I wrote a FB-note for my buddies regarding these tools and the leak. I see a lot of bad advice on HN as well, so I should probably paste how I see it here as well:<p>1. DO NOT check whether or not your password was compromised via services like leakedin.org. If you've used LinkedIn, it was stolen. They only RELEASED around 6 million passwords, though LinkedIn has 161 million users. Odds are, your password is not found from the publicized list. There's very little reason to assume, that those password-hashes were the only ones out there...<p>By using such services, you just guarantee that your password-hash ends up in a web-server log to be stolen or outright to a hash-dictionary. Especially since most of us are stupid and recycle passwords from other services, you'll just intentionally leak your weak password to a 3rd party.<p>(Besides, leakedin.org DOES leak that information to a third party. They use an analytic tool, getclicky.com, which commits your search parameters back home every time you do a page reload/search.)<p>2. As far as we know, LinkedIn HAS NOT DISCOVERED HOW THE ATTACK WAS MADE NOR BLOCKED THE VULNERABILITY. So even though we've all been clever and changed our passwords before any damages were done, the new one might as well have been leaked already. This is especially bad, if the new password is a recycled password as well. So if you lost your LinkedIn & Gmail -password before and replaced it with your FB-password... Congratulations! Odds are that you lost your FB-password as well.<p>Also, change your password again once LinkedIn has given a statement of fixing the vulnerability. If they don't... Well, sell your NYSE:LNKD.<p>3. For every leak we know of, there's dozens of leaks we don't. Assume that your password gets stolen. Don't recycle them. Use a Password Manager (I use 1Password, there are others, cheaper and free ones, though. Don't know how good they are.) and/or a system such as passphrases or <a href="http://safeandsavvy.f-secure.com/2010/03/15/how-to-create-and-remember-strong-passwords/" rel="nofollow">http://safeandsavvy.f-secure.com/2010/03/15/how-to-create-an...</a> .<p>4. People can do pretty evil things with your data and by being able to impersonate you. Your account can be used to scam people (you might not want legal trouble), to blackmail you, to spy on you and your neighbors or even for performing crimes. E.g. Money laundering.<p>(<a href="https://www.facebook.com/notes/eetu-korhonen/about-the-linkedin-thing/10150925856481878" rel="nofollow">https://www.facebook.com/notes/eetu-korhonen/about-the-linke...</a>)
I think LinkedIn handled this very badly: <a href="http://blog.jgc.org/2012/06/dont-be-reckless-with-other-peoples.html" rel="nofollow">http://blog.jgc.org/2012/06/dont-be-reckless-with-other-peop...</a>
This is great fun to play with.. Some of the most amazing stupid passwords you can imagine are in here. Including things like qazwsx or 1q2w3e4r etc. Lot's of "keyboard patterns" etc.<p>Maybe major sites should use these sorts of lists as black lists for passwords?<p>Of course the sad thing is then someone gets pissed while registering and will just click away because the first 20 passwords they thought up are already in there. :)<p>It's a fine balance and one that's not going to die anytime soon.
I can't understand the rationale behind tricking people into thinking this is secure.<p>- A list of (partial) hashes was released<p>- People start setting up websites where you can compute your hash, this is already a bit dubious<p>- Now people start setting up websitse where you can check if your password was stolen, effectively sending them a copy of your hash to make sure they got it...<p>It would not surprise me if one of those tools turn out to also send your unhashed password along.
LastPass is an excellent service to manage your passwords. Their Firefox add-on is amazing. If you are not the paranoid-type (i.e. not scared to put your passwords in a 3rd party cloud) then I strongly recommend LastPass. Their browser add-ons are free and their mobile apps a mere 1$.
Same functionality as <a href="http://leakedin.org/" rel="nofollow">http://leakedin.org/</a> ?<p><a href="http://news.ycombinator.com/item?id=4075347" rel="nofollow">http://news.ycombinator.com/item?id=4075347</a>
I think the story here is: company that offers a password vault product thinks it's a good idea to encourage users to enter their passwords in third-party websites.
I've been using LastPass for years and their service is great, so I decided to trust this service too. Apparently (if the published list is complete) my (old) password hash was not hacked :-)
What's interesting is that virtually every single number spelled out from "eleven" to "onehundred" is used as a password.<p>I've also noticed celebrities are really common, such as "parishilton", "michaeljackson", or "jamescameron".