actual passwords, but they do appear to indicate which hashes had been reverse-engineered at the time of their release. Any hash in those files which begins with a string of five zeroes is actually not a complete hash, but one where the first five characters have been replaced with "00000", apparently to mark it as one that's been "cracked".

So given these three files, we'd obviously like to know if our LinkedIn password has been cracked. For that matter, even if it hasn't been cracked, we'd like to know if its hash is in the list, because that means it could be cracked eventually. It also means that, possibly, someone else is using the same password and our password isn't as unique as we thought it was. If we're using that password on multiple websites, we might want to start changing it.

One way to do this would be to search for the password in C_dwdm6msha1.out. But this would only tell us if the password is in the small subset which has been guessed "after the fact". We'd really like to calculate the hash of our password and then search for that. (Though we'd want to bear in mind that the first five characters of the hash may have been replaced by zeroes.)

There are several websites that will calculate a hash for us. But why would we want to enter our secret password into a website that might be capturing it for future use? (Granted, any site could be doing this--one reason why you want to use different passwords on different sites, or at least not use the password to your bank account when you sign up for sharkwrestling.com.) Let's calculate our own hash and automatically search for it in the three files.

Doing this is pretty easy with a Mac. Just put all three files into the same folder. Then use a text editor like vi or TextWrangler to create a file in the same folder. Call the file checkhash.sh and copy & paste this text into it:


#! /bin/bash

# Change into the folder the script lives in, so the hash files are found.
BASEDIR=$(dirname "$0")
cd "$BASEDIR" || exit 1

# -s keeps the password from being echoed to the screen while you type it.
echo -n 'Enter password to check: '
read -s password
echo

# openssl prints "(stdin)= <40 hex characters>", so characters 15-49 are the
# last 35 characters of the hash. The first five are skipped on purpose,
# because the leaked files may have overwritten them with "00000".
# -F makes grep search for the literal string rather than a pattern.
grep -F "$(echo -n "$password" | openssl sha1 | cut -c15-49)" \
    combo_not.txt SHA1.txt C_dwdm6msha1.out

If you don't have all three files, leave out the name of the file(s) you're missing. Also, if you want to see your password when you enter it into the checker, remove the -s after the word read.

Now save checkhash.sh. (Remember, you need to save it in the same folder as the three hash files.)

The next thing you have to do is open the program Terminal which is contained in Applications > Utilities on your computer. At the prompt, type chmod +x but don't hit the return key yet. Instead, drag and drop the icon for checkhash.sh directly onto the Terminal window. Now hit the Return key. You've just created an executable shell script.

You'll also run the script from Terminal. Just drag and drop checkhash.sh onto the Terminal window and hit Return. You'll be prompted for the password you want to check. Enter it and hit Return again. After a moment or two, if the password's hash appears in any of the three files, you'll see some output. If the hash isn't in any of the files, you'll be returned to the shell prompt without any output. For example:

[Pats-iMac:~] patf% /Users/patf/Documents/linkedin\ hashes/checkhash.sh
Enter password to check: 
combo_not.txt:0000034a83cbfb625391d2e897c5163400413b6b
SHA1.txt:0000034a83cbfb625391d2e897c5163400413b6b
[Pats-iMac:~] patf%

This means the password (in this case, "justify") generates a hash found in both combo_not.txt and SHA1.txt. Since the hash starts with five zeroes, the password was guessed before the public release of the hashes. Let's try another.

[Pats-iMac:~] patf% /Users/patf/Downloads/linkedin\ hashes/checkhash.sh
Enter password to check: 
combo_not.txt:377c4fcc9201ed3ac5684a9a6a75210905016779
C_dwdm6msha1.out:377c4fcc9201ed3ac5684a9a6a75210905016779:izzemm89
[Pats-iMac:~] patf%

This time the password's hash appeared in combo_not.txt and C_dwdm6msha1.out. The password hadn't been guessed initially (no leading zeroes), but it was cracked later. As you can see, the password was "izzemm89".

When you're done, you can just close the Terminal window and quit Terminal.

Tip: if you're using Linux, you probably know enough about the command line that you don't need a full tutorial. But instead of using openssl sha1 in your script, you'll want to use sha1sum, and then instead of cut -c15-49, you'll want cut -c6-40.
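Putting the Mac and Linux variants together, here is an added example (not the script from the post above) that picks whichever SHA-1 tool is installed, searches for the last 35 characters of the hash as described, and reports whether a match was marked "cracked" with the leading 00000. The leak file it searches is a small constructed sample, not real LinkedIn data.

```shell
#!/bin/sh
# Added example: portable version of the hash check. Works with either
# `sha1sum` (Linux) or `openssl sha1` (macOS) and classifies the result
# using the leading-"00000" convention the leaked files use.

# Print the 40-character SHA-1 hex digest of $1 with whichever tool exists.
sha1_hex() {
    if command -v sha1sum >/dev/null 2>&1; then
        printf '%s' "$1" | sha1sum | cut -c1-40
    else
        # openssl prints "(stdin)= <hash>"; strip everything up to "= ".
        printf '%s' "$1" | openssl sha1 | sed 's/^.*= //' | cut -c1-40
    fi
}

# Print the last 35 characters of the hash: the leaked files overwrite the
# first five characters of already-cracked hashes with "00000", so only
# the tail can be relied on when searching.
hash_suffix() {
    sha1_hex "$1" | cut -c6-40
}

# check_hash PASSWORD FILE -> prints "cracked", "present" or "absent".
# Lines may be "hash" or "hash:password"; only the hash field is examined.
check_hash() {
    suffix=$(hash_suffix "$1")
    match=$(grep -F -m1 -- "$suffix" "$2" | cut -d: -f1)
    if [ -z "$match" ]; then
        echo absent
    elif [ "$(printf '%s' "$match" | cut -c1-5)" = "00000" ]; then
        echo cracked
    else
        echo present
    fi
}

# Constructed sample leak file (not real data): the SHA-1 of "abc" with its
# first five characters replaced by 00000 (i.e. marked cracked), and the
# SHA-1 of "hello" in the hash:password format of the third file.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat >"$SAMPLE" <<'EOF'
00000e364706816aba3e25717850c26c9cd0d89d
aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d:hello
EOF
```

For interactive use, feed the password in with read -s as the post's script does rather than typing it as a command-line argument, where it would be recorded in your shell history.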