Worried that your LinkedIn password may be a part of the nearly 6.5 million compromised on Wednesday? Password management firm LastPass has released a secure tool to see if your password was among the stolen.
News first surfaced about the security breach after a Russian hacker said he stole 6,458,020 encrypted LinkedIn passwords and posted them online (without usernames) to prove his feat. The breach comes on the heels of news that LinkedIn’s iOS app potentially violates user privacy by sending detailed calendar entries to its servers.
LinkedIn confirmed that some passwords had become compromised and said it would contact affected users with details on how to change their password.
Although usernames associated with the passwords were not released, the passwords themselves will surely be used to help reverse-engineer other cryptography systems. We also expect to see these passwords added to dictionary lists of programs that attempt to break into various accounts.
In other words — if you’re a LinkedIn user, no matter how strong your password seemed — it’s a good idea to go ahead and change it.
How This Works
If you’re a cynical web user when it comes to privacy and security — of course you are, right? — then you’re probably asking yourself whether or not a site where you type in your password to see if it’s been compromised could possibly be legit. But the folks at LastPass ensure that the tool is safe and does not store passwords.
Here’s how it works: After typing your LinkedIn password into LastPass’s tool, the service computes its SHA-1 hash and sends the result to LastPass.com. It then searches the list of 6.5 million leaked password hashes.
Check Your Linkedin Password Stolen or Not: https://lastpass.com/linkedin/
Wait a Minute, Why Is This Tool Safe?
You already changed your password, right? You no longer use that old password anywhere else, right? If not please make sure you do that first. The above tool asks you to enter your LinkedIn password, and then computes its SHA-1 hash and sends the result to LastPass.com to search the list of 6.5 million leaked password hashes. A hash is a mathematical function that is simple to perform in one direction, but very difficult to reverse. Meaning, the tool will convert your password into a series of characters in such a way that it will be very difficult to re-construct your original password.
Only the hash of your password will be sent to LastPass.com's servers, not your actual password. This hash will not be stored or logged at all. Please view source the page if you're technically inclined.
Note that if you used a simple password, such as one based on dictionary words, then it might be possible to reconstruct your original password. This is what all of the concern is about: the hashes of simple passwords can be easily reconstructed to reveal the original actual password.
“All that’s communicated to LastPass is the hash ‚Äî the result of the one-way function performed on the password that a user enters in that box,” a LastPass spokesperson told Mashable. “So let’s say you enter ‘password1.’ You enter it and the tool performs the hashing algorithm. The hash is then sent to LastPass, and if a match is found in the database (of the 6.46 million leaked hashes) on our end, we report back a message saying that your password was compromised.”
The spokesperson also noted that the hashes are not stored on its servers: “We don’t store the hash on our end. We only perform the check and then delete it.”
Brooklyn developer Chris Shiflett created a near-identical tool called LeakedIn that appears to operate in the exact same way. On his blog, Shiflett discussed how he built the tool to find out his own password was leaked (and subsequently cracked).
Change Your Password
If your password is among the millions stolen, you should not only change it as soon as possible but also update other accounts you have that use the same password.
If you aren’t already using a password management tool — it’s time to start considering one. Tools such as LastPass and 1Password are invaluable in helping users create and manage unique, secure passwords.
No comments:
Post a Comment