Password Security Catch-All Thread [2015-06-16: Update your LastPass master password]

*Legion* wrote:
Tanglebones wrote:

How would I go about finding what the hash is for my password?

$ echo -n 'my-password' | sha1sum

Or find a website that takes input and spits out the SHA1 hash of whatever you paste in.

Or you could use HashTab.

EDIT: Grepped the last half of a few password hashes to make sure, but mine's thankfully not in there.
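Added example (not code from the thread or from LinkedIn): the `echo -n | sha1sum` check above, scripted so it can be run against a copy of the list. The dump here is constructed inside the script from a few known passwords; the assumption that the "00000" entries are digests whose first five hex digits were blanked is the editor's, based only on the posts above, which is why the script also tries the "grep the last half" approach several posters used.

```python
import hashlib
from typing import List, Set

# Assumption: the entries that "had the 00000s" are ordinary SHA-1 digests
# whose first five hex digits were overwritten with zeros.
ZEROED_PREFIX_LEN = 5


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 of the password bytes, with no trailing newline (the -n in the thread's echo)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def zero_prefix(digest: str, n: int = ZEROED_PREFIX_LEN) -> str:
    """Blank the first n hex digits of a digest, mimicking the '00000' entries."""
    return "0" * n + digest[n:]


# Constructed stand-in for the leaked list: one lowercase hex SHA-1 per line.
SAMPLE_DUMP = "\n".join([
    sha1_hex("correct horse battery staple"),
    zero_prefix(sha1_hex("password")),
    zero_prefix(sha1_hex("linkedin")),
    sha1_hex("Tr0ub4dor&3"),
]) + "\n"


def load_dump(text: str) -> Set[str]:
    """Parse a dump into a set of lowercase 40-hex digests, ignoring blank or malformed lines."""
    hashes = set()
    for line in text.splitlines():
        line = line.strip().lower()
        if len(line) == 40 and all(c in "0123456789abcdef" for c in line):
            hashes.add(line)
    return hashes


def check_password(password: str, dump: Set[str]) -> str:
    """Return 'exact', 'masked' (matches once the prefix is zeroed) or 'absent'."""
    h = sha1_hex(password)
    if h in dump:
        return "exact"
    if zero_prefix(h) in dump:
        return "masked"
    return "absent"


def tail_matches(password: str, dump: Set[str]) -> List[str]:
    """The 'grep the last half' approach: any entry ending in the digest's last 20 hex digits."""
    tail = sha1_hex(password)[20:]
    return sorted(d for d in dump if d.endswith(tail))


if __name__ == "__main__":
    dump = load_dump(SAMPLE_DUMP)
    for pw in ["password", "correct horse battery staple", "hunter2"]:
        print(f"{pw!r}: {check_password(pw, dump)}  tail hits: {tail_matches(pw, dump)}")
```

Two things to watch when doing this by hand: `echo` without `-n` hashes the password plus a newline and will never match, and a password pasted into a random "SHA-1 calculator" website has just been handed to a third party, so rotate it afterwards regardless of the result.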

Bonus_Eruptus wrote:
*Legion* wrote:
Tanglebones wrote:

How would I go about finding what the hash is for my password?

$ echo -n 'my-password' | sha1sum

Or find a website that takes input and spits out the SHA1 hash of whatever you paste in.

Or you could use HashTab.

EDIT: Grepped the last half of a few password hashes to make sure, but mine's thankfully not in there.

Doesn't seem like mine is, either.

Not only did I find mine but it had the 00000s.

Mine was not in there. The grouping of the hashes is strange. Why would they be sorted starting at the 33rd position?

It's a Freemason conspiracy!

Ah, we have a thread for this.

At this point I'm a total convert to password managers and unique passwords for everything.

LinkedIn not admitting anything yet, but starts offering up the boilerplate password security lecture.

EDIT: Oh, now LinkedIn admitting "some" password hashes do correspond with LinkedIn accounts.

They say that passwords set now "benefit from the enhanced security we just recently put in place, which includes hashing and salting of our current password databases."

Possibly that is why some people have not been able to find their hashes when searching for an unsalted SHA1 hash of their password. It could be the case that more recently set passwords are salted.
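Added example, not code from the thread and not a description of what LinkedIn actually deployed: why the unsalted-SHA-1 grep stops working once a site salts its hashes. Two users with the same password get the same bare SHA-1, so one lookup covers everyone; with a per-user random salt every record differs and each candidate has to be re-hashed against each record. PBKDF2-HMAC-SHA256 is this example's choice of slow hash, picked as an illustration only.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Set


def unsalted_sha1(password: str) -> str:
    """What the leaked entries were: a bare SHA-1, identical for every user who chose that password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def make_record(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> Dict[str, object]:
    """Store a per-user random salt plus a slow PBKDF2-HMAC-SHA256 digest (example scheme, not LinkedIn's)."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": dk.hex()}


def verify(password: str, record: Dict[str, object]) -> bool:
    """Recompute with the stored salt and iteration count, then compare in constant time."""
    dk = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(str(record["salt"])),
        int(record["iterations"]),
    )
    return hmac.compare_digest(dk.hex(), str(record["hash"]))


def unsalted_hits(password: str, leaked: Set[str]) -> bool:
    """The thread's check: does a bare SHA-1 of my password appear in the leaked set?"""
    return unsalted_sha1(password) in leaked


def salted_hits(password: str, leaked_records: List[Dict[str, object]]) -> List[int]:
    """Same check against salted records: one full PBKDF2 run per record, because each salt differs."""
    return [i for i, rec in enumerate(leaked_records) if verify(password, rec)]


if __name__ == "__main__":
    alice = make_record("linkedin")
    bob = make_record("linkedin")
    print("same unsalted hash:", unsalted_sha1("linkedin") == unsalted_sha1("linkedin"))
    print("same salted hash:  ", alice["hash"] == bob["hash"])
    print("grep-style lookup finds the bare entry:", unsalted_hits("linkedin", {unsalted_sha1("linkedin")}))
    print("salted lookup, record indexes that verify:", salted_hits("linkedin", [alice, bob]))
```

The point for the thread: if your password was set after the salting change, searching the list for `sha1(password)` tells you nothing either way, because the stored value now depends on a salt you do not have.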

Does talking about passwords make anyone else hungry?

I didn't check my hash, since I didn't care. It was one of my strong unique KeePass passwords so I just generated another one.

$ echo -n 'my-password' | sha1s1m b4skur

Gravey wrote:

Does talking about passwords make anyone else hungry?

Corned beef- or the -brown variety? At least I know how to season it.

The SHA1 and finding your hash stuff is all gibberish to me. Would it just be safe to make a new, long, random password via lastpass?

Quintin_Stone wrote:

I didn't check my hash, since I didn't care. It was one of my strong unique KeePass passwords so I just generated another one.

This is how password management life should be for users.

I only checked my hash out of interest in seeing if the hash list was what it claimed to be or not.

mrtomaytohead wrote:
Gravey wrote:

Does talking about passwords make anyone else hungry?

Corned beef- or the -brown variety? At least I know how to season it.

Gravey on hash?

mrtomaytohead wrote:

The SHA1 and finding your hash stuff is all gibberish to me. Would it just be safe to make a new, long, random password via lastpass?

Take the following with a grain of salt:

My assumption is that, as long as your password was not used for anything else, the only thing that they would have access to is the data in your LinkedIn account (which, if it's connected to Facebook, might be quite a bit, but still...). Making a new password would mean that anyone who stole the old password gets nothing, because you changed it. Finding your hash is mainly useful to figure out if anyone could have had access to the account, or if your particular password was compromised. As long as you didn't use the same password elsewhere you won't lose anything going forward. There's the slight chance of someone having already accessed your private data, but that's all the more reason to change your password in a hurry.

Also note that it's believed that this list is only the hard passwords, the ones the hacker couldn't decrypt himself. So if your password isn't on this list, it may be because it was already blown wide open.

edit to add:

the enhanced security we just recently put in place

They didn't say how recently. I bet they didn't start doing that until after they realized they'd been compromised.

As someone on MeFi noted, this is the same company that shrieked and yelled and made everyone change passwords after the Gawker compromise. What a bunch of knuckleheads.

Malor wrote:

Also note that it's believed that this list is only the hard passwords, the ones the hacker couldn't decrypt himself. So if your password isn't on this list, it may be because it was already blown wide open.

That seems unlikely, given that the SHA1 hashes for "password", "linkedin" and a lot of other softballs are among the entries on the list.

edit to add:
the enhanced security we just recently put in place

They didn't say how recently. I bet they didn't start doing that until after they realized they'd been compromised.

Quite possibly, although if it did happen beforehand, it would explain why some people don't find their hashes.

It's 6.5 mil password hashes and there are 125 mil accounts, but given how many accounts will have the same passwords, especially on the knucklehead end of the scale, that 6.5 million accounts for *way* more than 6.5 million users.

*Legion* wrote:
Malor wrote:

Also note that it's believed that this list is only the hard passwords, the ones the hacker couldn't decrypt himself. So if your password isn't on this list, it may be because it was already blown wide open.

That seems unlikely, given that the SHA1 hashes for "password", "linkedin" and a lot of other softballs are among the entries on the list.

edit to add:
the enhanced security we just recently put in place

They didn't say how recently. I bet they didn't start doing that until after they realized they'd been compromised.

Quite possibly, although if it did happen beforehand, it would explain why some people don't find their hashes.

It's 6.5 mil password hashes and there are 125 mil accounts, but given how many accounts will have the same passwords, especially on the knucklehead end of the scale, that 6.5 million accounts for *way* more than 6.5 million users.

I wonder how much re-use/entropy there actually is in a password database for 125mil user accounts? How many accounts does 6.5 million hashes actually equate to?

DanB wrote:

I wonder how much re-use/entropy there actually is in a password database for 125mil user accounts? How many accounts does 6.5 million hashes actually equate to?

Depends on how many of them were "password"

Gremlin wrote:
DanB wrote:

I wonder how much re-use/entropy there actually is in a password database for 125mil user accounts? How many accounts does 6.5 million hashes actually equate to?

Depends on how many of them were "password"

Totally. Would be interesting to know the average number of accounts per hash.

Lastpass has posted sites for checking if your LinkedIn or your eHarmony passwords were among those leaked.

I love Lastpass.

According to the Lastpass page, eHarmony's passwords were hashed with MD5. *sigh*

*Legion* wrote:

Lastpass has posted sites for checking if your LinkedIn or your eHarmony passwords were among those leaked.

I love Lastpass.

According to the Lastpass page, eHarmony's passwords were hashed with MD5. *sigh*

Whoa whoa whoa now.. What's wrong with MD5?

IMAGE(http://4.bp.blogspot.com/-3VnKdHi57FQ/TrQbXm_zg3I/AAAAAAAABwU/B1a0w7z96UE/s1600/Airplane-Movie1-500x312.jpg)

*Legion* wrote:

Lastpass has posted sites for checking if your LinkedIn or your eHarmony passwords were among those leaked.

I love Lastpass.

According to the Lastpass page, eHarmony's passwords were hashed with MD5. *sigh*

I'm an awful skimmer: what's the best password keeper thing right now, preferably one that's easy to use across my desktop and other devices.

SixteenBlue wrote:
*Legion* wrote:

Lastpass has posted sites for checking if your LinkedIn or your eHarmony passwords were among those leaked.

I love Lastpass.

According to the Lastpass page, eHarmony's passwords were hashed with MD5. *sigh*

I'm an awful skimmer: what's the best password keeper thing right now, preferably one that's easy to use across my desktop and other devices.

You are the awfulest skimmer.

(It's LastPass.)

Gravey wrote:
SixteenBlue wrote:
*Legion* wrote:

Lastpass has posted sites for checking if your LinkedIn or your eHarmony passwords were among those leaked.

I love Lastpass.

According to the Lastpass page, eHarmony's passwords were hashed with MD5. *sigh*

I'm an awful skimmer: what's the best password keeper thing right now, preferably one that's easy to use across my desktop and other devices.

You are the awfulest skimmer.

(It's LastPass.)

I'm aware. To be fair I'm not even actually a skimmer, I read it, but some of the thread is old and I couldn't keep it all in my head anymore. Sometimes my brain just shuts down.

SixteenBlue wrote:

I'm an awful skimmer: what's the best password keeper thing right now, preferably one that's easy to use across my desktop and other devices.

LastPass. Provided you're OK with putting a small amount of trust in an online provider. (It is confirmed that your passwords are stored remotely as an encrypted blob, and that your key never leaves your system - these are verifiable by traffic analysis. But you are trusting that they don't suddenly become malicious and push an update to the app that changes this behavior).

If you're not OK with even this marginal level of trust in LastPass, then you can replicate the same sort of setup (storing an encrypted blob on cloud storage) with KeePass or 1Password and a Dropbox account. But in return, you lose some of the niceties that LastPass provides.

And if you refuse to even allow your encrypted blob to be stored online anywhere at all, then you can do KeePass or 1Password with an offline vault that you keep stored on a portable drive or something.

*Legion* wrote:
SixteenBlue wrote:

I'm an awful skimmer: what's the best password keeper thing right now, preferably one that's easy to use across my desktop and other devices.

LastPass. Provided you're OK with putting a small amount of trust in an online provider. (It is confirmed that your passwords are stored remotely as an encrypted blob, and that your key never leaves your system - these are verifiable by traffic analysis. But you are trusting that they don't suddenly become malicious and push an update to the app that changes this behavior).

If you're not OK with even this marginal level of trust in LastPass, then you can replicate the same sort of setup (storing an encrypted blob on cloud storage) with KeePass or 1Password and a Dropbox account. But in return, you lose some of the niceties that LastPass provides.

And if you refuse to even allow your encrypted blob to be stored online anywhere at all, then you can do KeePass or 1Password with an offline vault that you keep stored on a portable drive or something.

This is the exact breakdown I needed. Thank you very much.

LastPass it is.

*Legion* wrote:
SixteenBlue wrote:

I'm an awful skimmer: what's the best password keeper thing right now, preferably one that's easy to use across my desktop and other devices.

LastPass. Provided you're OK with putting a small amount of trust in an online provider. (It is confirmed that your passwords are stored remotely as an encrypted blob, and that your key never leaves your system - these are verifiable by traffic analysis. But you are trusting that they don't suddenly become malicious and push an update to the app that changes this behavior).

Technically you are also trusting that their closed source software is actually doing everything that they say it is doing. But yeah your summary is totally on the money.

In the middle of a yearly online security awareness training thing I have to take:

Password Advice

Your password should not be the name of your pet.

It should not be the same as the name of your pet’s vet, Brett.

It should not be the name of a famous brunette.

Or a family member who plays roulette,
Not even one who wins every bet.

If you're Romeo, don't use Juliet.

Do not use the name of anyone you have met.

It should not be the tag on your Corvette.

It should not be the registration of your private jet.

I was amused.

So it can be the name of a famous redhead?