It was confirmed this week that Last.fm and eHarmony, like LinkedIn, have been breached and have leaked millions of password hashes. But that’s not the only thing that concerns me. The linked PC Magazine article points to two pages where you can check whether your password is among those leaked: http://lastpass.com/linkedin and http://lastpass.com/eharmony. When you go to these sites, you are prompted to enter your LinkedIn or eHarmony password. What could go wrong?
First off, if you have never heard of LastPass: they are a reputable company and are unlikely to do anything malicious with your password. The argument for these pages is that you are only giving them your password, not your username, so what’s the harm? Even if they wanted to misuse it, they couldn’t. Right?
Not quite. Consider how the Facebook “Like” button on a non-Facebook site knows who you are, sometimes down to showing which of your friends already “Liked” the page. The button is a frame served from facebook.com, so your browser sends Facebook’s own cookie along with it; the host page never sees that cookie, but the embedded third party does. A password-check page cannot read LinkedIn’s cookies that way, because the browser keeps one site’s cookies from another, but it does not need to. It has its own tracking cookies (a LastPass user may well be logged in to LastPass at the time), your IP address, and whatever the page that sent you there reveals in the referrer, and that is often enough to tie a submitted password to a person or an e-mail address. The e-mail address an account is registered under is rarely a secret anyway, and a password only needs a username to become a login. Even if the page hashes the password in your browser before sending it, you are trusting whatever JavaScript it served you at that moment, and an unsalted hash of a password is not much better than the password itself. I suspect a malicious operator of such a page could then log in as you and change your password, and you would be locked out of your own account in an instant.
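Checking a password against a published hash list does not require handing the password to anyone. The Python below is an added example, not code from the original post or from LastPass: it hashes a candidate locally and compares it against a set of unsalted SHA-1 digests, the format the leaked LinkedIn list was published in, including the entries whose first five hex digits had been overwritten with zeros. The “dump” and word list are constructed for the example from made-up passwords, not real leaked data. The last function shows why an unsalted list is nearly as bad as plaintext: a single word-list pass recovers passwords for every user at once, which is also what happens to a hash you submit if the receiving page logs it.

```python
"""Offline check of a password against a published hash dump.

Added example: the candidate password never leaves this machine. The "dump"
below is constructed from made-up passwords; it is not real leaked data.
"""
import hashlib


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 hex digest, the format the 2012 LinkedIn list was published in."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def mask_linkedin_style(digest: str) -> str:
    """Overwrite the first five hex digits with zeros, as a large share of the
    published LinkedIn hashes had been."""
    return "00000" + digest[5:]


def build_sample_dump(plaintexts, mask_every=2):
    """Construct a toy dump: a set of SHA-1 digests, with every `mask_every`-th
    entry masked. A real dump is a text file with one hex digest per line;
    this one is built from made-up passwords purely for the example."""
    dump = set()
    for i, p in enumerate(plaintexts):
        d = sha1_hex(p)
        dump.add(mask_linkedin_style(d) if i % mask_every == 0 else d)
    return dump


def is_compromised(password: str, dump: set) -> bool:
    """True if the password's hash appears in the dump, either exactly or with
    the zeroed prefix. The comparison happens locally: nothing is sent anywhere."""
    d = sha1_hex(password)
    return d in dump or mask_linkedin_style(d) in dump


def crack_unsalted(dump: set, wordlist) -> dict:
    """Why an unsalted list is effectively plaintext: one hash per guess and no
    per-user salt, so a single word-list pass recovers passwords for every user
    at once. Returns {digest_as_found_in_dump: recovered_password}."""
    found = {}
    for guess in wordlist:
        d = sha1_hex(guess)
        for candidate in (d, mask_linkedin_style(d)):
            if candidate in dump:
                found[candidate] = guess
    return found


# Constructed sample data (made-up passwords and a tiny word list).
SAMPLE_PLAINTEXTS = ["linkedin", "password1", "letmein", "Summer2012"]
SAMPLE_DUMP = build_sample_dump(SAMPLE_PLAINTEXTS)
WORDLIST = ["123456", "password", "linkedin", "letmein", "qwerty", "Summer2012"]

if __name__ == "__main__":
    for pw in ["linkedin", "correct horse battery staple"]:
        status = "in dump" if is_compromised(pw, SAMPLE_DUMP) else "not in dump"
        print(f"{pw!r}: {status}")
    print("recovered from the unsalted list:", crack_unsalted(SAMPLE_DUMP, WORDLIST))
```

To use this against a real list, read the file into a set of lowercase hex strings and pass it to `is_compromised`; the point is that the only thing leaving your machine is nothing.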
In short, if you want to know if your password has been compromised, don’t bother – just change it.
In fact, just change it.