LinkedIn Revisited – Full 2012 Hash Dump Analysis

As you may know, a “full” dump of email addresses and password
hashes from the Linkedin.com breach that occurred in 2012 has
become available. Here at KoreLogic, we got our hands on the list and
started to gather some statistics on it using our
Password Recovery Service (PRS).
The following analysis assumes the hash dump is real; given the valid email
addresses in it, and having confirmed the data for some of our own accounts
from back then, we believe that it is.

What we know so far:

It contains 164,590,819 unique email addresses.

It contains 177,500,189 unsalted SHA1 password hashes. Note that this
is more than the number of email addresses.

It contains 61,829,207 unique hashes. This means there
are duplicates, and this is good for password researchers
because it allows us to come up with statistics of how often
certain passwords are used.

As of Thursday May 19 14:09 EDT 2016, we’ve cracked 65% of the list,
after about two hours of work on our private distributed cracking grid.
Approximately 41,500,000 plaintext passwords have been recovered so
far. There are literally thousands of new cracks coming in every
minute, so the numbers are a bit rough.

The most common password hashes are:

Number | Hash 
1135936 7c4a8d09ca3762af61e59520943dc26494f8941b
 207488 7728240c80b6bfd450849405e8500d6d207783b6
 188380 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
 149916 f7c3bc1d808e04732adf679965ccc34ca7ae3441
  95854 7c222fb2927d828af22f592134e8932480637c0d
  85515 3d4f2bf07dc1be38b20cd6e46949a1071f9d0e3d
  75780 20eabe5d64b0e216796e834f52d61fd0b70332fc
  51969 dd5fef9c1c1da1394d6d34b248c51be2ad740840
  51870 b1b3773a05c0ed0176787a4f1574ff0075f7521e
  51535 8d6e34f987851aa599257d3831a1af040886842f
  49235 c984aed014aec7623a54f0591da07a85fd4b762d
  41449 6367c48dd193d56ea7b0baad25b19455e529f5ee
  35919 d8cd10b920dcbdb5163ca0185e402357bc27c265
  34440 1411678a0b9e25ee2f7c8b2f7ac92b6a74b3f9c5
  32879 601f1889667efaebb33b8c12572835da3f027f78
  32289 ff539c96a2ed9f72a47a5e1c7d59e143ba1fba94
  30972 019db0bfd5f85951cb46e4452e9642858c004155
  30923 01b307acba4f54f55aafc33bb06bbbf6ca803e9a
  28928 775bb961b81da1ca49217a48e533c832c337154a
  28705 17b9e1c64588c7fa6419b4d29dc1f4426279ba01

These values crack to:

Number | Hash                                   | Plaintext
1135936 7c4a8d09ca3762af61e59520943dc26494f8941b 123456
 207488 7728240c80b6bfd450849405e8500d6d207783b6 linkedin
 188380 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 password
 149916 f7c3bc1d808e04732adf679965ccc34ca7ae3441 123456789
  95854 7c222fb2927d828af22f592134e8932480637c0d 12345678
  85515 3d4f2bf07dc1be38b20cd6e46949a1071f9d0e3d 111111
  75780 20eabe5d64b0e216796e834f52d61fd0b70332fc 1234567
  51969 dd5fef9c1c1da1394d6d34b248c51be2ad740840 654321
  51870 b1b3773a05c0ed0176787a4f1574ff0075f7521e qwerty
  51535 8d6e34f987851aa599257d3831a1af040886842f sunshine
  49235 c984aed014aec7623a54f0591da07a85fd4b762d 000000
  41449 6367c48dd193d56ea7b0baad25b19455e529f5ee abc123
  35919 d8cd10b920dcbdb5163ca0185e402357bc27c265 charlie
  34440 1411678a0b9e25ee2f7c8b2f7ac92b6a74b3f9c5 666666
  32879 601f1889667efaebb33b8c12572835da3f027f78 123123
  32289 ff539c96a2ed9f72a47a5e1c7d59e143ba1fba94 linked
  30972 019db0bfd5f85951cb46e4452e9642858c004155 maggie
  30923 01b307acba4f54f55aafc33bb06bbbf6ca803e9a 1234567890
  28928 775bb961b81da1ca49217a48e533c832c337154a princess
  28705 17b9e1c64588c7fa6419b4d29dc1f4426279ba01 michael

The most common patterns used in the passwords are as follows:

?d = Digit [0-9]
?s = "Special Character" +_)*(&^%$#@!~`-=[]{}|;':",./? ...etc.
?l = Lower case letter [a-z]
?u = Upper case letter [A-Z]

Number | Pattern
2464867  ?l?l?l?l?l?l?l?l   Example: linkedin
1779914  ?l?l?l?l?l?l?d?d   Example: linked12
1587439  ?l?l?l?l?d?d?d?d   Example: link2012
1529419  ?l?l?l?l?l?l       Example: linked
1528570  ?l?l?l?l?l?l?l     Example: linkedi
1355705  ?l?l?l?l?l?l?l?l?l Example: alinkedin
1348523  ?d?d?d?d?d?d?d?d
1074171  ?l?l?l?l?l?d?d?d?d
 981506  ?l?l?l?l?l?l?l?l?l?l
 819347  ?l?l?l?d?d?d?d
 792420  ?l?l?l?l?l?l?l?d?d
 781385  ?d?d?d?d?d?d?d
 736751  ?l?l?l?l?l?l?d?d?d?d
 723709  ?l?l?l?l?l?d?d
 692358  ?l?l?l?l?l?d?d?d
 690550  ?d?d?d?d?d?d
 653163  ?l?l?l?l?l?l?l?d
 581292  ?l?l?l?l?l?l?l?l?l?l?l
 536369  ?l?l?l?l?l?l?d?d?d
 530968  ?l?l?l?l?l?l?l?l?d?d
 494565  ?l?l?l?l?d?d
 491480  ?l?l?d?d?d?d

The most common “base words” used in the passwords are shown below.
These are calculated by taking all the recovered passwords, removing
all special characters and digits, and then sorting the results. This
was the initial technique used by KoreLogic in 2012 to determine that
the set of ~6.5 million hashes found on a Russian message board was in
fact from LinkedIn.com (which now appears to have been only a subset of
this larger leak).

Number | Base word
  29883 linkedin    Examples: linkedin1 linkedin2012 linkedin! 
  26194 link        Examples: link2012 2012link !!link!!
  21731 love
  19721 ever
  15574 linked
  14156 life
  11674 alex
  10773 mike
  10566 pass
   9540 john
   9176 blue
   8937 june
   8338 jack
   8006 july
   7305 home
   7205 star
   7094 password
   7005 angel
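As an added example (not KoreLogic’s PRS code), here is a small Python script that reproduces the three statistics above on a constructed sample of plaintexts built from the post’s own examples: the ?l/?u/?d/?s mask of each password, the base-word count (letters only; lowercasing is an assumption, since the post does not say), and a check that a listed hash/plaintext pair really is an unsalted SHA-1.

```python
import hashlib
import re
from collections import Counter

# Constructed sample of "recovered" plaintexts, taken from the examples in
# the post's own tables; this is not data from the real dump.
SAMPLE_PLAINTEXTS = [
    "123456", "linkedin", "password", "linkedin1", "linkedin2012",
    "linkedin!", "link2012", "2012link", "!!link!!", "linked12", "Linked12",
]


def mask(password: str) -> str:
    """Map each character to the post's ?l / ?u / ?d / ?s classes."""
    out = []
    for ch in password:
        if ch.isdigit():
            out.append("?d")
        elif "a" <= ch <= "z":
            out.append("?l")
        elif "A" <= ch <= "Z":
            out.append("?u")
        else:
            out.append("?s")          # everything else counts as "special"
    return "".join(out)


def base_word(password: str) -> str:
    """Strip digits and special characters; lowercase (assumption)."""
    return re.sub(r"[^A-Za-z]", "", password).lower()


def top_masks(passwords, n=5):
    """Most common masks with counts, like the 'Number | Pattern' table."""
    return Counter(mask(p) for p in passwords).most_common(n)


def top_base_words(passwords, n=5):
    """Most common base words; all-digit passwords yield no base word."""
    words = (base_word(p) for p in passwords)
    return Counter(w for w in words if w).most_common(n)


def verify_crack(hash_hex: str, candidate: str) -> bool:
    """Confirm a listed hash/plaintext pair by recomputing unsalted SHA-1."""
    return hashlib.sha1(candidate.encode()).hexdigest() == hash_hex.lower()
```

Running `top_masks(SAMPLE_PLAINTEXTS)` and `top_base_words(SAMPLE_PLAINTEXTS)` on the sample puts `?l?l?l?l?l?l?l?l` and `linkedin` at the top, matching the shape of the post’s tables.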

Update: May 19 15:53 EDT 2016

Here is a list of the most common domains used by the accounts in the dump.
No real surprises here.

Number | Domain Name 
32865035 gmail.com
24018467 hotmail.com
20361246 yahoo.com
4268015  aol.com
1977483  comcast.net
1427168  yahoo.co.in
1333354  msn.com
1039135  sbcglobal.net
1036522  rediffmail.com
 992936  yahoo.fr
 913406  yahoo.co.uk
 843158  live.com
 839735  yahoo.com.br
 748001  hotmail.co.uk
 740473  verizon.net
 574117  hotmail.fr
 549022  yahoo.com
 528635  ymail.com
 528040  cox.net
 509047  bellsouth.net
 503271  libero.it
 478587  att.net
 428930  yahoo.es
 406492  btinternet.com

Update: May 19 17:00 EDT 2016

42,691,862 unique passwords recovered so far; 69% of the unique
hashes have cracked at this point.

Of the total 177,500,189 non-unique hashes leaked, there are
143,914,964 password hashes cracked, 33,585,225 left.
That represents 81.07% of all LinkedIn.com users in the dump.

More updates to follow …

For more of KoreLogic’s talks about password recovery, check out the
following videos by KoreLogic employee and PRS founder Rick Redman:
Your Password Complexity Requirements are Worthless – OWASP AppSecUSA 2014
Cracking Corporate Passwords: Why Your Password Policy Sucks


Original URL: http://feedproxy.google.com/~r/feedsapi/BwPx/~3/ByEj2T3SEn4/linkedin_passwords_2016
