LinkedIn Hashdump and Passwords

LINKEDIN HASHDUMP AND PASSWORDS

Unless you have been living under a rock (not judging, just that you may not get wireless there) you should have heard about the 2012 LinkedIn data leak. The hacker has released about 6.5 million hashes. So, to start things off, the hashdump is here. Ok, go ahead and unzip that. What you will see is that the dump has 6,458,020 entries. Now somethings you will notice when inspecting this file:

The hashes are SHA1, unsalted
There are no repeated hashes. Probablt means that this list was already sorted and optimized for cracking by the hacker
There are a bunch of hashes starting with 00000. Current thinking is that these are the ones already cracked by the hacker and they are trying to mask those hashes.

So first things... WTF LinkedIn!!! Agreed and moving on...

Once you have unzipped the zip file, you will want to sort the list into masked and unmasked hashes. Being a linux CLI snob I would suggest something like:

> cat ./combo_not.txt | grep -E "^00000" > masked.lst > cat ./combo_not.txt | grep -vE "^00000" > unmasked.lst

Now the reason for doing this is you are going to download hashcat (homepage here), but the special version is the one you want (see here). The reason you want this special version is because it has a tweaked MD5 variant specifically aimed at those masked hashes. You see, even with the first 5 characters masked the SHA1 hash is pretty much unique, and with the mask being all "0", it makes it even easier to tell which are masked. So if you take a look at those 2 seperated lists youwill see there are 3,521,180 masked entries and 2,936,840 unmasked entries. When you use hashcat, use "-m 150" for the masked hashes and "-m 100" for the unmasked hashes.

Now none of this is that new, but I think this list is very important since this is an actual verified list of user passwords. Not a dictionary of "could be" but a list of "has been". This means from a reuse point of view it is very useful. For that reason I am putting up the list of hashes I have already cracked. I do not have a dedicated cracking rig or GPU's or Amazon or such, this is just little old me plugging away at the list. Get it here. (link now updated as below)

That list is a snapshot of where I am in the cracking process, specifically:

masked (150) = 2746578 of 3521180 / 78% done (774602 left) unmasked (100) = 852784 of 2936840 / 29% done (2084056 left) total = 3599362 of 6458020 / 55% done

So if you have not started cracking the linkedin hashes, using that list will get you to where I am at least. I am still working away at it and as I get significant updates I will post those updated lists.Grab the files and have fun.

Update - 9 September 2012
Ok, I have made some large gains:

masked (150) = 3108522 of 3521180 / 88% done (412658 left) unmasked (100) = 1647836 of 2936840 / 56% done (1289004 left) total = 4756358 of 6458020 / 73% done

The updated dictionary is here, and the specific non-standard rules that have worked for me is here.

Update - 20 September 2012
Ok, I have gotten past 80% cracked, so here is the latest dictionary and dictionary analysis. The exact figures are:

masked (150) = 3274239 of 3521180 / 92% done (246941 left) unmasked (100) = 2022350 of 2936840 / 68% done (914490 left) total = 5296589 of 6548020 / 82% done

Now before I get into the analysis of the passwords, I browsed through them for interest's sake. Now I know we often say these bad passwords are chosen by users who do not know about good passwords, but is that always true? hmmmm...

# grep -iE "cissp" ./linked.dic 1amcissp! Cisa+cissp cisacissp cissp02 Cissp1 Cissp@1 Cissp10kn cissp@123 Cissp1804 cissp@2001 cissp2004 cissp2007 Cissp2008! cissp2008 Cissp@2009 cissp2c4 cissp324324 cissp53176 cisspg1ac cisspgiac Cisspin2010 cissplinkedin cisspnitro cisspwmn iwbacissp2

Come on guys! You of all the users should know better. Now lastly the password analysis (thanks to "pipal"):

