And for the record, the LastPass tool contains the following text:
"Wait a Minute, Why Is This Tool Safe?
"You already changed your password, right? You no longer use that old
password anywhere else, right? If not please make sure you do that first."
So LastPass explicitly requests users to change all their passwords
first, and afterwards only use their tool to satisfy any curiosity
about whether their *now abandoned* password was among those whose
hash was stolen and posted. Is that so bad?
As has also been pointed out elsewhere, even if the tool does not
find the hash of your password among the leaked hashes, that does
*not* mean that your password hash has not been stolen -- maybe the
attackers simply did not post that portion of the stolen password
hash file. So, finding your password hash among the leaked hashes
confirms that your password hash was stolen, while failure to find it
among the leaked hashes confirms only that your password hash has not
been leaked yet.
Hope that helps,
-- dkm
At 6/13/2012 05:01 PM Wednesday, Kramer, Jack wrote:
>This isn't a list for typical users, and to be blunt it's our jobs
>to determine which of these utility sites are useful for our users
>and which are not. It's certainly worth considering offering this
>link to users as a way to see if their password was part of the
>leak. I'm simply instructing my users to change their LinkedIn
>passwords whether or not they were leaked as a precaution which
>means I have no need to share the link with my group; however, it's
>a useful tool and is exactly what it claims to be.
>
>----
>Jack Kramer
>Manager of Information Technology
>Communications and Brand Strategy
>Michigan State University
>w: 517-884-1231 / c: 248-635-4955
>
>From: Dennis Boone <[log in to unmask]>
>Reply-To: Dennis Boone <[log in to unmask]>
>Date: Wednesday, June 13, 2012 4:41 PM
>To: "[log in to unmask]" <[log in to unmask]>
>Subject: Re: [MSUNAG] LinkedIn Password hacked.
>
> > I posted the password "asdf" to their form. I then watched the AJAX
> > request (which because it happens client side is unencrypted before
> > transmission) ... and you know what they are sending to their servers?
> > THE HASHED PASSWORD. It's not like it's hard to SHA1 a string in
> > JavaScript.
>
> > So they send the hash to the server, check the list of "known bad hashes"
> > (which is what the hackers have published) and tell you if your password
> > hash matches a known compromised hash.
>
>Yup. And the typical user isn't equipped to do any of that research, so
>they can't know that.
>
> > It's really about as safe as you can possibly imagine and a great tool.
> > Yes, we should be careful about inputting passwords onto strange sites,
> > but you should also do your due diligence and check if the site might
> > actually be legit.
>
>My point is exactly "we should be careful about inputting passwords onto
>strange sites". Given the ability of the typical user to actually
>analyze the site, or for that matter evaluate the trustworthiness of the
>site operator's staff, there's exactly one way to "be careful".
>
>But of course I'm just pissing into the wind.
>
>De