Yesterday, LinkedIn confirmed that millions of LinkedIn users' passwords have been compromised. Since then, LastPass and LeakedIn have put up websites offering tools where you enter your LinkedIn password to find out whether it was among the leaked ones. Why bother? Just change your password! That takes less of your time than visiting one of these sites, and you should be changing your password regularly anyway.
I agree with Jim Bliss's comment on the article "How to Check If Your LinkedIn Password Was Stolen" on mashable.com:
Why LastPass's and LeakedIn's password checking tools (above) are really not a good idea:
1) They only check a subset of the leaked passwords. Therefore, even if you get a 'clear' result this cannot be relied upon, as there are many leaked passwords that are not checked against.
2) Recommending users to enter their passwords into third-party sites is asking for trouble, desensitizing users to the problems of phishing.
3) Sooner or later (if not already) a site will spring up claiming to check passwords only to store them for nefarious use (yes, without a corresponding username / email address it is arguably less problematic; however, it would still be useful data for a cracker, enabling them to hash the captured password and see if there's a match and, bingo, you've done their work for them).
Far better advice, IMO, is to ignore the checking tools and just change your password.
Checking with these tools provides no security or assurance whatsoever.
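If you do want to know whether your password is in the dump, the only sensible way is to check it locally against a copy of the leaked hash file, never by typing it into someone else's website. The script below is an added example written for this post (it is not Jim Bliss's code or LinkedIn's, and neither LastPass nor LeakedIn published theirs). It assumes the dump is a text file of unsalted hex SHA-1 hashes, one per line, which is the format of the 2012 LinkedIn file; it also handles the widely reported quirk that a share of those entries had their first five hex digits overwritten with zeros. The "leaked" hashes and the "partial" subset in the code are constructed inline from sample plaintexts so the example runs offline; they are not taken from the real dump. The partial subset shows point 1 above in action: a checker that loaded only part of the file reports "clear" for a password that is in fact compromised.

```python
import hashlib
import re
import sys
import getpass

# Assumed dump format: lowercase hex SHA-1, 40 characters, one per line.
_HEX40 = re.compile(r"^[0-9a-f]{40}$")


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 of the UTF-8 encoded password as lowercase hex.

    This is the hash scheme the 2012 LinkedIn dump used, and it is exactly
    the computation a malicious 'checker' would run over the passwords it
    collected (point 3 above).
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def parse_hash_lines(lines):
    """Build a set of hashes from the lines of a dump file.

    Whitespace is stripped, hex is lower-cased, and lines that are not a
    40-character hex string (headers, blanks, junk) are ignored.
    """
    hashes = set()
    for line in lines:
        candidate = line.strip().lower()
        if _HEX40.match(candidate):
            hashes.add(candidate)
    return hashes


def is_compromised(password: str, hashes) -> bool:
    """True if the password's SHA-1 appears in the hash set.

    Also matches the zeroed-prefix variant ('00000' + last 35 hex digits),
    the marking present on part of the LinkedIn file.
    """
    digest = sha1_hex(password)
    return digest in hashes or ("00000" + digest[5:]) in hashes


# Constructed stand-in for the leaked file: a handful of weak plaintexts
# hashed here so the example runs without the real dump.
_SAMPLE_PLAINTEXTS = ["password1", "linkedin", "123456", "letmein"]
LEAKED_HASHES = {sha1_hex(p) for p in _SAMPLE_PLAINTEXTS}
# One constructed entry in the zeroed-prefix form.
LEAKED_HASHES.add("00000" + sha1_hex("qwerty")[5:])

# Constructed subset, standing in for a checker that loaded only part of the
# dump. 'linkedin' is in the full set but not here, so this checker would
# wrongly report it as clear.
PARTIAL_HASHES = {sha1_hex("password1"), sha1_hex("123456")}


def main(argv):
    """Usage: python check_local.py /path/to/combo_not.txt

    Reads the dump from disk, prompts for the password without echo, and
    prints the verdict. The password never leaves this process.
    """
    if len(argv) != 2:
        print(main.__doc__)
        return 2
    with open(argv[1], "r", encoding="utf-8", errors="ignore") as fh:
        hashes = parse_hash_lines(fh)
    password = getpass.getpass("LinkedIn password (not echoed): ")
    if is_compromised(password, hashes):
        print("Hash found in the dump: change this password everywhere you used it.")
        return 1
    print("Hash not found in this file. That is not proof it was not leaked; change it anyway.")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The "not found" branch is deliberately worded the way Jim's point 1 demands: absence from whichever copy of the file you happen to have is not evidence that the password was never exposed, so the advice at the end of the script is the same as the advice at the top of this post.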