My distrust stems from having some other entity get your password. A single point of failure, and you are trusting them to do it right, and not be compromised. So yes, there *is* an increased attack surface here: you are adding to the complexity of things and trusting that they are secure. To me, that's increasing the attack surface. I don't know what else to call it.

--STeve Andre'

On 06/13/12 17:05, Kramer, Jack wrote:
> Are you objecting to the concept of a password manager utility or the
> check site that Matt posted? I agree that password managers represent
> a single point of failure, though that single point is at least easier
> to protect than the many points of weak password we seem to end up
> with without any sort of manager; however, the LinkedIn check page they
> have just compares the SHA-1 hash of any text you enter with the known
> leak of SHA-1 hashes and tells you if there's a match. There really
> isn't an attack surface there considering you're perfectly welcome to
> download that hash leak yourself and run all the comparisons your
> heart desires on it.
>
> ----
> Jack Kramer
> Manager of Information Technology
> Communications and Brand Strategy
> Michigan State University
> w: 517-884-1231 / c: 248-635-4955
>
> From: STeve Andre' <[log in to unmask]>
> Reply-To: STeve Andre' <[log in to unmask]>
> Date: Wednesday, June 13, 2012 4:51 PM
> To: <[log in to unmask]>
> Subject: Re: [MSUNAG] LinkedIn Password hacked.
>
> On 06/13/12 16:30, Carl Bussema III wrote:
> > Actually LastPass is a well-known and respected security tool, so I
> > would actually trust them not to compromise the password. I actually
> > tried to decipher the HTTPS session with Fiddler, but Chrome +
> > LastPass detected a man-in-the-middle and wouldn't proceed.
> >
> > And because apparently some people need to be put out of their
> > paranoia, I went ahead and just used my regular developer tools and
> > found exactly what I suspected:
> >
> > I posted the password "asdf" to their form. I then watched the AJAX
> > request (which because it happens client side is unencrypted before
> > transmission) ... and you know what they are sending to their
> > servers? THE HASHED PASSWORD. It's not like it's hard to SHA1 a
> > string in JavaScript.
> >
> > So they send the hash to the server, check the list of "known bad
> > hashes" (which is what the hackers have published) and tell you if
> > your password hash matches a known compromised hash.
> >
> > It's really about as safe as you can possibly imagine and a great
> > tool. Yes, we should be careful about inputting passwords onto
> > strange sites, but you should also do your due diligence and check
> > if the site might actually be legit.
> >
> > /rant
>
> Passwords are about as fragile a thing as there is today: users
> pick and display idiot pw's, and systems (often) have bad security
> measures in place which don't really work.
>
> LastPass is likely an up-front honest entity, but that isn't the
> reason why they shouldn't be used. Trusting another entity with your
> pw increases the attack surface of the product you are testing. As
> good as LastPass is, you are now trusting them to be really secure.
> That they throw away the string you enter is good, but that means
> that vandals know just where to look if they were trying to break
> that system.
>
> This is a philosophical thing. Minimizing the places on the net that
> have pw's is a good thing.
>
> --STeve Andre'