Displaced Geek

Just a city geek and father coming to terms with being replanted in farm country

Posts Tagged ‘security’

UPDATE: So, I didn’t know it when this was posted, but LastPass put up a site to check your LinkedIn password, and another one for the eHarmony breach.

@0xabad1dea
Attention universe, change your LinkedIn password and any other account that uses it. Just do it. 8:59AM

So unless you’ve been sleeping under a digital rock for the last twelve hours, by now you know LinkedIn had at least 6 million password hashes snatched right out from under their noses.

There are plenty of places on the net where people smarter than I am will walk you through exactly what this means, and even more (arguably) smart people will try to scare the crap out of you, so if that’s what you’re looking for, you can go somewhere else.

@moxie
If LinkedIn hasn’t been able to confirm the breach, they haven’t fixed it either. You can change your PW, but attackers can just get it again 1:13PM


I decided to post this because while I thought I’d find myself once again checking a hash list to see how likely it was that my password had been compromised, instead I found that I was suddenly unable to remember my LinkedIn password in the first place! To be more accurate, I knew I’d be able to get it within 3 or 4 tries, as I use the now (in)famous ‘Correct Horse Battery Staple’ method. Nevertheless, given how often these dumps hit the internet, and how often they seem to be for sites I frequent, I found myself taking my own advice:

If you’re going to do something more than once, script it!

And I came up with this:

#!/bin/bash
# check hashlist for password
# quote the password so the shell doesn't expand characters like $ or *
if [ -z "$3" ]; then
	echo "usage: ./checkfor 'password' (md5|sha1) ./hashlist.txt"
	echo "eg ./checkfor 'Password123$' md5 ./hashlist.txt"
	exit 1
fi
case "$2" in
	"md5")
	md5hash=`printf '%s' "$1" | md5sum`
	md5hash=${md5hash:0:32}
	echo "Checking for $2 hash of $1 ($md5hash) in $3..."
	grep -F "$md5hash" "$3"    # fixed-string match, no regex surprises
	;;
	"sha1")
	sha1hash=`printf '%s' "$1" | sha1sum`
	sha1hash=${sha1hash:0:40}
	echo "Checking for $2 hash of $1 ($sha1hash) in $3..."
	grep -F "$sha1hash" "$3"
	;;
	*)
	echo "unknown algorithm: $2 (use md5 or sha1)"
	exit 1
	;;
esac

Of course, I then realized that despite my best efforts, not only would many people I know never bother to check or change their passwords, they may even be tempted to plug them into one of the phishing sites claiming to check their passwords for them, which will undoubtedly pop up pretty soon, if they haven’t already. So I compiled a quick list of common passwords I know are in use by friends & family (yes, I can probably guess your password, get over it), polished up the script above to handle a wordlist…

#!/bin/bash
# check password list against hashlist
# usage: ./checkfor ./pwlist.txt (md5|sha1) ./hashlist.txt
# passwords that appear in the hashlist are appended, with their hit count, to ./cleanresults.txt
if [ -z "$3" ] || [ "$1" == "?" ]   # VERY quick & dirty input checking
then
     echo "usage: checkfor ./pwlist.txt (md5|sha1) ./hashlist.txt"
     exit 1
fi
case "$2" in
     md5)  hasher=md5sum  ;;
     sha1) hasher=sha1sum ;;
     *)    echo "unknown algorithm: $2 (use md5 or sha1)"; exit 1 ;;
esac
# IFS= and -r keep leading spaces and backslashes in passwords intact
while IFS= read -r line
do
     hash=`printf '%s' "$line" | $hasher`
     hash=${hash%% *}                  # drop the trailing " -" that md5sum/sha1sum print
     echo "Checking for $2 hash of $line ($hash) in $3..."
     count=`grep -c -F "$hash" "$3"`   # number of lines in the hashlist containing this hash
     if [ "$count" != "0" ]; then
          echo "$line $count" >> ./cleanresults.txt
     fi
done < "$1"

…and let it run. Thankfully, I only ended up matching some common passwords that I fully expected to match, given that they’re probably used by lots of people. (e.g. the SHA-1 of linkedinpassword is d2ffdbdb71a0e55324fa51949a145dc001ed53dc, and yes, it’s in there)
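As an added example (not code from the original post), here is the variant of the same check that I would hand to someone for a password they actually use: the password is read from the terminal with `read -s` instead of being passed as an argument, so it never lands in shell history or in `ps` output; the hash is matched as a fixed string rather than a regex; and the match is made on the last 35 hex digits of a SHA-1 (27 of an MD5), because the LinkedIn list as it circulated had the first five hex digits of many already-cracked hashes overwritten with 00000, which a full-hash search silently misses. It assumes bash and the coreutils md5sum/sha1sum; the dump in make_sample_dump is constructed for this example (the SHA-1 of "password", a zero-prefixed SHA-1 of "abc", and one filler line).

```shell
#!/bin/bash
# Added example, not from the original post: check a password against a hash
# dump without putting the password on the command line.
# Assumes bash and coreutils md5sum/sha1sum; the dump has one hex hash per line.

# hash_of ALGO PASSWORD -> lowercase hex digest on stdout
hash_of() {
    local algo=$1 pw=$2 out
    case "$algo" in
        md5)  out=$(printf '%s' "$pw" | md5sum)  ;;
        sha1) out=$(printf '%s' "$pw" | sha1sum) ;;
        *)    echo "unknown algorithm: $algo (use md5 or sha1)" >&2; return 2 ;;
    esac
    printf '%s\n' "${out%% *}"    # drop the trailing " -" filename field
}

# count_hits HASH DUMPFILE -> number of dump lines ending in the hash's last
# 35 (sha1) or 27 (md5) hex digits. One pattern catches both the exact hash
# and a LinkedIn-style entry whose first five digits were replaced by 00000.
count_hits() {
    local hash=$1 dump=$2 tail
    tail=$(printf '%s' "$hash" | cut -c6-)
    grep -c -i -e "${tail}\$" "$dump" || true   # grep -c exits 1 on zero hits
}

# Constructed sample dump for this example: sha1("password"), sha1("abc") with
# its first five digits zeroed the way the LinkedIn list was, and filler.
make_sample_dump() {
    local f
    f=$(mktemp) || return 1
    cat >"$f" <<'EOF'
5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
00000e364706816aba3e25717850c26c9cd0d89d
0123456789abcdef0123456789abcdef01234567
EOF
    printf '%s\n' "$f"
}

# main ALGO DUMPFILE: prompt for the password without echoing it, then report.
main() {
    local algo=$1 dump=$2 pw hash hits
    printf 'Password (not echoed): ' >&2
    IFS= read -r -s pw
    echo >&2
    hash=$(hash_of "$algo" "$pw") || exit 2
    hits=$(count_hits "$hash" "$dump")
    if [ "${hits:-0}" -gt 0 ]; then
        echo "$hash: $hits match(es) in $dump. Change this password everywhere you use it."
        return 1
    fi
    echo "$hash: not in $dump (absence proves nothing: a dump is never the whole database)."
}

# usage: ./checkhash (md5|sha1) ./hashlist.txt   (nothing runs when sourced)
case "${1:-}" in md5|sha1) main "$@" ;; esac
```

The exit status is 1 on a hit and 0 otherwise, so it can be chained from another script. Matching on the tail costs nothing in precision (35 hex digits is still 140 bits of hash) and is the difference between catching and missing the zeroed entries.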

So if I don’t know you in real life, and you run Linux, snatch a copy of the hash dump, and run the above script against it using your password. Or you could take even less time and just change your password. 😉

Happy scripting!

Written by Peter

June 6, 2012 at 2050

Posted in geek


DG on Krebs (on Security)

As I was cleaning up a machine today, I was reminded of a Krebs on Security post from a few months ago that did an excellent job of distilling the basics of online security into three simple rules. For those of you too lazy to click that link and actually read the article, I’ll save you the trouble:

  1. “If you didn’t go looking for it, don’t install it!”
  2. “If you installed it, update it.”
  3. “If you no longer need it, remove it.”

I cannot tell you how many boxes I’ve fixed that wouldn’t have needed fixing in the first place if these three very simple rules had been followed.

Written by Peter

July 23, 2011 at 1526

Posted in geek
