I made something almost the same (including the name!), except all the checking is done in the browser: http://crackedin.s3-website-us-east-1.amazonaws.com/ And it's hosted on S3 so it is faster :)
I quickly wrote a script to do this locally, not the most efficient, but I'm at work ;) https://github.com/hungtruong/LinkedIn-Password-Checker
How about submitting the hashes over HTTPS? At the very least, somebody could be sniffing the traffic from your site and gathering the hash list for themselves.
Tangentially related to some of the comments in this thread. Amahi (my startup) started experiencing lots of spam accounts a little while ago. We started using blacklists and some heuristics to detect the spammers. Then we logged the attempts. Some interesting things emerge:
* The vast majority of them have "super123" as the password
* The vast majority use emails from China (163.com, qq.com, etc.)
* They try twice in a row if the first attempt fails
* They try regularly
The suspicion is that they then sell these accounts in bulk for later action. We have seen them have these accounts sitting idle, with occasional logins to check if they still work. Then later they pounce, posting spam links, etc. The level of sophistication of all this is rather troublesome ...
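An added example (editor's code, not Amahi's) of the four heuristics listed in the comment above applied to per-account signup/login events: a blacklisted email domain, a known spam password, a retry right after a failure, and logins at a regular cadence. The event records, the blacklists, the 10-second retry window and the 5% cadence tolerance are all constructed for this example; passwords are compared in memory at request time and are never written to a log.

```javascript
// Added example, not Amahi's code: scores accounts against the heuristics
// from the comment above. Blacklists, thresholds and events are constructed.
const SPAM_PASSWORDS = new Set(["super123"]);               // observed spam password
const SPAM_EMAIL_DOMAINS = new Set(["163.com", "qq.com"]);  // observed spam domains
const RETRY_WINDOW_MS = 10 * 1000;  // "try twice in a row": retry within 10 s of a failure
const CADENCE_TOLERANCE = 0.05;     // "try regularly": login gaps within 5% of their mean

// Constructed event records, as the application sees them at request time.
const EVENTS = [
  { t: "2012-06-01T03:00:00Z", email: "zx81@163.com",      password: "super123",      ok: false },
  { t: "2012-06-01T03:00:04Z", email: "zx81@163.com",      password: "super123",      ok: true  },
  { t: "2012-06-08T03:00:00Z", email: "zx81@163.com",      password: "super123",      ok: true  },
  { t: "2012-06-15T03:00:00Z", email: "zx81@163.com",      password: "super123",      ok: true  },
  { t: "2012-06-02T14:12:09Z", email: "alice@example.org", password: "correct horse", ok: true  },
  { t: "2012-06-19T09:40:31Z", email: "alice@example.org", password: "correct horse", ok: true  },
];

function emailDomain(email) {
  return email.slice(email.lastIndexOf("@") + 1).toLowerCase();
}

// Score one account's events (any order); each matched heuristic adds a reason.
function scoreAccount(events) {
  const sorted = [...events].sort((a, b) => Date.parse(a.t) - Date.parse(b.t));
  const reasons = [];

  if (SPAM_EMAIL_DOMAINS.has(emailDomain(sorted[0].email))) reasons.push("blacklisted-domain");
  if (sorted.some((e) => SPAM_PASSWORDS.has(e.password))) reasons.push("known-spam-password");

  // Immediate retry: an attempt shortly after a failed one.
  for (let i = 1; i < sorted.length; i++) {
    const gap = Date.parse(sorted[i].t) - Date.parse(sorted[i - 1].t);
    if (!sorted[i - 1].ok && gap <= RETRY_WINDOW_MS) {
      reasons.push("immediate-retry");
      break;
    }
  }

  // Periodic logins: three or more successes at near-identical intervals.
  const okTimes = sorted.filter((e) => e.ok).map((e) => Date.parse(e.t));
  if (okTimes.length >= 3) {
    const gaps = okTimes.slice(1).map((t, i) => t - okTimes[i]);
    const mean = gaps.reduce((a, b) => a + b, 0) / gaps.length;
    const worst = Math.max(...gaps.map((g) => Math.abs(g - mean) / mean));
    if (worst <= CADENCE_TOLERANCE) reasons.push("periodic-logins");
  }

  return { email: sorted[0].email, score: reasons.length, reasons };
}

// Group events by account and score each; the caller picks the threshold.
function scoreAll(events) {
  const byEmail = new Map();
  for (const e of events) {
    if (!byEmail.has(e.email)) byEmail.set(e.email, []);
    byEmail.get(e.email).push(e);
  }
  return [...byEmail.values()].map(scoreAccount);
}

for (const result of scoreAll(EVENTS)) console.log(result);
```

With the constructed events the 163.com account matches all four heuristics (score 4) and the example.org account none (score 0); in practice the cadence check needs three successful logins before it can fire, so it catches the "check if the account still works" phase rather than the initial signup.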
Mine was not in the list. I had a non-dictionary password with letters and numbers, 8 characters, and it was at least several months old. (If we can collect enough data points of whose passwords are on it or not, how old they are, and how complex the password was, we should be able to narrow down a potential date range for the list and the odds that the compromised list is full or partial.)
"Your password was leaked and cracked. Sorry, friend." Well, that's lovely. Just changed my LinkedIn password, so hopefully no one had a chance to take advantage of that. Luckily I very recently switched to a new password scheme, so my other accounts should be secure too.
Brilliant. Next time I want someone's password I'll create a page similar to this ("check if your password was leaked!") and pretend to spam my entire contact list while my target is really the only person receiving it. No seriously, how in the world can we trust this website with our password? They don't even claim to keep your password a secret. For all we know this is a follow-up scam to extend the 6.5mil hacked hashes. Having had a very quick glance at the HTML source, it seems they hash it before it's sent to the site to check, but it easily might have been a scam. Or it could turn into one with a probability of 1 in 10; that still gets them many passwords while remaining trusted.
Good news, the following passwords were not leaked:
    password
    asdfasdf (whew!)
    linkedinpassword
The following were:
    password1
    password$
    linkedin
    a1a1a1a1
    drowssap
    12345678
I think the much bigger risk here is password re-use; think if some CEO used the same password for their website/email? Also, torrent: http://www.seedpeer.me/download/linkedin_hashes/ad1e93a1aee28165daab22945b29352ec7518c71
I wish I could downvote or delete this article. Regardless of the creator's intentions, there are a lot of non-techie people on HN (like one of my co-workers) who used this site to check their LinkedIn password. It reinforces fatal security habits.
Oh... Didn't know anyone had already made this; I also made a tool, but it doesn't send your whole hash over the wire (only the last 4 chars). http://olemartin.org/linkedin-passwords/
I'm really enjoying testing completely silly passwords against the leaks. 'pooppants' is a confirmed hit. "World's Largest Professional Network". I like to imagine some suit with a cigar logging in to look for new hires with that one.
Even if this is a completely trusted and secure site, why would you not use SSL for something like this? Transport layer security is a serious issue, especially for people prone to password reuse.
If your hash is not on that list, it's bad news. There are indications that the hacker published only the hashes he needed help with. The others were more easily decoded.
It is helpful to have a unique password for each meaningful service you use. That way the black-hats can't compromise your other accounts using the same password.
My (previous) password was randomly generated, and it was on this list. Fortunately I had already changed it when I read about the breach earlier on Wednesday.
Huh, I have a LinkedIn account that I don't check often and my password was on that list. Luckily it was specific to LinkedIn. I don't believe this is just a small percentage of users. Oh, and I never received an email like the blog states (http://blog.linkedin.com/2012/06/06/linkedin-member-passwords-compromised/)... odd...
I'm wondering about the legality of this. If you take an (assumed) stolen dump of sensitive data and turn it into a webservice, could you get in trouble?
You should add a note on the page that lets people know that checking a password takes a minute or two. EDIT: Actually never mind, seems like it's much faster now.
Yipes - apparently that site sends up an unsalted SHA-1 of your password. If leaked unsalted SHA-1s are worth worrying about, then typing your password into this site is just as bad as the original leak.
Sorry, I don't mean to be harsh, but this concept is pretty much dead on arrival.
"Check if your hash is still private and secure by sending us your hash."
Well, even if the hash was secure, it isn't now!
(Unless you:
  O get the whole database into the client
  O ask the user to:
    o reload the URL in PRIVATE browsing mode
    o DISCONNECT from the network
    o test the results with javascript
    o close the whole browser
    o reopen the browser
    o finally, clear flash cookies (how do I even do that?)
    o Only then reconnect to the network
All to prevent you from either reading the results afterward or, as regards instructions to disconnect from the network, somehow changing or making a mistake in the javascript, perhaps after we or others have verified and ok'd it.)
If the only answer to the objection against giving you the hash is that you don't ask for the username, you might as well ask for the password plaintext.
Sorry, the concept is pretty much dead on arrival.
Still, way to ship. (or 'nice shipping.' Should be our secret handshake :). Good luck on the next concept.