You must know by now that 6.5 millions unsalted SHA-1 hashed passwords have been stolen from LinkedIn database, and it looks likely that the usernames were compromised too.
So you already changed your password, right? If you didn’t, do it now.
But even if you did change your password over the past two days, hackers had about two weeks to crack the stolen digested passwords. That gives plenty of time to attempt accessing other accounts related to a breached LinkedIn account with the same password –come on, admit it, you do reuse the same password for multiple sites, don’t you?
At the time I downloaded the stolen 6,458,020 passwords, there were 3,521,276 of them already cracked –that’s 54% of them!
Here is how to check whether your password has been stolen and possibly cracked in 3 steps.
Step 2 – Compute the SHA-1 hash of your password. You can use an on-line utility. Or if you do not want to send your password in clear to some website (I would not), you can use some application on your laptop.
- MAC OS: echo <password> | shasum
- Linux: echo <password> | sha1sum
- Windows: use this link.
- Online: many sites available.
Step 3 – Look up your hash in the list. Make sure to omit the first 5 hexadecimal characters. This is because the first 5 characters have been overwritten with zeros when the digest has been cracked.
If that makes you feel better (or not), I found the password of a few people that asked me to check. And they were cracked. Go ahead. Try yourself.
And if your password has been cracked, I would recommend not reuse that password ever again for any other site –how easy is it for a hacker who broke into your LinkedIn account to check whether the same password allows her access to the emails, Twitter, Facebook, or other services you listed on your LinkedIn account?