March 13, 2017
Last year, LinkedIn suffered a massive data breach where millions of passwords were leaked, and it seems that out of the entire trove of data, 35% of users were using weak passwords to begin with, while other 65% were using passwords that can be cracked.
Researchers at behavioral firewall company Preempt wanted to know how many LinkedIn accounts were weak prior to the data breach. Unfortunately, the numbers were surprising to the researchers, and not in a good way. In fact, 35% of the leaked LinkedIn passwords were already known from previous password dictionaries, which made them vulnerable from the start. Then, the other 65% of them can be easily cracked with brute force by using standard, off-the-shelf cracking hardware.
“Any person that used the same password for Linkedin as they did for their work account (or other account), is currently vulnerable within these other accounts. Unfortunately, there are many users that don’t make that connection. Their LinkedIn account was breached, so they just change their LinkedIn password, not realizing that if they are using that same password elsewhere, they are actually exposed in all of those places as well. For IT security teams, this is an unknown vulnerability they have to deal with,” researchers explain.
Even the most complex passwords could be cracked
So, the folks from Preempt compared how many passwords in LinkedIn’s password dump were already known from previous password dictionaries that had been established. They found that over 63.5 million used previously known passwords. No matter how complex these passwords are, if they’re already in some online database, they can be cracked quite easily.
Then, they looked at the other pile of data and found that those too can be easily cracked. They created three password models – low complexity, where only password lenght rules are enforced, medium complexity, where users have common ULSD patterns in their passwords (initial character is capitalized, last letter is a digit), and high complexity, where users are aware not to use common ULSD patterns.
Those low complexity passwords were cracked in less than a day, the medium ones in less than a week, and the high complexity ones in less than a month.
In short, researchers believe that password complexity rules just aren’t working because sometimes the keys people choose for their accounts can meet up all the rules, but still be weak due to password dictionaries online. Then, passwords are not as strong as they could be because people reuse them for multiple accounts.
There’s also the fact that people often use the same password patterns other do, making them easy to crack.
What’s the solution to this issue? Well, people should use longer passwords, of at least 10 characters. They should also make sure they don’t share passwords with other employees within the organizations they work for or with other cloud services.