So far 3,427,202 passwords have cracked from LinkedIn List Almost 50%Its been about 24 hours - The longest? a 29 letter sentence from Bible
— KoreLogic(@CrackMeIfYouCan) June 6, 2012
If you would like to safely check to see if your password was included in the Linkedin compromise, you can download the file "combo_not.txt". I believe it is probably still being hosted in a few places but you'll probably have to do a bit of searching to find it.
I threw together a PowerShell function for others to check to see if their passwords were included. It is horribly slow and could definitely be improved, but I don't think it will be useful for long. I really don't like the idea of utilizing any online look-up services (despite the obvious speed benefit from storing the data in a true database) because of the obvious social-engineering implications.
A special version of Hashcat was released to handle the zeroed hashes which paired with a large dictionary is very effective:
The Hashcat syntax can be tricky, but there is a lot of great documentation out there.
Next, I reran the same dictionary with a mangle rule in John which got quite a few of the longer passwords due to the 15 character limitation imposed by CudaHashcat. There are lots of usage guides and cheat-sheets out there for John.
The final result was over 3 million hashes cracked in less than 24 hours. KoreLogic has been able to crack 4.92 million in just a few days so it seems that very few of the original passwords are safe:
Over 4.92 million cracked on Linked in. Im somewhat impressed by some of them. 14 digit number passwords are rare in USA.
— KoreLogic(@CrackMeIfYouCan) June 11, 2012
I recommend using the publicity around these major breaches to remind your managers, users, friends and family about passwords. The following is what I try to stress, but there are certainly lots of other great ideas on how to improve password security:
1. Never reuse passwords between web sites or systems.
2. Change your passwords as often as its reasonable.
3. Choose longer passwords such as (complex) passphrases to increase the difficulty of cracking.
4. Have a plan to quickly and securely change your passwords if they become compromised.
5. Consider a common password manager for web sites.
Finally, since there aren't public details as to how Linkedin was compromised, its safe to assume that they are still compromised or could be again. Take that into consideration when you are planning on how to change your passwords. Even if Linkedin takes steps to properly salt the hashes, its not unreasonable to think that they could be quickly cracked again.
***Update 16 June 2012***
Changed the name of the function to be inline with the PowerShell way. Changed the way to the password is read in to be more secure as requested by the first comment below.