Total entries = 4828004 Total unique entries = 4828004 Top 10 base words linkedin = 5576 (0.12%) link = 3135 (0.06%) linked = 2602 (0.05%) alex = 1444 (0.03%) mike = 1362 (0.03%) june = 1236 (0.03%) password = 1209 (0.03%) love = 1183 (0.02%) john = 1123 (0.02%) july = 1006 (0.02%) Password length (length ordered) 6 = 577915 (11.97%) 7 = 596908 (12.36%) 8 = 1573531 (32.59%) 9 = 841871 (17.44%) 10 = 579995 (12.01%) 11 = 298682 (6.19%) 12 = 179508 (3.72%) 13 = 89985 (1.86%) 14 = 51039 (1.06%) 15 = 24680 (0.51%) 16 = 12007 (0.25%) 17 = 960 (0.02%) 18 = 478 (0.01%) 19 = 206 (0.0%) 20 = 114 (0.0%) 21 = 53 (0.0%) 22 = 28 (0.0%) 23 = 16 (0.0%) 24 = 20 (0.0%) 25 = 6 (0.0%) 26 = 6 (0.0%) 27 = 4 (0.0%) 28 = 2 (0.0%) 29 = 2 (0.0%) 30 = 4 (0.0%) 32 = 3 (0.0%) 34 = 2 (0.0%) 36 = 3 (0.0%) 40 = 2 (0.0%) 48 = 2 (0.0%) 54 = 3 (0.0%) Password length (count ordered) 8 = 1573531 (32.59%) 9 = 841871 (17.44%) 7 = 596908 (12.36%) 10 = 579995 (12.01%) 6 = 577915 (11.97%) 11 = 298682 (6.19%) 12 = 179508 (3.72%) 13 = 89985 (1.86%) 14 = 51039 (1.06%) 15 = 24680 (0.51%) 16 = 12007 (0.25%) 17 = 960 (0.02%) 18 = 478 (0.01%) 19 = 206 (0.0%) 20 = 114 (0.0%) 21 = 53 (0.0%) 22 = 28 (0.0%) 24 = 20 (0.0%) 23 = 16 (0.0%) 26 = 6 (0.0%) 25 = 6 (0.0%) 27 = 4 (0.0%) 30 = 4 (0.0%) 54 = 3 (0.0%) 36 = 3 (0.0%) 32 = 3 (0.0%) 34 = 2 (0.0%) 48 = 2 (0.0%) 40 = 2 (0.0%) 29 = 2 (0.0%) 28 = 2 (0.0%) | | | | | | | || || ||| ||||| ||||| |||||| |||||| ||||||| |||||||||||||||||||||||||||||||||||||||||||||||||||||||| 00000000001111111111222222222233333333334444444444555555 01234567890123456789012345678901234567890123456789012345 One to six characters = 577914 (11.97%) One to eight characters = 2748351 (56.93%) More than eight characters = 2079653 (43.07%) Only lowercase alpha = 1065868 (22.08%) Only uppercase alpha = 27207 (0.56%) Only alpha = 1093075 (22.64%) Only numeric = 200998 (4.16%) First capital last symbol = 67540 (1.4%) First capital last number = 557923 (11.56%) Months january = 305 (0.01%) february = 137 (0.0%) march = 1305 (0.03%) april = 1568 (0.03%) may = 8764 (0.18%) june = 2443 (0.05%) july = 1681 (0.03%) august = 965 (0.02%) september = 229 (0.0%) october = 476 (0.01%) november = 372 (0.01%) december = 360 (0.01%) Days monday = 296 (0.01%) tuesday = 118 (0.0%) wednesday = 45 (0.0%) thursday = 59 (0.0%) friday = 325 (0.01%) saturday = 55 (0.0%) sunday = 173 (0.0%) Months (Abreviated) jan = 15108 (0.31%) feb = 2215 (0.05%) mar = 56172 (1.16%) apr = 4718 (0.1%) may = 8764 (0.18%) jun = 7386 (0.15%) jul = 9253 (0.19%) aug = 4507 (0.09%) sept = 1260 (0.03%) oct = 3450 (0.07%) nov = 5743 (0.12%) dec = 4703 (0.1%) Days (Abreviated) mon = 25941 (0.54%) tues = 180 (0.0%) wed = 1935 (0.04%) thurs = 128 (0.0%) fri = 6001 (0.12%) sat = 5302 (0.11%) sun = 10382 (0.22%) Includes years 1975 = 4134 (0.09%) 1976 = 4094 (0.08%) 1977 = 4209 (0.09%) 1978 = 4483 (0.09%) 1979 = 4358 (0.09%) 1980 = 5324 (0.11%) 1981 = 4691 (0.1%) 1982 = 4756 (0.1%) 1983 = 4130 (0.09%) 1984 = 4136 (0.09%) 1985 = 3253 (0.07%) 1986 = 2618 (0.05%) 1987 = 2154 (0.04%) 1988 = 1760 (0.04%) 1989 = 1590 (0.03%) 1990 = 1515 (0.03%) 1991 = 1416 (0.03%) 1992 = 1303 (0.03%) 1993 = 1311 (0.03%) 1994 = 1525 (0.03%) 1995 = 1797 (0.04%) 1996 = 1969 (0.04%) 1997 = 2059 (0.04%) 1998 = 2441 (0.05%) 1999 = 2885 (0.06%) 2000 = 9710 (0.2%) 2001 = 5775 (0.12%) 2002 = 5431 (0.11%) 2003 = 5349 (0.11%) 2004 = 5826 (0.12%) 2005 = 6780 (0.14%) 2006 = 7372 (0.15%) 2007 = 8792 (0.18%) 2008 = 11496 (0.24%) 2009 = 7508 (0.16%) 2010 = 10801 (0.22%) 2011 = 12783 (0.26%) 2012 = 4229 (0.09%) 2013 = 553 (0.01%) 2014 = 416 (0.01%) 2015 = 468 (0.01%) 2016 = 381 (0.01%) 2017 = 374 (0.01%) 2018 = 375 (0.01%) 2019 = 641 (0.01%) 2020 = 1604 (0.03%) Years (Top 10) 2011 = 12783 (0.26%) 2008 = 11496 (0.24%) 2010 = 10801 (0.22%) 2000 = 9710 (0.2%) 2007 = 8792 (0.18%) 2009 = 7508 (0.16%) 2006 = 7372 (0.15%) 2005 = 6780 (0.14%) 2004 = 5826 (0.12%) 2001 = 5775 (0.12%) Colours black = 2875 (0.06%) blue = 6985 (0.14%) brown = 1547 (0.03%) gray = 846 (0.02%) green = 3433 (0.07%) orange = 1065 (0.02%) pink = 2445 (0.05%) purple = 821 (0.02%) red = 18434 (0.38%) white = 1580 (0.03%) yellow = 826 (0.02%) violet = 361 (0.01%) indigo = 229 (0.0%) Single digit on the end = 545026 (11.29%) Two digits on the end = 795453 (16.48%) Three digits on the end = 290718 (6.02%) Last number 0 = 244042 (5.05%) 1 = 518436 (10.74%) 2 = 278306 (5.76%) 3 = 287714 (5.96%) 4 = 202720 (4.2%) 5 = 202908 (4.2%) 6 = 183191 (3.79%) 7 = 217718 (4.51%) 8 = 201831 (4.18%) 9 = 209177 (4.33%) | | | | | | | ||| |||| |||||| ||| |||||||||| |||||||||| |||||||||| |||||||||| |||||||||| |||||||||| 0123456789 Last digit 1 = 518436 (10.74%) 3 = 287714 (5.96%) 2 = 278306 (5.76%) 0 = 244042 (5.05%) 7 = 217718 (4.51%) 9 = 209177 (4.33%) 5 = 202908 (4.2%) 4 = 202720 (4.2%) 8 = 201831 (4.18%) 6 = 183191 (3.79%) Last 2 digits (Top 10) 23 = 87420 (1.81%) 01 = 81983 (1.7%) 11 = 71694 (1.48%) 12 = 61702 (1.28%) 00 = 55743 (1.15%) 10 = 50602 (1.05%) 07 = 41463 (0.86%) 08 = 39126 (0.81%) 99 = 36313 (0.75%) 22 = 32701 (0.68%) Last 3 digits (Top 10) 123 = 61137 (1.27%) 007 = 17676 (0.37%) 000 = 15948 (0.33%) 234 = 14526 (0.3%) 001 = 13723 (0.28%) 011 = 12475 (0.26%) 008 = 11516 (0.24%) 010 = 11467 (0.24%) 111 = 8535 (0.18%) 009 = 7831 (0.16%) Last 4 digits (Top 10) 1234 = 12776 (0.26%) 2011 = 10312 (0.21%) 2008 = 9727 (0.2%) 2010 = 8781 (0.18%) 2000 = 8259 (0.17%) 2007 = 7436 (0.15%) 2006 = 6222 (0.13%) 2009 = 6209 (0.13%) 2005 = 5616 (0.12%) 2004 = 4863 (0.1%) Last 5 digits (Top 10) 12345 = 3381 (0.07%) 23456 = 1582 (0.03%) 54321 = 485 (0.01%) 00000 = 365 (0.01%) 11111 = 322 (0.01%) 56789 = 240 (0.0%) 55555 = 239 (0.0%) 45678 = 231 (0.0%) 77777 = 228 (0.0%) 34567 = 213 (0.0%) Character sets loweralphanum: 2177086 (45.09%) loweralpha: 1065868 (22.08%) mixedalphanum: 720134 (14.92%) numeric: 200998 (4.16%) loweralphaspecialnum: 176669 (3.66%) mixedalphaspecialnum: 173359 (3.59%) mixedalpha: 120959 (2.51%) upperalphanum: 60730 (1.26%) loweralphaspecial: 53249 (1.1%) upperalpha: 27207 (0.56%) mixedalphaspecial: 24751 (0.51%) upperalphaspecialnum: 10095 (0.21%) specialnum: 3807 (0.08%) upperalphaspecial: 1653 (0.03%) special: 266 (0.01%) Character set ordering stringdigit: 1924545 (39.86%) allstring: 1214034 (25.15%) othermask: 553290 (11.46%) stringdigitstring: 475304 (9.84%) alldigit: 200998 (4.16%) digitstring: 199795 (4.14%) stringspecialdigit: 115330 (2.39%) digitstringdigit: 71770 (1.49%) stringspecialstring: 44748 (0.93%) stringspecial: 21702 (0.45%) specialstring: 3595 (0.07%) specialstringspecial: 2627 (0.05%) allspecial: 266 (0.01%) Hashcat masks (Top 10) ?l?l?l?l?l?l?l?l: 238759 (4.95%) ?l?l?l?l?l?l?d?d: 183613 (3.8%) ?l?l?l?l?l?l: 175640 (3.64%) ?l?l?l?l?l?l?l?l?l: 163643 (3.39%) ?l?l?l?l?l?l?l: 148896 (3.08%) ?l?l?l?l?l?l?l?l?l?l: 137280 (2.84%) ?l?l?l?l?d?d?d?d: 107497 (2.23%) ?d?d?d?d?d?d: 93337 (1.93%) ?l?l?l?l?l?l?l?l?l?l?l: 84669 (1.75%) ?l?l?l?l?l?l?l?d: 81490 (1.69%)

Update - 12-Dec-2012:
I have moved all new progress to a page specifically for hashdumps and cracking them. Please go there for the latest progress and dictionary.