As you have probably already heard, yesterday a hacker posted about 6.5 million unsalted SHA-1 password hashes, taken from the social networking website LinkedIn, online. I won’t post the list here, but if you want to see it for yourself, just google it. It’s there. After downloading it and wanting to do some analysis, I wrote a really simple python script that creates a hash for a given password and then searches for it in the list.
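An added example of the kind of lookup script described above (my own code, not the author’s). It hashes each candidate the way the dump stores passwords (unsalted SHA-1, hex), skips anything shorter than LinkedIn’s 6-character minimum, and also matches lines whose first five hex characters were zeroed out, a marking that appears on part of the leaked file. The dump used here is constructed inline from a handful of plaintexts; the real file is not included.

```python
import hashlib

# Constructed sample dump: digests computed here from a few plaintexts, plus
# one line with its first five hex chars replaced by "00000" to mimic the
# masked entries in the leaked file. Not the real dump.
_SEEDS = ["password", "123456", "lakers", "michael"]
SAMPLE_DUMP = [hashlib.sha1(p.encode()).hexdigest() for p in _SEEDS]
SAMPLE_DUMP.append("00000" + hashlib.sha1(b"redsox").hexdigest()[5:])


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 hex digest, the form in which the dump stores passwords."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def load_dump(lines):
    """Index dump lines into two sets: full 40-char digests, and the 35-char
    tails of digests whose first five chars were masked with zeros."""
    full, masked = set(), set()
    for line in lines:
        h = line.strip().lower()
        if len(h) != 40 or any(c not in "0123456789abcdef" for c in h):
            continue  # skip blank lines and junk
        if h.startswith("00000"):
            masked.add(h[5:])
        else:
            full.add(h)
    return full, masked


def lookup(password, full, masked, min_len=6):
    """Classify one candidate. Passwords shorter than LinkedIn's minimum
    length (6) are skipped rather than reported as absent."""
    if len(password) < min_len:
        return "skipped"
    h = sha1_hex(password)
    if h in full:
        return "found"
    if h[5:] in masked:
        return "found (masked)"
    return "not found"


def audit(candidates, dump_lines):
    """Run a whole word list (e.g. a banned-password list) against the dump."""
    full, masked = load_dump(dump_lines)
    return {pw: lookup(pw, full, masked) for pw in candidates}


if __name__ == "__main__":
    words = ["password", "redsox", "abc", "s3cureLongPhrase!"]
    for pw, status in audit(words, SAMPLE_DUMP).items():
        print(f"{pw:20} {status}")
```

Point `audit()` at the lines of a real dump file and a banned-password list to reproduce the checks in the sections below.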
More of the Same
Security firm Sophos tested the popular passwords used by the Conficker worm and found that all but two were used in the LinkedIn dump. I had similar results when I tested a list of passwords banned by twitter.com. All but ONE of the 370 common Twitter passwords, ‘access14’, appear in the LinkedIn list. (One caveat: LinkedIn does not allow passwords shorter than 6 characters, so anything shorter than that was ignored.) You can see the full results for the Twitter list here. Likewise, all of the so-called Most Popular Passwords of 2011 appear in the dump.
Your Favorite Sports Team…is Not a Good Password
After seeing terms like ‘redsox’ and ‘lakers’ frequently in the Twitter list, I decided to check the dump against popular US sports team names. The list includes (I think) every team in the NFL, NBA, NHL and MLB. Initially, it seemed that all but one, the (Arizona) ‘diamondbacks’, were in the list. But upon further review, the alternate name ‘dbacks’ appears. So I’m calling it all teams. Click here for full sports team results.
Popular Names are Popular Passwords
The Social Security Administration’s list of the 20 most popular baby names is another clean sweep. All appear in the dump. Full popular names results here.
Bold Face Names
It’s not really a surprise that people use their own name or the name of someone close to them as a password. But what about someone they (presumably) don’t know? I compiled a list of famous folks using TwitterCounter, the Most Famous People of All Time list, and lists of frequently searched-for celebs on popular search engines. These results were more mixed. A little over half were used as passwords. The full results are here. Some notes:
Your Job and your Password Suck
I also found some passwords that seem LinkedIn-specific. You probably won’t see these on any other popular password lists… HERE. Warning: profanity.
Edit 2: Rapid7 did a really good analysis of pattern frequency in the found hashes here.