
Mine was not in the list. I had a non-dictionary password with letters and numbers, 8 characters, and it was at least several months old.

(If we can collect enough data points of whose passwords are on it or not, how old they are, and how complex the password was, we should be able to narrow down a potential date range for the list and the odds that the compromised list is full or partial.)



You're confusing "not on the list" with "not in the hacker's possession".


Don't all the hashes listed have "c3dxxxxx" at the end? They, to me, at a glance, look like a partial.

Head:

    00000fac2ec84586f9f5221a05c0e9acc3d2e670
    0000022c7caab3ac515777b611af73afc3d2ee50
    deb46f052152cfed79e3b96f51e52b82c3d2ee8e
    00000dc7cc04ea056cc8162a4cbd65aec3d2f0eb
    00000a2c4f4b579fc778e4910518a48ec3d2f111
    b3344eaec4585720ca23b338e58449e4c3d2f628
    674db9e37ace89b77401fa2bfe456144c3d2f708
Tail:

    00000e585039977da2b9c4f28fc418b8c3d2d599
    a0cad23ffd750e306bd7be8cc695d2e6c3d2d67b
    d338c29d3918574f256fc0be597d2ee0c3d2d891
    00000ad7316592e01ce0aab1cc4339b1c3d2de0d
    00000c682336158bfcd57edfe4fab7acc3d2de28
    00000d77a7b62838c5f721b30e6ee8ecc3d2deb9
    00000def8fc887cd8e910823e98ae509c3d2dedc


No, just a bunch at the top and at the bottom. Just 1570 out of the 6 million. (I did: grep 'c3d.....$' SHA1.txt |wc -l)

It's not clear to me how the file was sorted. Anyone have any ideas?


Not necessarily. There are two possibilities we can analyze:

1. "not on the list" means "not in the hacker's possession". In other words, the compromised list is partial.

2. "not on the list" means hacker already has cracked it and didn't post for help.

Learning more about the kinds of passwords not on the list could help us determine which scenario is more likely. (If lots of complex passwords are not on the list, that is evidence the compromised list is partial. If only simple passwords or passwords of a certain pattern are not on the list, that is evidence the compromised list is complete and passwords that were already cracked were not posted.)


As I understand it they zeroed out the start of the hashes they've already cracked (that's the speculation). I'm assuming that's being checked for server side?

According to LI they started salting at some point. Simple hashing obviously won't match in that case but I guess the crackers have the salts so they can do the leg work themselves.

Annoyingly LI say that they've invalidated passwords on compromised accounts but I can see that's not the case. My password hash is in the list (random 20 char pw) but they didn't deactivate my password (I've obviously changed it now).
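A small checker for the two things discussed in this thread: matching a candidate password against the dump, including the speculated form where the first five hex digits of an already-cracked hash are zeroed, and counting the "c3d" suffix pattern the grep one-liner above looks for. This is an added example, not code posted in the thread. The hash list is constructed inline (two lines copied from the head/tail listing above, the rest generated from sample words), and the five-zero mask width is an assumption taken from the thread's speculation, not a confirmed format.

```python
import hashlib
import re
from typing import Iterable, Optional, Set

# Assumption (from the thread's speculation): hashes the cracker had already
# broken were published with their first five hex digits overwritten by zeros.
MASK_WIDTH = 5


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 hex digest, which is what the leaked list appears to hold."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def mask_prefix(hexdigest: str, width: int = MASK_WIDTH) -> str:
    """Return the digest with its first `width` hex digits replaced by zeros."""
    return "0" * width + hexdigest[width:]


def load_hashes(lines: Iterable[str]) -> Set[str]:
    """Normalise one-hash-per-line text into a set of lowercase hex strings."""
    return {line.strip().lower() for line in lines if line.strip()}


def lookup(password: str, hashes: Set[str]) -> Optional[str]:
    """Classify a password against the dump.

    Returns "unmasked" if its plain SHA-1 is present, "masked" if only the
    zero-prefixed form is present (i.e. it was presumably already cracked),
    or None if neither appears. A salted hash would never match here; this
    only covers accounts from the unsalted era.
    """
    digest = sha1_hex(password)
    if digest in hashes:
        return "unmasked"
    if mask_prefix(digest) in hashes:
        return "masked"
    return None


def count_suffix(hashes: Iterable[str], head: str = "c3d", tail_len: int = 8) -> int:
    """Python equivalent of:  grep 'c3d.....$' SHA1.txt | wc -l

    Counts digests whose last `tail_len` hex digits begin with `head`.
    """
    pattern = re.compile(head + "." * (tail_len - len(head)) + "$")
    return sum(1 for h in hashes if pattern.search(h))


# Constructed sample dump: two lines copied from the head/tail listing in the
# thread, one full digest and one zero-prefixed digest built from sample words.
SAMPLE_HASHES = load_hashes([
    "00000fac2ec84586f9f5221a05c0e9acc3d2e670",
    "00000ad7316592e01ce0aab1cc4339b1c3d2de0d",
    sha1_hex("password"),                # not yet cracked: full digest present
    mask_prefix(sha1_hex("qwerty123")),  # already cracked: prefix zeroed
])


if __name__ == "__main__":
    for candidate in ("password", "qwerty123", "correct horse battery staple"):
        print(candidate, "->", lookup(candidate, SAMPLE_HASHES))
    print("c3d-suffix matches:", count_suffix(SAMPLE_HASHES))
```

Note that `lookup` deliberately reports the masked case separately: a hit on the zeroed form means the cracker already had the plaintext, which is the second scenario discussed above, and a miss says nothing about whether the hash is in the attacker's possession.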


Exactly, because the hacker only posted the passwords he needed help with.


My password of vhuwirbqr83fh83f was also not on the list


My autogenerated password was not on the list. It was generated back in late 2010.



