Hacker News

I quickly wrote a script to do this locally, not the most efficient, but I'm at work ;)

https://github.com/hungtruong/LinkedIn-Password-Checker
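A local checker in the same spirit, written here as an added example (not the code from the linked repository). The sample dump is constructed inline, and the digest extraction tolerates the `  -` suffix of `sha1sum` and the `(stdin)= ` prefix of `openssl sha1` that come up later in this thread; the dump file path on the command line is assumed.

```python
import hashlib
import re
import sys
from getpass import getpass

HEX40 = re.compile(r"\b[0-9a-fA-F]{40}\b")

def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 hex digest, the form the leaked list uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def extract_hash(line: str):
    """Pull the 40-hex digest out of a line, tolerating the decorations
    discussed in the thread: sha1sum's trailing '  -' and openssl's
    '(stdin)= ' prefix. Returns None when no digest is present."""
    m = HEX40.search(line)
    return m.group(0).lower() if m else None

def load_hashes(lines):
    """Build a set of digests from dump lines; blank or junk lines are skipped."""
    found = set()
    for line in lines:
        h = extract_hash(line)
        if h:
            found.add(h)
    return found

def check_passwords(candidates, hashes):
    """Map each candidate password to whether its SHA-1 is in the dump.
    Everything stays on this machine: nothing is sent to any web form."""
    return {p: sha1_hex(p) in hashes for p in candidates}

# Constructed sample dump (not the real combo_not.txt): digests of two
# made-up passwords, in the two tool-output shapes from the thread, plus
# a blank line and a comment line that must be ignored.
SAMPLE_DUMP = [
    sha1_hex("hunter2example") + "  -",        # sha1sum style
    "(stdin)= " + sha1_hex("correcthorse99"),  # openssl sha1 style
    "",
    "# not a hash",
]

def main(argv):
    # Assumed usage: python checker.py combo_not.txt (falls back to the sample)
    path = argv[1] if len(argv) > 1 else None
    lines = open(path, encoding="utf-8", errors="ignore") if path else SAMPLE_DUMP
    hashes = load_hashes(lines)
    pw = getpass("Password to check (not echoed, not transmitted): ")
    print("LEAKED" if check_passwords([pw], hashes)[pw] else "not in list")

if __name__ == "__main__":
    main(sys.argv)
```

Using `getpass` keeps the password out of the shell history that a `printf mypassword | sha1sum` one-liner leaves behind.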



Thank you. Worked for me as well...

I wonder what kind of bonkers executive at LI decided it would not be a good idea to do a sweeping wipe of all passwords on their systems...

    def force_pw_reset(user):
      user.pw = rand
      user.sendResetEmail()

    for user in users:
      force_pw_reset(user)
(note to LI: this isn't real code; don't use)


Now just send phishing emails with fake reset links to your targets at the same time. Password reset should be enforced at first login.


Ah yes, didn't consider that...you are correct--reset should be forced on login.

Though I doubt any of the above will happen. Wouldn't want the user to be inconvenienced now would we?


Wait till it gets more publicity.


What is standard practice for a situation where users have lost access to the email account they signed up with?

A large forum I post on was hacked recently and - after voluntarily shutting their site down for a month - they required password resets. If users did not have access to the email address they signed up with and couldn't otherwise verify their identity, they were not allowed to get their account back.

Unsurprisingly, post counts are down site-wide and the owners have reported a > 25% decrease in traffic.


You can ask for previous passwords, if there are any payments involved you can ask for the transaction ids, obviously if you have secret questions or verified mobile you can ask for that.

Of course all of those things can be used to gain access to the account by an attacker, without actually knowing the password. See the recent Cloudflare incident. Google will notify you about the recovery attempt, monitor for activity, and delay it for at least a week or so. So the attacker just has to wait till you go on an offline vacation ;)

Really though, for something as low key as a forum you’re entirely justified to offer recovery only via email. The email providers already offer all those alternative recovery options. And of course you should prefer OpenID to avoid the issue altogether.

> Unsurprisingly, post counts are down site-wide and the owners have reported a > 25% decrease in traffic.

That’s because they took the site down for a month!


The problem isn't really your LinkedIn password ... I mean, someone could mess up your profile, send embarrassing messages and so on, but many many people will have used the same password for amazon, apple, paypal and other financial things, or used the same password for an email account which can be used to "recover" the password for one of those things.


True, password re-use is a big problem.

Though, think of how much easier it would be to social-engineer a target were you to have full access to their LI account.


  $ cat combo_not.txt | grep `printf linkedintrouble | sha1sum`
  3ac85868a20c977661a12f770f0d116f87c74831
  $ cat combo_not.txt | grep `printf nathanlinkedin | sha1sum`
  a4d28368130ad555c77ec6a4dd18b8977ac0f589
  $ cat combo_not.txt | grep `printf mypassword | sha1sum`
  $ cat combo_not.txt | grep `printf yourpassword | sha1sum`
  $


printf linkedintrouble |openssl sha1|grep -f - combo_not.txt


This doesn't work, because:

  $ printf linkedintrouble | openssl sha1
  (stdin)= 3ac85868a20c977661a12f770f0d116f87c74831
The leading '(stdin)=' messes the pattern being fed to 'grep'.

Yes, I've read http://partmaps.org/era/unix/award.html#cat . The output of sha1sum already contains a trailing '-' which is something I wanted to feed into 'grep' using command substitution, so that 'grep' can now just accept the input stream from 'stdin'. Now, how do you feed the input to grep via 'stdin' if you don't want to use 'cat'?


BTW, the commands involving 'openssl' can be fixed in this manner.

  $ printf linkedintrouble | openssl sha1 | cut -c10- | grep -f - combo_not.txt
  3ac85868a20c977661a12f770f0d116f87c74831


does your grep have an -f option?

   printf linkedintrouble |sha1sum |sed 's/ .*//' |grep -f - combo_not.txt


If you look where we started ( http://news.ycombinator.com/item?id=4076559 ), I'm not trying to feed the regex pattern to grep via stdin, but I'm trying to feed the input stream to be searched for the pattern to grep via stdin.


I wrote one in Perl as well. I wasn't going to bother uploading it, but I might as well.

https://github.com/rpicard/misc-perl/tree/master/linkedin-pa...


That works pretty well. And yes, my password is in there.
