by Randy Abrams – Security Consultant
LastPass has put up a web page where users can check whether their LinkedIn password was one of the ones whose hash was leaked. As you know if you read my blog post “Dumb, Dumb, and Dumber“, I don’t think it’s a good idea to give someone else your LinkedIn password. The catch here is that LastPass, in case you don’t know, is a password management program. In other words, you already trust them with all of your passwords, so why not type in your LinkedIn password on their web site? Let’s add one more item to this discussion: LastPass got it right in that the web page uses SSL, so the hash of the password is encrypted when it is sent over the web. Keep in mind what that does and does not buy you. SSL protects the hash from eavesdroppers on the wire; it does nothing about the party on the other end. LinkedIn stored its passwords as unsalted SHA-1, so whoever holds the hash of a guessable password can recover the password with a dictionary attack, which makes the hash worth about as much as the password itself.
It may seem logical that there is no problem, but this is not the case. To start with, you don’t trust LastPass to know your passwords; you trust them to provide a program that helps you manage your passwords. LastPass is not supposed to know any of your passwords other than the master password that unlocks your password vault, and with a properly designed manager even that master password never leaves your computer. I will concede that this is a very fine distinction, but if LastPass does not honor that explicit trust then they cannot be trusted. I do believe that LastPass is legitimate and does not access your passwords.
Here is the reason why you still do not enter your password, even at the trusted, properly implemented LastPass.com website: you do not need to make an exception to The Two Rules You Damned Well Better Know, and if you make one for no good reason because you think it is safe, you’ll probably make one for something that seems like a good reason but is really a phishing attack. A look-alike page that asks “was your LinkedIn password leaked?” is exactly the kind of lure a phisher would build the week after a breach, and the habit of never typing a password anywhere but the site it belongs to is what protects you from it.
In the case of LinkedIn, we know that 6.5 million password hashes were leaked; we don’t know whether more were accessed and not leaked. Change your password. It doesn’t matter what a web site tells you, change the password to be safe! Now, since you need to change it anyway, why do you need to know if someone thinks it may or may not have been compromised? I know, the same reason I entered mine in… curiosity. I only used my LinkedIn password in one place and I changed it BEFORE I checked to see if it had been leaked, so it was not my password when I entered it! I would never give anyone a password I was using or planned to ever use again at any time.
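Two things the post argues can be shown in a few lines: you can check a password against a leaked hash list on your own machine without sending the password or its hash to anyone, and an unsalted SHA-1 hash of a guessable password is not a secret, because a dictionary attack turns it straight back into the password. The following is an added example written for this page; it is not LastPass’s checker or any code from the original post. The “leaked” set is constructed here (two well-known hashes of weak passwords, plus the hash of the long password quoted in Our Take below, standing in for the real 6.5 million), and the wordlist is likewise made up for illustration.

```python
import hashlib


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 hex digest, the way LinkedIn stored its passwords."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Constructed stand-in for the leaked list (assumption: three entries instead
# of the real ~6.5 million). Two are hashes of notoriously weak passwords; the
# third is the hash of the long example password from "Our Take" on this page.
LEAKED_HASHES = {
    "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",  # sha1("password")
    "7c4a8d09ca3762af61e59520943dc26494f8941b",  # sha1("123456")
    sha1_hex("LisTenHereLinKeDiNpl3@sekEEpTh1sPasswordS@fe!!!"),
}

# Constructed wordlist: the first guesses any cracking tool would try.
WORDLIST = ["123456", "password", "qwerty", "linkedin", "letmein", "abc123"]


def is_leaked_locally(password: str, leaked: set) -> bool:
    """Check a password against the dump on your own machine.

    Neither the password nor its hash leaves this process, so there is no
    third-party site to trust and nothing for a look-alike phishing page
    to harvest.
    """
    return sha1_hex(password) in leaked


def crack_unsalted(leaked: set, wordlist) -> dict:
    """Dictionary attack against unsalted hashes.

    With no salt, one SHA-1 per guess tests that guess against every hash in
    the dump at once. This is why handing someone the hash of a weak password
    is the same as handing them the password; only an unguessable password
    survives it.
    """
    recovered = {}
    for guess in wordlist:
        digest = sha1_hex(guess)
        if digest in leaked:
            recovered[digest] = guess
    return recovered


if __name__ == "__main__":
    print("'password' in dump?", is_leaked_locally("password", LEAKED_HASHES))
    print("'Rand0m-and-unique-to-this-site' in dump?",
          is_leaked_locally("Rand0m-and-unique-to-this-site", LEAKED_HASHES))
    for digest, plain in crack_unsalted(LEAKED_HASHES, WORDLIST).items():
        print(f"{digest} -> {plain!r}")
```

Running it recovers “password” and “123456” from their hashes with six guesses, while the 47-character password from Our Take stays in the set uncracked. That is the whole distinction: the checker’s SSL hides the hash from the network, but the hash of a weak password tells its recipient the password anyway, and the hash of a strong one tells them nothing you could not have learned offline.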
©2012 Randy Abrams – Independent Security Analyst
Our Take: Randy makes a lot of sense here – before we even finished reading about the original LinkedIn leak, we had changed our password – to a VERY strong password – which means 30+ characters, and only used on LinkedIn – no other sites at all. As usual, our password contained a mixture of UPPER- and lower-case letters, numbers, punctuation and/or special characters, and none of our names or strings of consecutive numbers. A very good example of a password that might be hard to guess would be “LisTenHereLinKeDiNpl3@sekEEpTh1sPasswordS@fe!!!” – but it might be hard to remember, so only use this kind of password if you have a password manager tool! 😉