Thursday, 7 June 2012

My LinkedIn Password

This morning as I read news on my mobile phone, I was alarmed by the news that 6.5 million LinkedIn user passwords were stolen. Some say 8 million, but according to my count it is exactly 6458020 SHA-1 hashed passwords contained in the file.

According to the news article, the culprit seems to be LinkedIn iOS app which collects passwords and sends them back to the servers without users’ knowledge.  Although I am not a fan boy of anything Apple and don’t use LinkedIn on my wife’s iPhone, I still scrambled to change all my online passwords first thing this morning, knowing that cracking passwords is extremely simple to do (not necessarily easy, but simple). When I was a freshman in Uni, I stumbled upon a cracker, which was essentially a Unix shell script plus some rules and dictionary files. I tried it on the password file (those were the days before shadow was made mandatory), within the first few seconds a dozen also passwords were revealed (out of a list of only couple of hundred).

Only after I changed all my passwords, then I caught my breath to start investigating whether my password was stolen. I found some comprehensive instructions on checking that in this blog. However, I couldn’t be bothered to learn the syntax of how to use openssl. So I dusted off my good old Eclipse Indigo and decided to write a few lines of Java to SHA-1 hash my password. I borrowed the source code from here. The code I used is listed below:

import java.security.MessageDigest;

public class HashMyWord {

	/**
	 * @param args
	 */
	public static void main(String[] args) throws Exception {
		String password = "password";
		 
        MessageDigest md = MessageDigest.getInstance("SHA-1");
        md.update(password.getBytes());
 
        byte byteData[] = md.digest();
 
        StringBuffer sb = new StringBuffer();
        for (int i = 0; i < byteData.length; i++) {
         sb.append(Integer.toString((byteData[i] & 0xff) + 0x100, 16).substring(1));
        }
 
        System.out.println("Hex format : " + sb.toString());
}
Luckily, my password was not among the stolen ones.