

LastPass - LinkedIn Password Checker - dous
https://lastpass.com/linkedin/

======
Eeko
I wrote a FB-note for my buddies regarding these tools and the leak. I see a
lot of bad advice on HN as well, so I should probably paste how I see it here
as well:

1\. DO NOT check whether or not your password was compromised via services
like leakedin.org. If you've used LinkedIn, it was stolen. They only RELEASED
around 6 million passwords, though LinkedIn has 161 million users. Odds are
your password is not found in the publicized list. There's very little
reason to assume that those password hashes were the only ones out there...

By using such services, you just guarantee that your password-hash ends up in
a web-server log to be stolen or outright to a hash-dictionary. Especially
since most of us are stupid and recycle passwords from other services, you'll
just intentionally leak your weak password to a 3rd party.

(Besides, leakedin.org DOES leak that information to a third party. They use
an analytic tool, getclicky.com, which commits your search parameters back
home every time you do a page reload/search.)

2\. As far as we know, LinkedIn HAS NOT DISCOVERED HOW THE ATTACK WAS MADE NOR
BLOCKED THE VULNERABILITY. So even though we've all been clever and changed
our passwords before any damages were done, the new one might as well have
been leaked already. This is especially bad, if the new password is a recycled
password as well. So if you lost your LinkedIn & Gmail -password before and
replaced it with your FB-password... Congratulations! Odds are that you lost
your FB-password as well.

Also, change your password again once LinkedIn has given a statement of fixing
the vulnerability. If they don't... Well, sell your NYSE:LNKD.

3\. For every leak we know of, there's dozens of leaks we don't. Assume that
your password gets stolen. Don't recycle them. Use a Password Manager (I use
1Password, there are others, cheaper and free ones, though. Don't know how
good they are.) and/or a system such as passphrases or
[http://safeandsavvy.f-secure.com/2010/03/15/how-to-create-
an...](http://safeandsavvy.f-secure.com/2010/03/15/how-to-create-and-remember-
strong-passwords/) .

4\. People can do pretty evil things with your data and by being able to
impersonate you. Your account can be used to scam people (you might not want
legal trouble), to blackmail you, to spy on you and your neighbors or even for
performing crimes. E.g. Money laundering.

([https://www.facebook.com/notes/eetu-korhonen/about-the-
linke...](https://www.facebook.com/notes/eetu-korhonen/about-the-linkedin-
thing/10150925856481878))

~~~
harshreality
Playing Devil's advocate (as in, I agree with you, site A should never under
any conditions ask people to enter their password for site B):

Lastpass does encourage visitors to that page to change their LNKD pw on LNKD
and anywhere else it might be reused. The checker form is placed below that
recommendation.

Anyone inclined to enter their (old?) LNKD pw on the Lastpass page would
probably enter it on some other "leakedin" password checker page that's less
secure. At least Lastpass tries to be trustworthy.

Regarding your point (2), I don't think it matters if the LNKD vulnerability
has not been patched. Everyone should still change their LNKD pw, because the
compromise _might_ have been temporary. I agree that Lastpass and everyone
else encouraging a LNKD password change should emphasize not to reuse
passwords, but universally, and not specific to LNKD.

~~~
Eeko
Yes. I agree that LastPass is probably a lot better than alternatives. They
kind of have their balls on the line if things go wrong.

That said, I have not dwelled on the details of how LastPass handles the site
design to avoid unintended leaks (I believe the issues with leakedin are
simply unintended mistakes rather than attempted malice), but I sure as hell
would avoid using or recommending their services should I find mishandlings of
the data within such trivial applications.

About (2), it matters in the sense that we have to assume that all of the
sensitive data which has been leaked before will continue leaking until they
have identified the vuln. The worst thing a user can do is to insert a
recycled password and consider the situation resolved.

Should the hacker still have the backdoor open, he'll just steal the new keys
as well. Salting helps a bit, but it's far from solving the problem.

What I'm proposing is that people should change the pw twice. First instantly
(and not recycling) and then when LNKD has confirmed that this individual
attack vector has been closed.
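Eeko's point 1 above (a hash submitted to a checker ends up in a web-server log or a hash dictionary) is easy to make concrete. The following is an added example, not code from the page or from LastPass: it takes constructed access-log lines from a hypothetical `/check` endpoint that accepts the hash as a GET parameter, pulls the hashes back out of the log, and runs an unsalted SHA-1 dictionary attack on them. The log lines, IP addresses and wordlist are all made up for the demonstration.

```python
import hashlib
import re
from typing import Dict, List


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 hex digest, the form the LinkedIn hashes were published in."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Constructed sample input, not real log data: two visitors whose browser sent
# the hash as a GET query parameter to a hypothetical /check endpoint, and one
# whose client sent it in a POST body instead. Only the GET lines carry the
# hash into the server's own log.
ACCESS_LOG = "\n".join([
    '203.0.113.5 - - [07/Jun/2012:10:01:12 +0000] "GET /check?hash=%s HTTP/1.1" 200 512'
    % sha1_hex("password"),
    '203.0.113.9 - - [07/Jun/2012:10:02:40 +0000] "GET /check?hash=%s HTTP/1.1" 200 512'
    % sha1_hex("123456"),
    '198.51.100.2 - - [07/Jun/2012:10:03:01 +0000] "POST /check HTTP/1.1" 200 512',
])

# Constructed stand-in for a hash dictionary; a real one runs to millions of entries.
WORDLIST = ["letmein", "password", "123456", "linkedin", "qazwsx"]

# A SHA-1 digest is exactly 40 hex characters.
HASH_PARAM = re.compile(r"[?&]hash=([0-9a-fA-F]{40})")


def hashes_from_log(log: str) -> List[str]:
    """Pull every hash= query parameter out of the access log text."""
    return [m.group(1).lower() for m in HASH_PARAM.finditer(log)]


def crack(hashes: List[str], wordlist: List[str]) -> Dict[str, str]:
    """Dictionary attack on unsalted hashes.

    Without a salt, hashing the wordlist once recovers every matching target
    at the same time, which is why handing a third party your unsalted hash
    is as good as handing them the password itself.
    """
    lookup = {sha1_hex(word): word for word in wordlist}
    return {h: lookup[h] for h in hashes if h in lookup}


if __name__ == "__main__":
    targets = hashes_from_log(ACCESS_LOG)
    print(f"{len(targets)} hashes recovered from the log")
    for digest, password in crack(targets, WORDLIST).items():
        print(f"{digest} -> {password}")
```

Note that TLS changes nothing here: HTTPS protects the hash on the wire, but a query parameter is still written to the server's access log (and forwarded to any analytics script that reads the URL), which is why a checker that must accept a hash at all should take it in a POST body.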

------
jgrahamc
I think LinkedIn handled this very badly: [http://blog.jgc.org/2012/06/dont-
be-reckless-with-other-peop...](http://blog.jgc.org/2012/06/dont-be-reckless-
with-other-peoples.html)

------
kator
This is great fun to play with.. Some of the most amazing stupid passwords you
can imagine are in here. Including things like qazwsx or 1q2w3e4r etc. Lots
of "keyboard patterns" etc.

Maybe major sites should use these sorts of lists as black lists for
passwords?

Of course the sad thing is then someone gets pissed while registering and will
just click away because the first 20 passwords they thought up are already in
there. :)

It's a fine balance and one that's not going to die anytime soon.

~~~
kator
Has anyone thought of doing a keyboard heatmap for this list? It seems to me
there are a lot of these "muscle memory" like passwords in here where people
use the keyboard pattern as the password basically.
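kator's two suggestions above, using the leaked list as a registration blacklist and looking for "muscle memory" keyboard patterns, can be combined into one registration-time check. This is an added example, not code from the page or from any site mentioned on it. The leaked list is stood in for by a handful of constructed SHA-1 hashes of passwords named in the thread; the published LinkedIn dump was unsalted SHA-1, and a portion of its entries had their first five hex characters overwritten with zeros, so both forms are matched. The keyboard-walk score is a simple QWERTY adjacency heuristic of my own, with the key positions and the 0.75 threshold chosen for this illustration.

```python
import hashlib
from typing import Dict, List, Set, Tuple


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 hex digest, as used in the published LinkedIn dump."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Constructed stand-in for the leaked hash list (a real deployment would load
# the full dump). One entry is stored in the dump's "00000"-prefixed form.
LEAKED: Set[str] = {sha1_hex(p) for p in ("qazwsx", "1q2w3e4r", "parishilton", "dingleberry")}
LEAKED.add("00000" + sha1_hex("michaeljackson")[5:])


def in_leaked_list(password: str, leaked: Set[str] = LEAKED) -> bool:
    """True if the password's SHA-1 (full or zero-prefixed) is in the leaked set."""
    digest = sha1_hex(password)
    return digest in leaked or ("00000" + digest[5:]) in leaked


# Approximate QWERTY layout: (keys, x offset of the first key). Each lower row
# is shifted right relative to the row above, as on a physical keyboard, so
# that e.g. 'q' sits between '1' and '2' and 'a' sits between 'q' and 'w'.
ROWS: List[Tuple[str, float]] = [
    ("1234567890", 1.0),
    ("qwertyuiop", 1.5),
    ("asdfghjkl", 1.75),
    ("zxcvbnm", 2.25),
]
KEY_POS: Dict[str, Tuple[float, int]] = {}
for row_index, (keys, offset) in enumerate(ROWS):
    for i, key in enumerate(keys):
        KEY_POS[key] = (offset + i, row_index)


def adjacent(a: str, b: str) -> bool:
    """Two keys are 'adjacent' if identical or physically neighbouring."""
    if a == b:
        return True
    if a not in KEY_POS or b not in KEY_POS:
        return False
    (xa, ra), (xb, rb) = KEY_POS[a], KEY_POS[b]
    return abs(xa - xb) <= 1.0 and abs(ra - rb) <= 1


def keyboard_walk_ratio(password: str) -> float:
    """Fraction of consecutive character pairs that are adjacent keys.

    Pure walks such as 'qwerty' or '1q2w3e4r' score 1.0; ordinary words
    score low because their letters jump around the keyboard.
    """
    chars = password.lower()
    if len(chars) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(chars, chars[1:]) if adjacent(a, b))
    return steps / (len(chars) - 1)


WALK_THRESHOLD = 0.75  # assumption for this example, not a published figure


def check_password(password: str) -> List[str]:
    """Return the reasons a candidate password should be rejected (empty = ok)."""
    reasons = []
    if in_leaked_list(password):
        reasons.append("in leaked list")
    if keyboard_walk_ratio(password) >= WALK_THRESHOLD:
        reasons.append("keyboard pattern")
    return reasons


if __name__ == "__main__":
    for candidate in ("1q2w3e4r", "qazwsx", "michaeljackson", "Tr0ub4dor&3"):
        print(f"{candidate!r}: ratio={keyboard_walk_ratio(candidate):.2f} "
              f"reasons={check_password(candidate) or 'accepted'}")
```

The adjacency rule deliberately counts a repeated key as a step, so "aaaaaa" is flagged alongside "asdfgh"; it also keeps "qazwsx" above the threshold even though the jump from 'z' back up to 'w' is not adjacent. A plot of `KEY_POS` weighted by how often each key appears in the dump is the heatmap kator asks about.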

------
lucb1e
I can't understand the rationale behind tricking people into thinking this is
secure.

\- A list of (partial) hashes was released

\- People start setting up websites where you can compute your hash, this is
already a bit dubious

\- Now people start setting up websites where you can check if your password
was stolen, effectively sending them a copy of your hash to make sure they got
it...

It would not surprise me if one of those tools turns out to also send your
unhashed password along.

~~~
route66
More than that it "educates" people that entering their password into some web
form other than the original login page is ok. Because the site says so.

~~~
lucb1e
Indeed, also a very good point.

------
superxor
LastPass is an excellent service to manage your passwords. Their Firefox
add-on is amazing. If you are not the paranoid type (i.e. not scared to put your
passwords in a 3rd party cloud) then I strongly recommend LastPass. Their
browser add-ons are free and their mobile apps a mere $1.

~~~
josephb
LastPass don't store your passwords per se. Your passwords are SHA256 hashed
locally.

I love their system, but I think LastPass don't do a good enough job of
explaining the security behind the system to those who are a bit more
skeptical.

------
51Cards
Same functionality as <http://leakedin.org/> ?

<http://news.ycombinator.com/item?id=4075347>

~~~
jcdavis
For starters, lastpass is using https, which is definitely better

~~~
pwman
https, we're not using 'GET' parameters for the hash (which is almost
certainly ending up in log files on leakedin's site). We also just came out
with a version for eHarmony's breach: <https://lastpass.com/eharmony/>

~~~
rpicard
Completely off-topic but am I the only one that has been having problems
viewing secure notes on FF 13? I can view them once every time I start Firefox
but after that they just don't pop-up.

~~~
pwman
Try the prebuild: <https://lastpass.com/dlpre>

------
kevinpet
I think the story here is: company that offers a password vault product thinks
it's a good idea to encourage users to enter their passwords in third-party
websites.

------
dewiz
I've been using LastPass for years and their service is great, so I decided to
trust this service too. Apparently (if the published list is complete) my
(old) password hash was not hacked :-)

------
Vadoff
What's interesting is that virtually every single number spelled out from
"eleven" to "onehundred" is used as a password.

I've also noticed celebrities are really common, such as "parishilton",
"michaeljackson", or "jamescameron".

------
dchest
This is useless. How do you know they released the full dump? The best
"password checker" is the one that tells you to change your password.

------
ashaikh
There are some hilarious passwords listed, just keep entering combinations of
profanity to see. f __*you is there etc.

~~~
Angostura
At least they let you.

My LinkedIn password was also used for a rather old, unimportant POP account.
So I went into Virgin Media account settings to change it.

Not only does Virgin enforce a maximum password length of 10 (what?!), this
fact also led me to discover that the company has a profanity filter on its
passwords. (Double what!?)

~~~
RossM
What a clbuttic mistake.

------
Gigel
Why nobody mentions that the hackers probably have also your username, which
on LinkedIn is a valid e-mail address ?

------
sakri
That was somewhat amusing. Somebody had "dingleberry" as their password :)

------
cheeze
Other one is prettier.

~~~
jurre
But I'm more inclined to send last pass my old password to be honest.

