Was Your LinkedIn Password Leaked?

4545944797_ecd81c2c40 — Image credit: Shekhar Sahu on Flickr

Earlier today, news spread that LinkedIn had experienced a significant data breach with a loss of as many as 6.5 million hashed (encrypted) passwords, as many as 300,000 of which had been decrypted and posted online. (Read the ThreatLevel blog’s explanation.) Later in the day, LinkedIn confirmed that some accounts’ passwords had been compromised. And phishers are already taking advantage of the opportunity.

Chris Shiflett (not of the Foo Fighters), author of Essential PHP Security and HTTP Developer’s Handbook used the leaked data (which you can still readily find online) to create LeakedIn.org, where you can enter your password and compare it to the leaked and cracked password lists.

Although LeakedIn.org appears to genuinely be the effort of one person trying to help the many, my advice is to never drop your password (even if your username isn’t associated) into an unknown website. Just change your LinkedIn password, particularly given the company’s silence then less-than-thorough response regarding the data breach. (You may also want to wait to change your password in the event that this is an ongoing attack so as not to give the attackers another password. But that’s not so bad since you’re not using the same password in more than one place, are you?) I’ll note that while LinkedIn’s blog post says they’ll be emailing everyone whose passwords were compromised, I’m hearing people say that their (presumably unique) passwords appeared in the list without an email having yet come from LinkedIn.

What I do recommend is using LeakedIn to find examples of really terrible passwords. Remember GoogleFight? It’s like that! Try character or show names as passwords–see who makes the cut for password use and who doesn’t. For example: