Reports that 6.5 million LinkedIn password hashes, belonging to certain users, had been leaked went out this Wednesday. Users are concerned about whether they are among the victims.
With the amount of personal and professional information available on this platform, the growing concern led 'LeakedIn' to emerge. A New York based web developer has come out with a web app, 'LeakedIn', that allows users to check whether their LinkedIn password has been compromised. All one needs to do is enter a password in a dialog box; the app converts it into its corresponding cryptographic representation using the SHA-1 algorithm, which is the form LinkedIn stored. By matching your password hash against the leaked hashes, it tells you whether your password has been compromised or not. It does that conversion in the browser using JavaScript and does not transmit the password elsewhere, wrote one of LeakedIn's developers, Chris Shiflett, on his blog.
The issue at hand is whether the leaked passwords have been 'cracked' as well. Not all of the hashes in the list have been converted to original passwords yet, but hackers are likely to be working on it. The number of characters in your password would determine the amount of time the 'cracking' would require.
This massive leak of passwords is an effect of LinkedIn using unsalted hashes. Salting is a process that involves inserting random characters into the hash, which makes it more difficult for people trying a brute-force attack.
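The local check described above and the effect of a salt, as an added example that is not LeakedIn's or LinkedIn's code: Node's `crypto` module stands in for the in-browser hashing, and the dump contents, passwords and function names are constructed for illustration.

```javascript
// Added example, not LeakedIn's code. Node's crypto stands in for in-browser hashing.
const crypto = require("crypto");

// Unsalted SHA-1 as lowercase hex: the stored form the article describes.
function sha1Hex(text) {
  return crypto.createHash("sha1").update(text, "utf8").digest("hex");
}

// Constructed stand-in for the leaked list: one hash per line, mixed case, junk lines.
const CONSTRUCTED_DUMP = [
  sha1Hex("password"),
  sha1Hex("linkedin2012").toUpperCase(),
  "",
  "not-a-hash",
  sha1Hex("letmein"),
].join("\n");

// Normalise the dump into a Set, skipping anything that is not 40 hex characters.
function loadLeakedHashes(dumpText) {
  const hashes = new Set();
  for (const line of dumpText.split(/\r?\n/)) {
    const h = line.trim().toLowerCase();
    if (/^[0-9a-f]{40}$/.test(h)) hashes.add(h);
  }
  return hashes;
}

// Local check: only the digest is compared, the password is never sent anywhere.
function isLeaked(password, leakedHashes) {
  return leakedHashes.has(sha1Hex(password));
}

// Salt illustration only: SHA-1 over (random per-user salt || password).
function saltedSha1(password, salt = crypto.randomBytes(16)) {
  const digest = crypto.createHash("sha1").update(salt).update(password, "utf8").digest("hex");
  return { salt: salt.toString("hex"), digest };
}

// Two accounts sharing one password: what a leaked-hash lookup finds in each scheme.
function compareStorage(password, leakedHashes) {
  const a = saltedSha1(password);
  const b = saltedSha1(password);
  return {
    unsaltedInDump: isLeaked(password, leakedHashes),
    saltedInDump: leakedHashes.has(a.digest) || leakedHashes.has(b.digest),
    saltedEqual: a.digest === b.digest,
  };
}
```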
LinkedIn has responded to the fears on its official blog, mentioning customer security as its primary concern and stating that all the users whose passwords have been compromised will soon receive an email asking them for a password reset. These emails will not have direct links for password reset, but will include a multi-step process to verify the user. LinkedIn also states that it will now be working on 'salting' its password hashes. This enormous breach has brought extreme disappointment among the users.
Editor's note: You should change your LinkedIn password before you use LeakedIn and then enter your old password to see if your password was leaked. We do not recommend sharing your current LinkedIn (or any other) password with any third-party website.