This isn't a list for typical users, and to be blunt it's our job to determine which of these utility sites are useful for our users and which are not. It's certainly worth considering offering this link to users as a way to see if their password was part of the leak. I'm simply instructing my users to change their LinkedIn passwords whether or not they were leaked, as a precaution, which means I have no need to share the link with my group; however, it's a useful tool and is exactly what it claims to be.

----
Jack Kramer
Manager of Information Technology
Communications and Brand Strategy
Michigan State University
w: 517-884-1231 / c: 248-635-4955

From: Dennis Boone <[log in to unmask]>
Reply-To: Dennis Boone <[log in to unmask]>
Date: Wednesday, June 13, 2012 4:41 PM
To: "[log in to unmask]" <[log in to unmask]>
Subject: Re: [MSUNAG] LinkedIn Password hacked.

> I posted the password "asdf" to their form. I then watched the AJAX
> request (which because it happens client side is unencrypted before
> transmission) ... and you know what they are sending to their servers?
> THE HASHED PASSWORD. It's not like it's hard to SHA1 a string in
> JavaScript.

> So they send the hash to the server, check the list of "known bad hashes"
> (which is what the hackers have published) and tell you if your password
> hash matches a known compromised hash.

Yup.  And the typical user isn't equipped to do any of that research, so
they can't know that.

> It's really about as safe as you can possibly imagine and a great tool.
> Yes, we should be careful about inputting passwords onto strange sites,
> but you should also do your due diligence and check if the site might
> actually be legit.

My point is exactly "we should be careful about inputting passwords onto
strange sites".  Given the ability of the typical user to actually
analyze the site, or for that matter evaluate the trustworthiness of the
site operator's staff, there's exactly one way to "be careful".

But of course I'm just pissing into the wind.

De