Thursday, June 7, 2012

The LastPass LinkedIn Password Checker


LastPass has put up a web page for users to check whether their LinkedIn password was one of the ones whose hash was leaked. As you know if you read my blog post “Dumb, Dumb, and Dumber,” I don’t think it’s a good idea to give someone else your LinkedIn password. The catch here is that LastPass, in case you don’t know, is a password management program. In other words, you already trust them with all of your passwords, so why not type in your LinkedIn password on their web site? Let’s add one more item to this discussion: LastPass got it right in that the web page uses SSL, so the hash of the password is encrypted when it is sent over the web.

It may seem logical that there is no problem, but this is not the case. To start with, you don’t trust LastPass to know your passwords; you trust them to provide a program that helps you manage your passwords. LastPass is not supposed to know any of your passwords other than the master password that allows you to access your passwords. I will concede that this is a very fine distinction, but if LastPass does not honor that explicit trust, then they cannot be trusted. I do believe that LastPass is legitimate and does not access your passwords.

Here is the reason why you still do not enter your password, even at the trusted, properly implemented LastPass.com website. The reason is that you do not need to make an exception to The Two Rules You Damned Well Better Know, and if you make one for no good reason because you think it is safe, you’ll probably make one for something that seems like a good reason but is really a phishing attack.

In the case of LinkedIn, we know that 6.5 million password hashes were leaked; we don’t know if more were accessed and not leaked. Change your password. It doesn’t matter what a web site tells you, change the password to be safe!!! Now, since you need to change it anyway, why do you need to know if someone thinks it may or may not have been compromised? I know, the same reason I entered mine in: curiosity. I only used my LinkedIn password in one place and I changed it BEFORE I checked to see if it had been leaked, so it was not my password when I entered it! I would never give anyone a password I was using or planned to ever use again at any time.

©2012 Randy Abrams - Independent Security Analyst
