The way I tested to see if my password was in the list was to first generate a SHA-1 hash of my password, then I searched in the file "combo_not.txt" that I downloaded from the Internet containing the 6 million password hashes. I found a match.
Many of the hashes have their first few hex digits zeroed out (as described in this ycombinator post), as shown in this excerpt from the file:
...
000000a9da36caf22886a0203caa29e7d2631174
000000a9d9ccfdca4d241e44d415c15dba0b4c28
000000a9298b1bfc8d1237d6f3995b2d2625ce3a
000000a92ee7725afdcac707d22e2333531f9e51
000000a92dbec5cff02bfa678a0f7a78b6a46573
323300a988286c019e2dcc3100b355557257f632
923b00a9574dd89143cde9db87871890a1082bc2
3c4400a900d31c9634e355e18975f8cfe710ab7d
354b00a96d36f0c48d0c286b29120f8409e3bde1
405700a93eac557d85d2f1347db8f9a312557fc8
...

This means that instead of searching for the complete 40-digit SHA-1 output, you want to search for just the later part of the hash: the last 35 hex digits, after the masked prefix. The prevailing interpretation is that the zeroed-out entries are the ones the attacker has already cracked, so if the line that matches your hash begins with zeros, assume the password itself, not just its hash, is already in the attacker's hands.
Also note that if your password is long enough (say, more than 15 characters) and complex enough, it is still probably safe. A 15-character password drawn from upper and lower case letters, digits and symbols has too large a keyspace for brute force or rainbow tables, even with unsalted SHA-1. However, if you built it out of dictionary words, it could still fall to a "mutated dictionary" attack.

Update: the following link points to a download of the file, which by the time you read this has almost certainly been removed: https://disk.yandex.net/disk/public/?hash=pCAcIfV7wxXCL/YPhObEEH5u5PKPlp%2BmuGtgOEptAS4%3D

Update: This is a sorted list of unique hashes. Thus, if 50 people use the password "password", it shows up only once in this list. Which it does. The password "password" hashes under SHA-1 to "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8", which appears as "000001e4c9b93f3f0682250b6cf8331b7ee68fd8" in this list (first five hex digits zeroed out).

Update: Where do these passwords come from? The answer: the cracking underground. When hackers break into a network and steal the hashed passwords, they crack as many as they can, then exchange the dumps with their friends. Each hacker uses different tools, different dictionaries, and so on. Thus, once one hacker has exhausted their techniques, another is still likely to crack many more.

Update: It took me only a couple of minutes to verify that this hack is real, yet LinkedIn has not been able to:
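As an added example (not from the original post), here is a Python script that does the lookup described above: hash the password with SHA-1, index the dump by the last 35 hex digits so that entries with the first five digits zeroed out still match, and report whether the matching line is one of the zeroed (presumably already cracked) ones. The three-line dump embedded below is constructed from entries quoted in this post and stands in for the real file; the file name combo_not.txt is the one used earlier.

```python
import hashlib
import sys

# Number of leading hex digits the leaked file zeroes out on "cracked" entries:
# SHA-1("password") = 5baa61e4... appears in the file as 000001e4...
MASKED = 5

# Constructed sample standing in for combo_not.txt: the zeroed-out "password"
# entry, an all-zero-prefix entry and an untouched entry quoted in this post.
SAMPLE_DUMP = """\
000001e4c9b93f3f0682250b6cf8331b7ee68fd8
000000a9da36caf22886a0203caa29e7d2631174
323300a988286c019e2dcc3100b355557257f632
"""


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 of the password, lower-case hex, as stored in the leak."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def load_dump(text: str) -> dict:
    """Index dump lines by their unmasked tail (hex digits 6..40).

    Keying on the tail lets a masked line ("00000" + tail) and an untouched
    line both be found with a single dictionary lookup.
    """
    index = {}
    for line in text.split():
        line = line.strip().lower()
        if len(line) == 40 and all(c in "0123456789abcdef" for c in line):
            index[line[MASKED:]] = line
    return index


def check_password(password: str, index: dict):
    """Return None if the password is not in the dump, else (line, cracked).

    cracked is True when the matching line has its first MASKED digits zeroed,
    which is taken as the attacker's marker for an already-cracked hash.
    (An untouched hash that genuinely starts with five zeros would be misread
    as cracked; that is a one-in-a-million case and is accepted here.)
    """
    h = sha1_hex(password)
    line = index.get(h[MASKED:])
    if line is None:
        return None
    cracked = line.startswith("0" * MASKED)
    if not cracked and line != h:
        # Tail matched but the untouched prefix differs: a different hash.
        return None
    return line, cracked


if __name__ == "__main__":
    import getpass
    # Usage: python check_leak.py combo_not.txt   (password is read from a prompt)
    path = sys.argv[1] if len(sys.argv) > 1 else "combo_not.txt"
    with open(path) as f:
        index = load_dump(f.read())
    result = check_password(getpass.getpass("Password to check: "), index)
    if result is None:
        print("not found in dump")
    else:
        line, cracked = result
        print("FOUND:", line, "(zeroed prefix: already cracked)" if cracked else "")
```

The password is read with getpass rather than taken on the command line so it does not land in shell history; the hashing is done locally, which is the same property leakedin.org claims for its browser-side check.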
Our team continues to investigate, but at this time, we're still unable to confirm that any security breach has occurred. Stay tuned here.— LinkedIn (@LinkedIn) June 6, 2012
This reflects poorly on the trustworthiness of LinkedIn. It's proper to make such a statement before you know what's going on, but they've had hours to verify this; we should have had an update by now.

Update: How fast can hackers crack passwords? The answer is about 2 billion unsalted SHA-1 hashes per second on a Radeon HD 7970 (the latest top-of-the-line graphics processor). Each character of a password has roughly 100 possibilities (UPPER, lower, d1g1ts, $ymbols). A 5-character password therefore has 100 x 100 x 100 x 100 x 100, or 10 billion, combinations, so it can be cracked in 5 seconds. A 6-character password has 100 times that, or 500 seconds. A 7-character password has 100 times that, or 50,000 seconds, about 14 hours. An 8-character password is roughly 58 days. A 9-character password is 100 times that, about 16 years. In other words, if your password was 7 characters, the hacker has already cracked it, but if it's 9 characters, it's too difficult to crack by brute force (a mutated-dictionary attack, as noted above, is another matter).

Update: A site http://leakedin.org will check this for you. They claim to hash the password in the browser (like I do above), then check the database. I don't know if this is true -- but since you are going to change your password regardless, maybe it doesn't matter.

Update: What does password cracking look like? I started the "hashcat" tool to examine the file. It looks like this:
I'm using the latest Radeon HD 7970 graphics card. Note that I'm only getting a cracking rate of 400 million passwords/second, while the 7970 can actually do 2 billion/second. That's because I'm doing "multi-hash" cracking, testing each hash against the entire original list of 6.5 million hashes. That lookup takes longer than calculating the hash in the first place. I can dramatically increase hashing speed by first removing all the easily cracked passwords from the list, making it smaller, and hence making lookups faster.
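The mutated-dictionary attack mentioned earlier and the multi-hash lookup described here, as an added Python example (this is not the author's hashcat run and not hashcat's rule engine): a handful of illustrative mutation rules are applied to base words, every candidate is hashed once, and its 35-digit tail is tested against the whole target set with one membership lookup. Hashes that fall are dropped from the working set, which is the shrinking step the author describes. The target set is constructed from known plaintexts so the outcome can be checked; in a real run it would be the tails read from the leaked file instead.

```python
import hashlib

MASKED = 5  # leading hex digits zeroed out in the leaked file; match on the rest

# Leetspeak substitutions used by the mutation rules (illustrative subset).
LEET = str.maketrans("aeios", "43105")


def sha1_hex(s: str) -> str:
    """Unsalted SHA-1 in lower-case hex, the form used by the leaked list."""
    return hashlib.sha1(s.encode("utf-8")).hexdigest()


def mutations(word: str):
    """Yield the 'mutated dictionary' for one base word.

    Rules (a small hand-picked set, not hashcat's rule files): as-is,
    Capitalised, UPPER, l33t and Capitalised+l33t, each optionally followed
    by a number 0-99, a year 1990-2012, or a common symbol suffix.
    """
    bases = {
        word,
        word.capitalize(),
        word.upper(),
        word.translate(LEET),
        word.capitalize().translate(LEET),
    }
    suffixes = (
        [""]
        + [str(n) for n in range(100)]
        + [str(y) for y in range(1990, 2013)]
        + ["!", "!!", "123", "1234"]
    )
    for base in bases:
        for suf in suffixes:
            yield base + suf


def crack(targets, dictionary):
    """Multi-hash cracking: one hash computation per candidate, one set
    lookup against all remaining targets.

    Returns (found, remaining): found maps hash tail -> plaintext; remaining
    is the set of tails nothing in the mutated dictionary matched. Cracked
    tails are discarded from the working set as they fall, so the loop stops
    as soon as everything is recovered and, in a GPU cracker, the lookup
    structure that dominates the cost keeps getting smaller.
    """
    remaining = set(targets)
    found = {}
    for word in dictionary:
        for candidate in mutations(word):
            if not remaining:
                return found, remaining
            tail = sha1_hex(candidate)[MASKED:]
            if tail in remaining:
                found[tail] = candidate
                remaining.discard(tail)
    return found, remaining


# Constructed demo input. In a real run TARGETS is the set of line[5:] tails
# read from the leaked file; here they are derived from known plaintexts so
# the outcome can be checked. The last one is deliberately out of reach of
# the rules above and should stay uncracked.
DICTIONARY = ["password", "linkedin", "secret"]
KNOWN_PLAINTEXTS = ["Password1", "linkedin2012", "l1nk3d1n!", "Tr0ub4dor&3"]
TARGETS = {sha1_hex(p)[MASKED:] for p in KNOWN_PLAINTEXTS}


if __name__ == "__main__":
    found, remaining = crack(TARGETS, DICTIONARY)
    for tail, plain in found.items():
        print("0" * MASKED + tail, "->", plain)
    print(len(remaining), "hash(es) not cracked by this dictionary")
```

Three base words expand to under two thousand candidates here; real rule sets multiply a word by thousands of variants, which is why a 15-character password built from dictionary words is not as safe as its length suggests.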