LinkedIn came in for heavy criticism following a major attack last week in which hackers walked away with millions of user password hashes and possibly account details. The company has since hired external forensics experts to assist its in-house engineers and the FBI in establishing how the attackers operated.
In the meantime, researchers are working overtime to crack the hashed passwords that the hackers posted in an online forum. The motive of this exercise is twofold: to understand how the hackers recovered the passwords, and to understand how strong the passwords were in the first place.
The researchers applied cracking tools such as graphics processors (GPUs) and brute-force techniques to recover the original passwords from the hashes. While simple passwords are recovered quickly, long passwords that mix capital letters, numbers and symbols remain difficult to recover.
One cracking method is comparing hashes with ones already cracked in other data breaches. For instance, the breaches that affected Stratfor Global Intelligence and MilitarySingles.com, which used the same SHA-1 algorithm, generated a list of hashes that is now in the public domain. Applying such lists produced 5,000 matches in the LinkedIn hash list.
The bulk of the recoveries, however, come from brute-force attempts, which cycle through a practically endless series of permutations and combinations of candidate text. The software used for the purpose tries anywhere from 700 to 800 million to 5 billion word combinations a second, and even after almost a week's work it has recovered only about 50,000 LinkedIn hashes.
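The cross-breach matching described above only works because every site hashed the same password to the same digest. The following Python example, added here and not code from the article or from any of the researchers it describes, shows that equality lookup against a list recovered elsewhere succeeds against unsalted SHA-1 (assumed to be the scheme in play) and fails once a per-user salt is added, and how a deliberately slow hash further raises the cost of each guess. All passwords and salts are constructed sample data.

```python
import hashlib
import os

# Constructed sample list standing in for passwords recovered from another breach.
KNOWN_FROM_OTHER_BREACH = {"password1", "letmein", "linkedin"}


def unsalted_sha1(password: str) -> str:
    """Plain SHA-1: the same password yields the same digest on every site."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_sha1(password: str, salt: bytes) -> str:
    """SHA-1 over a per-user random salt plus the password; equal passwords
    now produce different digests, so a list from another site cannot match."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def slow_hash(password: str, salt: bytes, rounds: int = 200_000) -> str:
    """PBKDF2-HMAC-SHA256: salted and deliberately expensive, so each guess
    costs thousands of hash operations instead of one."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds).hex()


def cross_breach_matches(stored_hashes, known_passwords):
    """Return {digest: password} for stored digests equal to the unsalted SHA-1
    of a password already recovered elsewhere (the lookup attack in the text)."""
    table = {unsalted_sha1(p): p for p in known_passwords}
    return {h: table[h] for h in stored_hashes if h in table}


def demo():
    """Constructed user database hashed both ways; returns the match counts."""
    users = {"alice": "password1", "bob": "Tr0ub4dor&3", "carol": "letmein"}
    unsalted = {u: unsalted_sha1(p) for u, p in users.items()}
    salts = {u: os.urandom(16) for u in users}
    salted = {u: salted_sha1(p, salts[u]) for u, p in users.items()}
    plain_hits = cross_breach_matches(unsalted.values(), KNOWN_FROM_OTHER_BREACH)
    salted_hits = cross_breach_matches(salted.values(), KNOWN_FROM_OTHER_BREACH)
    return len(plain_hits), len(salted_hits)


if __name__ == "__main__":
    print("matches (unsalted, salted):", demo())
```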
The choice of text base for the software is arbitrary. The researchers here had the program draw passphrase strings from famous literary works such as Charles Dickens's "A Tale of Two Cities," Leo Tolstoy's "War and Peace," and others. After exhausting such literary works, the researchers plan to apply financial and business-related text. Another program mines Twitter for word combinations.
The difficult and time-consuming nature of cracking hashed passwords is perhaps of some solace to the victims of the attack, especially since there are no reports as of now of any accounts having been compromised using the stolen data.