How Not to Be Mark Zuckerberg About Your Passwords
A group of hijackers known as OurMine, possibly from Saudi Arabia, briefly took over Facebook chairman and CEO Mark Zuckerberg's Twitter and Pinterest accounts yesterday (June 5).
It turns out Zuckerberg was one of the 165 million LinkedIn members whose login credentials were in a recently leaked data dump dating from 2012. He apparently had reused his LinkedIn password - "dadada," according to the group that took over his Twitter account - across multiple accounts, and had never changed them.
Zuckerberg's mistake is one that too many people make. They pick an easy-to-remember password and use it for more than one account. Fortunately, it's simple to be smarter than Mark Zuckerberg about online passwords.
Zuckerberg's "dadada" password wasn't stored as plaintext in the leaked LinkedIn database, but instead as a one-way hash created by running the password through a mathematical algorithm. The result is a fixed-length string of characters that is designed to be infeasible to reverse. In this case, "dadada" becomes "0f158e648228a19cab5f23acfd6c36f716a702a9".
The problem is that LinkedIn was lazy. It used the SHA-1 hash algorithm, which by 2012 was well understood to be a poor choice for protecting passwords. Worse, LinkedIn didn't take any extra steps that would have strengthened the security, such as hashing the hash many times over or "salting" the hash with extra random characters unique to each user. (Both are common practice, and LinkedIn began salting its hashes soon after the 2012 data breach.)
This made it easy for OurMine and any other bored ne'er-do-wells to reverse Mark Zuckerberg's password. Because the same password always produces the same unsalted hash, anyone can precompute the hashes of common passwords once and then simply look a leaked hash up. Just search "reverse SHA-1" and you'll see there are plenty of options out there. Plug "0f158e648228a19cab5f23acfd6c36f716a702a9" into one and you'll get "dadada."