Worried that your LinkedIn password may be a part of the nearly 6.5 million compromised on Wednesday? Password management firm LastPass has released a secure tool to see if your password was among the stolen.
News first surfaced about the security breach after a Russian hacker said he stole 6,458,020 encrypted LinkedIn passwords and posted them online (without usernames) to prove his feat. The breach comes on the heels of news that LinkedIn's iOS app potentially violates user privacy by sending detailed calendar entries to its servers.
LinkedIn confirmed that some passwords had become compromised and said it would contact affected users with details on how to change their password.
Although usernames associated with the passwords were not released, the passwords themselves will surely be used to help reverse-engineer other cryptography systems. We also expect to see these passwords added to dictionary lists of programs that attempt to break into various accounts.
In other words if you're a LinkedIn user, no matter how strong your password seemed it's a good idea to go ahead and change it.
How This Works
If you're a cynical web user when it comes to privacy and security of course you are, right? then you're probably asking yourself whether or not a site where you type in your password to see if it's been compromised could possibly be legit. But the folks at LastPass ensure that the tool is safe and does not store passwords.
Here's how it works: After typing your LinkedIn password into LastPass's tool, the service computes its SHA-1 hash and sends the result to LastPass.com. It then searches the list of 6.5 million leaked password hashes.
"All that's communicated to LastPass is the hash Äî the result of the one-way function performed on the password that a user enters in that box," a LastPass spokesperson told Mashable. "So let's say you enter 'password1.' You enter it and the tool performs the hashing algorithm. The hash is then sent to LastPass, and if a match is found in the database (of the 6.46 million leaked hashes) on our end, we report back a message saying that your password was compromised."
The spokesperson also noted that the hashes are not stored on its servers: "We don't store the hash on our end. We only perform the check and then delete it."
Brooklyn developer Chris Shiflett created a near-identical tool called LeakedIn that appears to operate in the exact same way. On his blog, Shiflett discussed how he built the tool to find out his own password was leaked (and subsequently cracked).
Change Your Password
If your password is among the millions stolen, you should not only change it as soon as possible but also update other accounts you have that use the same password.
If you aren't already using a password management tool it's time to start considering one. Tools such as LastPass and 1Password are invaluable in helping users create and manage unique, secure passwords.
Has your password been compromised? Let us know in the comments.
Christina Warren contributed to the reporting on this story.