Um, that's not the way it works... If they have the hash, they can reverse it with enough effort (read: rainbow tables or brute force).
However, if you change your password, the hash changes. In fact, for some cipher systems, one of the design goals is that a change of one character in the encrypted text should produce a change in 50% of the characters of the resulting ciphertext. Thus, changing your password in this case is a particularly good thing.

What's more problematic is that they (LinkedIn) are reported not to have used a salt for their password hashing. If true, that's a very stupid mistake that will make reversing the password hashes much easier.

See, for instance, this: http://en.wikipedia.org/wiki/Salt_%28cryptography%29

On Wed, Jun 6, 2012 at 11:28 AM, Heaton, Joseph@DFG <[email protected]> wrote:
> What I had heard from my security guy was that what was hacked was the hash
> for the encryption. So, doesn’t really matter what you change to until
> Linkedin changes the hash itself. Anyone hear if they’ve done that?
>
> Joe Heaton
> ITB – Windows Server Support
>
> From: David Lum [mailto:[email protected]]
> Sent: Wednesday, June 06, 2012 10:52 AM
> To: Heaton, Joseph@DFG; NT System Admin Issues
> Subject: RE: 6.5 Million Encrypted LinkedIn Passwords Leaked Online [REPORT]
>
> Hmm…good point. However they would have to re-break in to get the changed
> passwords wouldn’t they? Of course if they got in once it might be trivial
> for another go.
>
> From: Kennedy, Jim [mailto:[email protected]]
> Sent: Wednesday, June 06, 2012 10:24 AM
> To: NT System Admin Issues
> Subject: RE: 6.5 Million Encrypted LinkedIn Passwords Leaked Online [REPORT]
>
> Something to keep in mind here. Linkedin is still investigating. So that
> means they have not found the problem……so the exploit that was used to get
> the passwords before everyone changed them is still usable. Only now lots
> more people know about it.
>
> From: David Lum [mailto:[email protected]]
> Sent: Wednesday, June 06, 2012 10:29 AM
> To: NT System Admin Issues
> Subject: RE: 6.5 Million Encrypted LinkedIn Passwords Leaked Online [REPORT]
>
> Done. Thank you sir!
>
> From: Andrew S. Baker [mailto:[email protected]]
> Sent: Wednesday, June 06, 2012 7:06 AM
> To: NT System Admin Issues
> Subject: 6.5 Million Encrypted LinkedIn Passwords Leaked Online [REPORT]
>
> http://mashable.com/2012/06/06/6-5-million-linkedin-passwords/
>
> Even though this report has not yet been validated (at the time of my
> posting), I would highly recommend that you change your LinkedIn password
> now. If you were using that same password on another internet site, now
> would be a great time to choose a separate password for that site (and other
> sites) and use a password manager like Password Corral, PassKeep or LastPass
> to manage them.
>
> -ASB: http://XeeMe.com/AndrewBaker
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to [email protected]
> with the body: unsubscribe ntsysadmin
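The effect of a missing salt raised in this thread, shown as an added example that is not part of any poster's message: without a salt, identical passwords store identically and one hash computation checks a guess against every account, while per-user salts force a separate slow computation per account. SHA-1 as the fast hash, the PBKDF2 settings, and the account names and passwords are assumptions constructed for this example.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this example

def unsalted_sha1(password):
    """Fast hash, no salt: the same password gives the same hash for every user."""
    return hashlib.sha1(password.encode()).hexdigest()

def hash_password(password, salt=None):
    """Random per-user salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def verify_password(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt)[1], expected)

def duplicate_hashes(store):
    """Number of accounts whose stored value equals another account's."""
    values = list(store.values())
    return sum(1 for v in values if values.count(v) > 1)

def guess_cost_unsalted(store, guess):
    """One hash computation is compared against every account at once."""
    target = unsalted_sha1(guess)
    return [u for u, h in store.items() if h == target], 1

def guess_cost_salted(store, guess):
    """Each account has its own salt, so each needs its own slow computation."""
    hits = [u for u, (salt, digest) in store.items()
            if verify_password(guess, salt, digest)]
    return hits, len(store)

# Constructed sample accounts, not real data.
ACCOUNTS = {"alice": "linkedin123", "bob": "linkedin123",
            "carol": "Tr0ub4dor&3", "dave": "linkedin123"}

def build_stores():
    unsalted = {u: unsalted_sha1(p) for u, p in ACCOUNTS.items()}
    salted = {u: hash_password(p) for u, p in ACCOUNTS.items()}
    return unsalted, salted

if __name__ == "__main__":
    unsalted, salted = build_stores()
    print("shared hashes:", duplicate_hashes(unsalted), "vs", duplicate_hashes(salted))
    print("unsalted:", guess_cost_unsalted(unsalted, "linkedin123"))
    print("salted:  ", guess_cost_salted(salted, "linkedin123"))
```

A salt does not stop a weak password from being guessed; it removes the shared work across accounts, and the slow KDF raises the cost of each individual guess.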
