
Do yourself a favor, don't check if your password was leaked. Ever.

Don't check if your password was leaked on some random Web site, simply change it.

Jason Cipriani Contributing Writer, ZDNet
Jason Cipriani is based out of beautiful Colorado and has been covering mobile technology news and reviewing the latest gadgets for the last six years. His work can also be found on sister site CNET in the How To section, as well as across several more online publications.

Earlier today rumors started sweeping across the Internet that LinkedIn account passwords had been leaked online. A few hours later, LinkedIn confirmed that the rumors were true; millions of account passwords had been compromised and posted online.


Almost as fast as the story started spreading, a link to LeakedIn.org was being passed around as a way to check whether your password was leaked in the security breach. To figure out if you're affected, LeakedIn requires you to enter your account password. Your password is then converted to its SHA-1 hash, which is compared to the list of leaked passwords.

A red light means your password appears on the list, a green light means you are in the clear. At least, in theory.

Before you jump at the chance to check your password, ask yourself if it's really a good idea to enter your password on some random Web site. The answer should be an unequivocal no. You have no idea what is really being done with the information you enter.

In the case of LeakedIn, when you enter your password on the site, JavaScript is used to hash your password with SHA-1, all done locally, before the hash is cross-referenced against the list. This post over on ZDNet details the process a bit more, and may help put your mind at ease should you decide to enter your password.
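The local hash-then-compare check described above can be run entirely on your own machine against a copy of the list, as in this added example (Node.js; it is not LeakedIn's code, and the function names and sample data are constructed for illustration). It also handles one detail not stated in this article and treated here as an assumption: that some entries in the posted list had their first five hex digits replaced with zeros.

```javascript
// Added example: hash a password locally and look it up in a locally held
// list of leaked SHA-1 hashes. Nothing is sent over the network.
const crypto = require('node:crypto');

// SHA-1 of the UTF-8 password, as 40 lowercase hex characters.
function sha1Hex(password) {
  return crypto.createHash('sha1').update(password, 'utf8').digest('hex');
}

// Parse the text of a hash list (one hash per line) into a Set,
// normalising case and skipping lines that are not 40 hex characters.
function loadLeakedHashes(text) {
  const hashes = new Set();
  for (const line of text.split(/\r?\n/)) {
    const h = line.trim().toLowerCase();
    if (/^[0-9a-f]{40}$/.test(h)) hashes.add(h);
  }
  return hashes;
}

// Returns 'exact', 'masked' or 'not-found'.
// Assumption (not from the article): some list entries have their first
// five hex digits overwritten with '00000', so both forms are checked.
function checkPassword(password, leaked) {
  const h = sha1Hex(password);
  if (leaked.has(h)) return 'exact';
  if (leaked.has('00000' + h.slice(5))) return 'masked';
  return 'not-found';
}

// Constructed sample list: one full hash, one masked hash, one junk line.
const SAMPLE_LIST = [
  sha1Hex('password').toUpperCase(),
  '00000' + sha1Hex('linkedin').slice(5),
  'not a hash',
].join('\n');

const leaked = loadLeakedHashes(SAMPLE_LIST);
for (const candidate of ['password', 'linkedin', 'correct horse battery']) {
  console.log(candidate, '->', checkPassword(candidate, leaked));
}
```

A 'not-found' result only says the hash is absent from the file that was loaded, so the advice to change the password regardless still applies.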

Instead, do yourself a favor, don't check to see if your password was leaked. Don't pass go. Don't collect $200. Go directly to your account settings and change your password, just to be safe. If you use that same password on more than just your LinkedIn account, go and change those account passwords as well.

LinkedIn has stated the passwords for accounts associated with the leak have been invalidated. A series of e-mails will be sent to those members affected with further explanation of what steps need to be taken.

I'm sure LeakedIn was built with every honest intention of helping fellow LinkedIn users. However good-willed its foundation may be, stay clear. It's good practice and good ol' technology common sense.

Updated June 6, 2012 to include information about how LeakedIn handles your password.