Joost (Moderator) says

Perhaps I’m being a paranoid parrot (seeing as even Envato notes recommends a similar checker by LastPass), but…


Haha, but really – there shouldn’t be much concern – they don’t have your email so there’s not much risk.

How do you know? Is it very likely that whoever posted those hashes also has a list of email addresses, and the owner of leakedin.org could be anyone.


If you have a strong password it’ll take a very long time to crack – I’d say very little risk even if they were storing the SHA-1 hash you submitted.

Whoever owns this site could be getting quite a nice rainbow table of people checking if their passwords, factoring out password length as a security measure ;)

Rule of thumb: never ever ever ever enter your password anywhere but in the login form of the site you’re using it for. I realise the source of LeakedIn.org looks very trustworthy and clear, with their hashIt() in the on-submit and all, but I hardly believe I’m capable of spotting every JavaScript trickery he could pull to still have the cleartext password. Heck, you would have to check if he actually implemented SHA1 correctly (which would mean you’d be hashing it yourself anyway). Also, I doubt everyone who filled in their password there actually read the source.

EDIT: Using a network sniffer one can indeed verify that LeakedIn.org only sends out hashes. Still, never enter your password anywhere but where it’s meant to go.
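As an added illustration of the point made above (this is example code, not from the thread or from LeakedIn.org): the "hash it yourself" check can be done entirely on your own machine against a local copy of a dump, so the password never leaves it. The dump lines and the passwords hashed here are constructed for the example.

```python
import hashlib

# Constructed stand-in for a leaked dump: one unsalted hex SHA-1 digest per line,
# as such files are typically distributed. These are digests of throwaway
# strings made up for this example, not values from any real leak.
LEAKED_DUMP = """\
5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
  E38AD214943DAAD1D64C102FAEC29DE4AFE9DA3D
# comment lines and short junk are ignored by the loader
not-a-hash
"""


def load_leaked_hashes(dump_text: str) -> set[str]:
    """Parse a dump into a set of lowercase hex SHA-1 digests, skipping junk lines."""
    hashes = set()
    for line in dump_text.splitlines():
        token = line.strip().lower()
        if len(token) == 40 and all(c in "0123456789abcdef" for c in token):
            hashes.add(token)
    return hashes


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 of the UTF-8 password, hex encoded (what hashIt() would produce)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def password_in_dump(password: str, leaked: set[str]) -> bool:
    """True if the password's SHA-1 appears in the local dump; nothing is sent anywhere."""
    return sha1_hex(password) in leaked


if __name__ == "__main__":
    leaked = load_leaked_hashes(LEAKED_DUMP)
    for candidate in ("password", "correct horse battery staple"):
        print(candidate, "->", "FOUND in dump" if password_in_dump(candidate, leaked) else "not found")
```

Because the dump is unsalted SHA-1, anyone holding it can test guesses offline just as cheaply, which is the same reason the hashes themselves must be treated as sensitive.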

iLochie says

EDIT: Using a network sniffer one can indeed verify that LeakedIn.org only sends out hashes. Still, never enter your password anywhere but where it’s meant to go.
This is definitely a good rule of thumb, I suppose I shouldn’t be advertising “yeah enter your password it’ll be fine.” But the story is that the emails were retained, but the passwords were distributed in a file so people can generate brute force lists (I guess.) Chrome’s got a built-in network sniffer that’ll tell you about all incoming and outgoing traffic – specifically the XHR requests I mentioned previously are the ones called after the page loads – generally AJAX. I assumed for the most part that this wouldn’t be very dangerous, but again it’s always smart to keep your passwords to their respective domains.
R3GeneralDesigns says

And these problems will increase while people continue using mobile phones and social networking…

Joost (Moderator) says

And these problems will increase while people continue using mobile phones and social networking…

Mobile phones seem to have nothing to do with this leak, and other than provide a target, neither does social networking. ;) It seems to have been a server-side leak.

I do agree with you on the point that these attacks are ever increasing – more and more of our lives take place online, making it more and more an area of interest for those with criminal intent.

doru says

Hope that military virus has nothing to do with this. If someone gets his hands on that then bye internet. Also Last.fm seems to have the same problems.
