Actually LastPass is a well-known and respected security tool, so I would
actually trust them not to compromise the password. I actually tried
to decipher the HTTPS session with Fiddler, but Chrome + LastPass detected
a man-in-the-middle and wouldn't proceed.

And because apparently some people need to be put out of their paranoia, I
went ahead and just used my regular developer tools and found exactly what
I suspected:

I posted the password "asdf" to their form. I then watched the AJAX request
(which because it happens client side is unencrypted before transmission)
... and you know what they are sending to their servers? THE HASHED
PASSWORD. It's not like it's hard to SHA1 a string in JavaScript.

So they send the hash to the server, check the list of "known bad hashes"
(which is what the hackers have published) and tell you if your password
hash matches a known compromised hash.

It's really about as safe as you can possibly imagine and a great tool.
Yes, we should be careful about inputting passwords onto strange sites, but
you should also do your due diligence and check if the site might actually
be legit.

/rant

Carl Bussema III
Information Technologist
Michigan State University Outreach & Engagement
Phone: (517) 353-8977 • Fax: (517) 432-9541
[log in to unmask]



On Wed, Jun 13, 2012 at 4:01 PM, Dennis Boone <[log in to unmask]> wrote:

>  > I found this site to check and see if your password was hacked at Linked
>  > In.  If you watch Security Now <http://live.twit.tv/> they talked about
>  > this site today.
>
>  > https://lastpass.com/linkedin/
>
> If your password wasn't hacked before you put it into this site, it
> certainly is after.
>
> De
>