Password Perversity and LinkedIn’s Lost List

Yesterday, we all awoke to discover the urgent need to change our LinkedIn passwords.  A file containing millions of “hashed” passwords was stolen by hackers and then posted on the Internet.

At this point, the real extent of the damage is unclear.  The file which was posted contains passwords, but no user names, so it is useless as-is for any nefarious purpose.  It was also not a complete list of passwords.  Those two omissions leave us wondering what more, if anything, the hackers have: do they have the complete list of all passwords with associated users?  Or did they just find something embarrassing to LinkedIn but with no real value to wrongdoers?

Perhaps those questions will be answered over time, but it was clear that everyone needed to change their LinkedIn password immediately.  That much is common knowledge.

Because the list has “hashed” passwords (more about that in a minute), it’s not possible to see the actual passwords people used.

But it is nonetheless possible to check to see if a password you know is in the file.

A quick technical diversion: LinkedIn, like most web applications, does not store your actual password on their system.  So then, the question is, how can they tell if you’ve entered it correctly? The answer is that they compute a sort of score for your password, called a hash, and store that.  If the score they saved of your password matches the score of the password you are entering, they let you in.

For a very simple hash function, consider the following.  Let’s say you assign every letter of the alphabet a number, starting at 1 for A and ending at 26 for Z.  When someone enters a password, you add up the numbers for the letters.  A password of ABC gets a score of 1+2+3=6.  So they store 6 in their database.  Now, if you enter ABD as your password later, the software adds the letters up, and since 1+2+4=7, there’s no match.

Now, imagine you, like the hackers, have stolen this file containing all the scores. Just knowing the saved score is 6 doesn’t automatically give you ABC.  However — and this is the important part — if you know the score is 6, you can invent a password — for example “EA” — that has the same score (since 5+1=6).  If you were to use EA as a password in this (fictional) scenario, LinkedIn would say your password matches and let you in!

The actual formula used is far more sophisticated, and, as you can see by the sample printout of the leaked passwords, the results are far more complicated.  But, in theory, the two approaches are exactly the same. And so, with some effort, if the hackers wanted to break into an account, they could generate a fake password that gets the same score as yours without ever knowing your real password.  It doesn’t matter; the fake one works just as well.

As an alternative, the hackers could try a list of common words.  Some people have very simple passwords, and a list of words (called a “dictionary attack”) will uncover some significant number of passwords.  Some hackers even keep a list of pre-hashed dictionary words around (called a “rainbow table”, in non-obvious naming), so it’s faster for them to check common passwords.

Still, how do you know if your LinkedIn password was in the file — when all you know is your actual password? You will have to score your password (or “hash” it as it is really known) and look for that value in the file.  Two big obstacles for most people: figuring out how to compute the hash of their password and then getting a copy of the leaked file to see if your hashed password is in it.
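The following Python example is an added illustration, not code from the original post. It implements the letter-sum score described above, shows the ABC/EA collision, and then does the “hash it and look it up” check with a realistic stand-in: unsalted SHA-1 digests (which is what the leaked LinkedIn file actually contained) over a small constructed sample set rather than the real file. The last function shows the fix a site should use, a per-user random salt plus a slow key-derivation function, which is what makes a precomputed dictionary or rainbow table useless. All function names (letter_sum_hash, collides, password_was_leaked, salted_hash) are my own choices, and the “leaked” set is constructed for the example.

```python
import hashlib
import os
import string

# Toy hash from the post: A=1 ... Z=26, the score is the sum of the letters.
LETTER_VALUE = {c: i for i, c in enumerate(string.ascii_uppercase, start=1)}


def letter_sum_hash(password: str) -> int:
    """Sum of letter positions; non-letters score 0 (an assumption of this example)."""
    return sum(LETTER_VALUE.get(c, 0) for c in password.upper())


def collides(candidate: str, stored_score: int) -> bool:
    """Would the toy site accept `candidate` given only the stored score?"""
    return letter_sum_hash(candidate) == stored_score


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 hex digest, the realistic stand-in for the toy score."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Constructed sample of "leaked" hashes: SHA-1 of three example passwords
# taken from the post, NOT values from the actual LinkedIn file.
LEAKED_HASHES = {sha1_hex(p) for p in ("ihatepasswords", "john316", "romney")}


def password_was_leaked(password: str) -> bool:
    """Hash your own password and look the digest up in the leaked set."""
    return sha1_hex(password) in LEAKED_HASHES


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """What a site should store instead: PBKDF2-HMAC-SHA256 with a per-user salt."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return dk.hex()


def salted_hashes_differ(password: str) -> bool:
    """Same password, two random salts -> two different stored values.

    A table precomputed from a word list can only cover one salt, so the
    attacker has to redo the slow computation for every user.
    """
    s1, s2 = os.urandom(16), os.urandom(16)
    return salted_hash(password, s1) != salted_hash(password, s2)


if __name__ == "__main__":
    print("ABC ->", letter_sum_hash("ABC"), " ABD ->", letter_sum_hash("ABD"),
          " EA ->", letter_sum_hash("EA"))
    print("EA accepted for stored score 6:", collides("EA", letter_sum_hash("ABC")))
    print("ihatepasswords leaked:", password_was_leaked("ihatepasswords"))
    print("some other phrase leaked:", password_was_leaked("some other phrase"))
    print("salt makes stored values differ:", salted_hashes_differ("ihatepasswords"))
```

Note that the lookup in password_was_leaked is exactly what the checking web site mentioned below does: it never needs the real password list in clear text, only the set of digests.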

Fortunately, a reputable software vendor who sells password management software (which is a really good idea to use) has built a web site where you can see if your password is in the LinkedIn file.  Their web site is at:

https://lastpass.com/linkedin/

Even if you do not find your password in the file, that does not mean you are safe.  You should assume the hackers have more than they have given out publicly and that they really do have your hashed password.

Once you’ve checked for your password, you could call it a day and move on.

Or, if you have a strange curiosity like I do, you can see that this password file presents an interesting opportunity for a little research into what people use for passwords.  

First, a word about ethics: the file has passwords, but no users.  There is no way you can break into someone’s account using this file (but we presume the hackers know more and could break into people’s accounts, so that’s not a reason to be complacent).  The passwords are completely anonymous.  We have no way of knowing whose passwords these are.  Also, the password file is now out in the open, so looking at it does not amount to further unethical hacking.

With that observation, let me point out that when you visit that web site to check your password, you can invent any password you want and see if it was used.

For example, those of you with a political bent will find that “romney” was used by somebody as a password, but “obama” never was.  “clinton” was used, but “bush” wasn’t.  There’s nothing you can really conclude from that, however.  This is just password voyeurism.

Where it does show some insights into humanity, perhaps, is when you try out phrases of a more personal nature.  Just about anything you can think of (or, I should be more precise, anything I can think of — perhaps my horizons are not broad enough) is in there as a password.  On the plus side, I found plenty of inspiring religious terms: “jesussaves” and “john316” (Tebow? That you?). That makes me feel some faith in humanity. On the minus side, well, I don’t want to repeat some of the more salacious passwords I tried, but HL Mencken was right.  Whatever level of depravity I have, LinkedIn users showed me I’m just an amateur.  I’m pretty sure that I’m out of my depth here and that my imagination pales in comparison to the collective perversity of 6.5 million people.

So give it a whirl if you like.  It’s a kind of “hot or not” of passwords. Again, I want to point out the ethics of this are pretty clear — you are not hacking anyone’s account by doing this.  You are not decrypting everyone’s passwords.  You are not discovering something private about a person.  You are just looking at anonymous information and seeing if passwords you can concoct have been used.  

If you can draw any conclusions from the password file, it is only that a lot of people hate their passwords.  And, yes, somebody used “ihatepasswords” as a password.

War on Caterpillars? Is the RNC in Wonderland?

There you are, working as the social media manager at a construction equipment manufacturer, and suddenly your name shows up all over the place on Twitter:

[Chart: Caterpillar becomes a more popular term on Twitter]

Backhoe explode? Bad lawsuit?

Nope, the head of the Republican National Committee has compared women to caterpillars and presumably not the ones that run on diesel…

[Image: Caterpillar from Alice in Wonderland]

Sure, start a war on caterpillars because they smoke? That’s not very Republican…

Since not many caterpillars are on twitter, I think it’s safe to say that there’s a building anger among women (and gentlemen of honor) at the remark.

Both caterpillars and women can be forgiven for thinking they’ve landed in a bad republican wonderland.  Hmmmm … Santorum as the red queen?  Romney as the march hare? He does seem a bit like that, you’d have to admit.


Twitter turns to the race between Romney and Obama. Or does it?

With Romney’s wins in the three primaries this week, he has moved from being the favored candidate to the presumptive winner.  And, recognizing that, Mitt’s turned his attention to Obama.  Santorum who? Newt what?

So has Twitter made the big turn with him? Or is Twitter even paying attention to him yet?  I set out to see how Obama and Romney are doing in the Twitterverse.  I reviewed nearly 200,000 recent tweets — all of which occurred after the primaries and the anointing of Mitt.

Let’s start with the most interesting question — how does Romney’s presence on Twitter compare to the President’s?

[Chart: Tweets mentioning Romney vs. Obama]

Romney’s way behind the President in Twitter mentions by over 3 to 1!  Even if half of the Obama mentions are just conservatives complaining about the President, it still means that Obama is the focus of the race, not Romney.  That can’t be good.

How does Romney do against his primary competition? After all, since he’s been anointed the winner, mentions of Santorum and Gingrich must be non-existent, right?

[Chart: Romney vs. the other GOP candidates]

This one is looking much better for Mitt: his GOP competitors are not being mentioned in the same tweets as he is much anymore.

So if attention is moving away from the other GOP contenders, it must be switching to discussion of possible VP picks.  Who is Twitter most excited about?

[Chart: Possible VP picks for Romney, as mentioned by Twitter]

Looks like Romney and Ryan are all the talk these days! We’ll see how that changes over time as the Wisconsin primary — Paul Ryan’s home state — fades into history.

Let’s look at which hashtags have everyone excited in the Romney and Obama tweets:

Uses   Hashtag (Romney)   Uses   Hashtag (Obama)
2540   #Romney            9098   #tcot
1738   #tcot              7032   #Obama
 926   #GOP               2551   #p2
 846   #newbedon          2033   #teaparty
 758   #p2                1858   #gop
 616   #mitt2012          1590   #tlot
 476   #teaparty           980   #obama2012
 366   #Santorum           955   #OBAMArevivingSOPA
 286   #news               921   #scotus
 264   #tlot               916   #news
 262   #WithNewt           850   #ocra
 248   #Politics           769   #SGP
 202   #ronpaul            686   #progress
 193   #gop2012            614   #JOBSAct
 182   #mittromney         541   #Politics
 174   #Romney’s           532   #Obama’s
 166   #OWS                531   #Obamacare
 166   #Mitt               394   #USA
 162   #edshow             381   #CNN
 144   #250gas             380   #vettheprez
 125   #pagop              355   #twisters
 122   #waronwomen         346   #jobs
 113   #PA                 332   #OWS
 112   #2012               328   #WorldBank
  98   #maddow             327   #NOI
  98   #tiot               280   #TPP
  88   #Newt               278   #NOBAMA
  82   #LenoMono           277   #withNewt
  81   #pennsylvania       266   #trayvon
  80   #FAIL               265   #newbedon

It’s interesting to see #tcot at the top of the Obama tags, since that’s Top Conservatives on Twitter. I have to assume that a lot of the tweets just on the topic of Obama are not favorable ones.  Or maybe they’re liberals sticking their tongues out at conservatives? That’s a question for another day.

One thing I’m always interested in is what software people are using to post their tweets.  Here’s the top 10 clients (and their % of usage) for people who tweeted about Romney and Obama:

Share  Client (Obama)           Share  Client (Romney)
27%    Web                      21%    Web
12%    Tweet Button              7%    TweetDeck
 9%    Twitterfeed               7%    Twitterfeed
 6%    Twitter for iPhone        7%    Tweet Button
 5%    Tweetdeck                 4%    Twitter for iPhone
 3%    Hootsuite                 3%    HootSuite
 3%    Twitter for Android       2%    dlvr.it
 2%    dlvr.it                   2%    Twitter for Android
 2%    Twitter for Blackberry    1%    Facebook
 2%    Echofon                   1%    Twitter for Blackberry

Not a lot of difference.  The 3% who are using Hootsuite have more than a casual interest in the topic since they’re using professional grade software.  The 5% to 7% who are using TweetDeck are “semi-pro” — you have to be at least a bit serious about Twitter to use it.  And I find it interesting that the iPhone gets used twice as often as Android … one thing both democrats and republicans agree upon, it seems, is that the iPhone is better than Android!

It’s interesting to see what words are most associated with Romney and Obama.  Here’s the top 30 (minus stop words):

 Total  Word (Romney)     Total  Word (Obama)
 31700  romney           120901  obama
 12498  mitt              23053  president
  4078  romney’s          13637  obama’s
  3685  santorum           8717  barack
  2576  will               7710  court
  2274  pennsylvania       6845  act
  1857  gop                6353  michelle
  1855  new                6180  one
  1819  women              6090  will
  1666  poll               5986  years
  1662  video              5881  jobs
  1572  like               5670  marijuana
  1465  just               5641  white
  1430  republican         5343  house
  1320  says               5287  supreme
  1267  now                5284  signs
  1224  paul               5270  use
  1215  campaign           5149  get
  1214  one                5014  known
  1207  win                4880  cocaine
  1166  can                4857  teen
  1050  election           4672  like
  1029  rick               4455  law
  1019  president          4335  budget
  1006  get                4268  now
   984  see                4060  set
   975  primary            3972  just
   962  time               3942  women
   956  take               3481  rules
   954  vote               3199  today

It appears that Pennsylvania is still holding out hope for Santorum.

The strong showing of marijuana and cocaine in Obama’s list can be attributed almost single-handedly to one tweet that got retweeted 4004 times:

‘RT @WhatTheFFacts: In his teen years, Obama has been known to use marijuana and cocaine.’

And countless other times in mild variations.  To be clear, this topic was raised before the last election as well, as “has been known” really means “was mentioned by him in his autobiography written in 1995.”  So the excitement the tweet has now is, well, about 17 years too late…

Net net … Romney needs to excite his followers to talk about him, not Obama, because in November, “Not Obama” will not appear on the ballot!

Rick Santorum’s Tweet Volume Explodes From Primary Wins

Watching the volume of tweets about each of the three GOP candidates yesterday (Ron Paul didn’t really expend an effort), it’s fun to see how Rick Santorum’s tweet volume exploded as it became clear he won Alabama and Mississippi.

He had been running slightly better than Mitt all day and then boom, at the end of the day, tweets about him took off!  Poor Newt is stuck in third on twitter, even if he came in second in the polls…

The GOP Primary Race in the Twitterverse

The weekend was a busy time for the GOP contenders in real life — and in the Twitterverse.  Here’s a breakdown of the mentions each candidate got:

[Chart: The GOP Race from the view of Twitter]

We can see that Mitt has a slight advantage over Rick Santorum, with Newt in third and Ron Paul in distant fourth (I thought the Ron Paul supporters were more vocal than that?)

The top 20 hashtags mentioned in the posts are:

hashtag  total
#tcot  13,726
#Santorum  9,384
#Romney  9,014
#250gas  8,251
#withNewt  8,038
#Newt  6,475
#GOP  5,560
#teaparty  4,732
#AL  4,694
#MS  4,459
#RonPaul  4,000
#OBAMA  2,624
#Gingrich  2,359
#tlot  2,166
#MSGOP  2,086
#ALGop  2,085
#GOP2012  2,009
#KS  1,983
#p2  1,904
#mitt2012  1,662

#tcot is for “top conservatives on twitter”.  Interesting that the #Santorum hash tag gets slightly more play than the #Romney one does!