(no title)
Eeko | 13 years ago
1. DO NOT check whether or not your password was compromised via services like leakedin.org. If you've used LinkedIn, it was stolen. They only RELEASED around 6 million passwords, though LinkedIn has 161 million users. Odds are, your password is not found from the publicized list. There's very little reason to assume, that those password-hashes were the only ones out there...
By using such services, you just guarantee that your password-hash ends up in a web-server log to be stolen or outright to a hash-dictionary. Especially since most of us are stupid and recycle passwords from other services, you'll just intentionally leak your weak password to a 3rd party.
(Besides, leakedin.org DOES leak that information to a third party. They use an analytic tool, getclicky.com, which commits your search parameters back home every time you do a page reload/search.)
2. As far as we know, LinkedIn HAS NOT DISCOVERED HOW THE ATTACK WAS MADE NOR BLOCKED THE VULNERABILITY. So even though we've all been clever and changed our passwords before any damages were done, the new one might as well have been leaked already. This is especially bad, if the new password is a recycled password as well. So if you lost your LinkedIn & Gmail -password before and replaced it with your FB-password... Congratulations! Odds are that you lost your FB-password as well.
Also, change your password again once LinkedIn has given a statement of fixing the vulnerability. If they don't... Well, sell your NYSE:LNKD.
3. For every leak we know of, there's dozens of leaks we don't. Assume that your password gets stolen. Don't recycle them. Use a Password Manager (I use 1Password, there are others, cheaper and free ones, though. Don't know how good they are.) and/or a system such as passphrases or http://safeandsavvy.f-secure.com/2010/03/15/how-to-create-an... .
4. People can do pretty evil things with your data and by being able to impersonate you. Your account can be used to scam people (you might not want legal trouble), to blackmail you, to spy on you and your neighbors or even for performing crimes. E.g. Money laundering.
(https://www.facebook.com/notes/eetu-korhonen/about-the-linke...)
harshreality|13 years ago
Lastpass does encourage visitors to that page to change their LNKD pw on LNKD and anywhere else it might be reused. The checker form is placed below that recommendation.
Anyone inclined to enter their (old?) LNKD pw on the Lastpass page would probably enter it on some other "leakedin" password checker page that's less secure. At least Lastpass tries to be trustworthy.
Regarding your point (2), I don't think it matters if the LNKD vulnerability has not been patched. Everyone should still change their LNKD pw, because the compromise might have been temporary. I agree that Lastpass and everyone else encouraging a LNKD password change should emphasize not to reuse passwords, but universally, and not specific to LNKD.
Eeko|13 years ago
That said, I have not dwelled to details of how LastPass handles the site design to avoid unintended leaks, (I believe the issues with leakedin are simply unintended mistakes rather than attempted malice) but I sure as hell would avoid using or recommending their services should I find mishandlings of the data within such trivial applications.
About (2), It matters in the sense, that we have to assume that all of the sensitive data which has been leaked before will continue leaking until they have identified the vuln. The worst thing a user can do, is to insert a recycled password and consider the situation resolved.
Should the hacker still have the backdoor open, he'll just steal the new keys as well. Salting helps a bit, but it's far from solving the problem.
What I'm proposing is that people should change the pw twice. First instantly (and not recycling) and then when LNKD has confirmed that this individual attack vector has been closed.
Tooluka|13 years ago