Last year’s highly publicized Yahoo and LinkedIn breaches exposed millions of users’ passwords to the public and saw them for sale on the dark web.
Researchers at behavioral firewall company Preempt have analyzed the leaked LinkedIn passwords to find out how many were weak before the breach occurred.
The findings show that 35 percent of leaked LinkedIn passwords — over 63 and a half million — were already known from previous password dictionaries, making them vulnerable to offline cracking by reference to a word list of known or previously used passwords. In addition, 65 percent could be easily cracked by brute force using standard off-the-shelf cracking hardware.
All of this means the conventional technique of mixing upper and lowercase characters, symbols and digits (ULSD) to create passwords is less effective than assumed. This is partly because users re-use passwords, but also because they rotate them predictably — by adding digits to the end, for example.
Anyone using the same password for LinkedIn as they do for their work or other accounts is exposed in those other accounts as well. Unfortunately, many users don’t make that connection. Knowing LinkedIn was breached, they just change their LinkedIn password, not realizing that if they are using that same password elsewhere, they are still exposed in all of those places. For IT security teams, this is an extra vulnerability they have to deal with.
According to the research, 10-character low-complexity passwords — where only the length is enforced — can be cracked in under a day using standard hardware. Medium-complexity passwords with common ULSD patterns, for example a leading capital and a trailing number, can be cracked in less than a week. High-complexity passwords that avoid common patterns can take up to a month to crack.
The company is launching a free Preempt Inspector tool to help organizations measure their password health. The tool combines password hashes from major breaches with a dictionary of compromised credentials and weak passwords to reveal at-risk user accounts.
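To make the article's categories concrete, here is an added example (not Preempt's code or methodology) of a defender-side password health check: it buckets each account's password as already present in a breach hash set, a dictionary word with a rotation suffix, low complexity (length only), medium complexity (the leading-capital, trailing-number ULSD pattern) or high complexity. The breach hashes, word list, regex and sample accounts are all constructed for the example, and the use of unsalted SHA-1 for the breach comparison is an assumption.

```python
import hashlib
import re

# Constructed sample: SHA-1 hashes standing in for a breach dump
# (hashed from made-up strings; not real leaked data).
BREACH_HASHES = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("linkedin", "password1", "Summer2016")
}

# Constructed word list standing in for a dictionary of weak/compromised passwords.
WEAK_WORDS = {"password", "welcome", "letmein", "qwerty"}

# The common ULSD pattern the article describes: leading capital, lowercase body,
# trailing digits, optionally one trailing symbol. Hypothetical regex (an assumption).
COMMON_PATTERN = re.compile(r"^[A-Z][a-z]+\d+[!@#$%]?$")


def classify(password: str) -> str:
    """Bucket a plaintext password into the article's risk categories."""
    digest = hashlib.sha1(password.encode()).hexdigest()
    if digest in BREACH_HASHES:
        return "known-breached"
    # Strip a rotation suffix so "welcome123!" still matches the dictionary word.
    stem = re.sub(r"[\d!@#$%]+$", "", password).lower()
    if stem in WEAK_WORDS:
        return "dictionary"
    classes = sum(
        bool(re.search(pat, password)) for pat in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]")
    )
    if classes <= 1:
        return "low"      # length only, no character-class mix
    if COMMON_PATTERN.match(password):
        return "medium"   # predictable ULSD arrangement
    return "high"


def audit(accounts: dict) -> dict:
    """Map each user to a risk bucket; accounts is {user: plaintext} (constructed)."""
    return {user: classify(pw) for user, pw in accounts.items()}


if __name__ == "__main__":
    SAMPLE = {
        "alice": "Summer2016",    # reused from the constructed "breach"
        "bob": "welcome123!",     # dictionary word plus rotation suffix
        "carol": "abcdefghij",    # 10 characters, length only
        "dave": "Hockey2017",     # leading capital, trailing number
        "erin": "kZ8#tr!Qm2vL",   # no common pattern
    }
    for user, bucket in audit(SAMPLE).items():
        print(f"{user:6s} {bucket}")
```

In a real audit the plaintexts would not be available; the same bucketing would run at password-set time or against an organization's own hashes compared with breach hash sets.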
“Recent breaches such as those at Yahoo and LinkedIn exposed millions of passwords signaling a significant risk to those users and their companies as users too often use the same passwords for work and personal accounts and often times don’t know their passwords have been stolen in the first place. Furthermore, password rules, which many enterprises employ, can allow users to create weak passwords that can easily be cracked,” says Ajit Sancheti, CEO and co-founder of Preempt. “The Preempt Inspector application identifies such weak passwords and ensures organizations are not at risk because of another company’s breach, putting account password security posture at the security team’s fingertips.”
You can find out more about the LinkedIn password analysis on the Preempt blog.
Image Credit: Africa Studio / Shutterstock