Sep 19, 2008

After Yahoo Email Debacle, Sarah Palin Needs Lastpass

"Rather than some automated tool or complex virus, Google and Wikipedia searches appear to have been the weapons used to knock down the walls guarding [Sarah Palin's] e-mail," according to this eWeek item.

Most people are vulnerable to the type of attack that compromised Palin's email account, as Markus Jakobsson wrote recently in IT World, "...almost all of us reuse what we may think of as “meta passwords” – the information used to reset passwords..."

Every three months about 1.5% of Yahoo's 250 million email account holders forget or lose their email login or password. This creates tens of millions of password email reset/recovery requests per year, according to this research report. This translates into a lot of wasted time in password recovery purgatory (at best) or opportunities for privacy problems and online fraud (at worst).

Password security and the password recovery process are vulnerable to several different types of attack:

1) Phishing attacks - where someone mimics a trusted website, usually by sending an email directing you to a "fake site." There they get you to enter personal information such as passwords, credit card numbers or social security numbers, or "meta password data" like your birthday, your mother's maiden name or the name of your first pet. The phisher captures this information and uses it to assume your identity, either accessing your sensitive accounts or creating new accounts in your name.

Lastpass protection: They protect against phishing attacks by verifying that every site you log into is the actual website you're trying to enter. When you attempt to log in to a website using Lastpass, the password manager will highlight the login/form-fill fields and offer auto login only on confirmed, legitimate websites where you have an account. You'll see the Lastpass icon and the highlighted fields and know it is safe to proceed.
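The matching rule a password manager applies before filling a login form is the heart of that phishing protection. The following is an added example written for this post, not Lastpass's own code: it compares the saved entry and the current page by exact HTTPS origin (scheme, host and port), so a lookalike host such as `www.amazon.com.evil.example` or a plain-HTTP page never gets the stored credentials. The saved URL and the "exact origin" rule are my assumptions; the post does not describe how Lastpass itself decides.

```python
from __future__ import annotations

from urllib.parse import urlsplit

# Constructed saved entry: the site the user actually holds an account with.
SAVED_LOGIN_URL = "https://www.amazon.com/ap/signin"


def origin(url: str) -> tuple[str, str, int] | None:
    """Return (scheme, host, port) for an HTTPS URL, or None if it is not a fillable origin."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return None  # never fill over plain HTTP or on a URL without a host
    try:
        port = parts.port or 443
    except ValueError:
        return None  # malformed port, treat as untrusted
    return parts.scheme, parts.hostname.lower(), port


def should_autofill(saved_url: str, current_url: str) -> bool:
    """Offer the stored login only when the current page has exactly the saved origin.

    Subdomain tricks (the real host embedded in a longer attacker-controlled host),
    digit-for-letter lookalikes and HTTP downgrades all fail this comparison.
    """
    saved, current = origin(saved_url), origin(current_url)
    return saved is not None and current is not None and saved == current


if __name__ == "__main__":
    # Constructed pages a user might land on.
    for page in (
        "https://www.amazon.com/gp/css/order-history",
        "https://WWW.Amazon.com:443/ap/signin",
        "https://www.amazon.com.evil.example/ap/signin",
        "https://www.amaz0n.com/ap/signin",
        "http://www.amazon.com/ap/signin",
    ):
        print(f"{should_autofill(SAVED_LOGIN_URL, page)!s:5}  {page}")
```

Only the first two pages get an autofill offer; the others look similar to a human but do not share the saved origin, which is exactly the judgement the extension makes for the user.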

2) Brute force attacks - where someone methodically tries password combinations in an attempt to guess your password. One popular variation on this theme is the dictionary attack, where weak passwords are uncovered simply by testing your password against the words in a dictionary.

Lastpass protection: They make creating, using and remembering strong passwords simple. Most people, myself included, make it too easy for brute force attacks to succeed because we use weak passwords (which are easier to remember than strong, complex ones) and reuse those weak passwords across different sites (meaning that if one password is stolen or compromised, many of my sites are vulnerable). Lastpass makes it easy to use a strong, unique password for every website. I use Lastpass to auto-generate strong passwords and to remember them for me so I don't have to.

3) "Meta password" attacks (a.k.a. mother's maiden name and other common password retrieval challenges). Under this increasingly common scenario, someone collects your personal information via Facebook, public record searches, etc. They use that information to figure out what they need to reset your account password and access your information.

Lastpass protection: The password manager lets me change the way I answer these "meta password" questions. Basically, I can offer less personal information. Gone are the days when I entered simple answers; now I auto-generate strong, password-like answers to questions like mother's maiden name and the name of my elementary school. I use the password generator to make up "junk" answers and save them in the "edit site information" notes section for each new account. Because Lastpass logs me in to websites automatically, I no longer have to use the meta password data to reset passwords. If I ever need the answers to the meta questions, that information is saved securely and accessed from my Lastpass portal page.
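As an added illustration of points 2 and 3 (example code written for this post, not anything from Lastpass): `generate_secret` produces the kind of random, password-like string you would store as a site password or as a "junk" answer to a mother's-maiden-name question, and `assess` estimates how a candidate fares against a dictionary pass and an exhaustive brute-force search. The miniature wordlist and the guesses-per-second figure are constructed assumptions, not measurements; real cracking wordlists run to millions of entries.

```python
import math
import secrets
import string

# Constructed miniature wordlist standing in for what a dictionary attack tries first.
COMMON_WORDS = {"password", "letmein", "qwerty", "amazon", "welcome", "monkey", "football"}

LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = "!@#$%^&*-_=+"          # a symbol set most web forms accept
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS   # 74 characters


def generate_secret(length: int = 20) -> str:
    """Random string for a site password or a 'junk' security-question answer.

    secrets.choice draws from the OS CSPRNG; random.choice would be predictable.
    """
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy, in bits, of a uniformly random string of this length over this alphabet."""
    return length * math.log2(alphabet_size)


def assess(candidate: str, guesses_per_second: float = 1e9) -> dict:
    """Estimate how a candidate stands up to a dictionary attack and a brute-force search.

    guesses_per_second is a constructed assumption for an offline attack on a fast hash.
    """
    # Dictionary pass: drop digits and symbols so "Password1!" is still recognised as "password".
    stem = "".join(c for c in candidate.lower() if c.isalpha())
    in_dictionary = stem in COMMON_WORDS

    # Brute force: the search space is set by the character classes the candidate actually uses.
    space = sum(len(cls) for cls in (LOWER, UPPER, DIGITS, SYMBOLS) if any(c in cls for c in candidate))
    bits = entropy_bits(len(candidate), space) if space else 0.0

    if in_dictionary:
        seconds = len(COMMON_WORDS) / guesses_per_second   # found by the wordlist pass
    else:
        seconds = 2 ** bits / guesses_per_second           # exhaustive search of the space
    return {"dictionary_word": in_dictionary, "entropy_bits": round(bits, 1), "crack_seconds": seconds}


if __name__ == "__main__":
    for pw in ("Password1", "Amazn1", generate_secret()):
        print(pw, assess(pw))
```

Running it shows the point of the post in numbers: a dictionary-based password is found almost instantly regardless of the digit tacked on, a short six-character password falls to brute force in about a minute at the assumed rate, and a 20-character generated string has well over 100 bits of entropy, which is why remembering such strings is best left to the password manager.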

Because Lastpass does password management differently, it syncs all my information across platforms and machines, so I can still access all my account information and log in to my websites, without uploading any sensitive information to their servers.

So, unlike many password managers, Lastpass doesn't require too much "trust" from me. It saves all my sensitive information and encrypts it locally on my machine. They don't have access to any of my information; it doesn't get saved onto their servers, and it remains secure, encrypted and on my computer.

It’s probably time for all of us including Sarah Palin to rethink our online information management and make life easier and safer with a password manager like Lastpass.

5 comments:

  1. I don't understand when you say, "Lastpass doesn’t ... have access to any of my information, it doesn’t get saved onto their servers".
    - I get the first part: that you don’t have "access" to any of my information, because it's encrypted and you don't have my Lastpass-login password. That seems to be the real point. However, saying that you don't save my info on your servers seems untrue, since you make my "passwords accessible online, ... from virtually anywhere, anytime" (as your home page says).
    - Can you clarify this?

  2. It sounds like some word play, but overall I think for the most part, it's more true in meaning than not.

    I think they mean that your encrypted data is on their servers, but it's gibberish and completely meaningless to them without your password...and you're the only person who has that password.

  3. I had this same question and asked the Lastpass team for a non-jargon explanation and got this from Bob:

    Neither your site-specific passwords nor your Lastpass password ever leaves your computer. Your site-specific passwords are encrypted locally, converted from passwords with value into an encoded string of characters with no intrinsic value.

    For example, if you use Lastpass to store your password for Amazon.com and your password for Amazon is "Amazn1", Lastpass converts "amazn1" into an encrypted string that has been encoded: YpCEhki/Bbs3l1eFsRpWSQ==

    Lastpass stores this encrypted string. It is completely meaningless to us or anyone else without the key. The key is created from your master Lastpass password and your log-in. Your username+password combination is hashed in 2 ways:
    1) To create your password hash that is sent to us for authentication
    2) To create your encryption key which is never sent to us

    For example, your password hash might look like:
    5dff3ab77d45983d9c3005435da0aceb13db373ef5cd829dda196da402160aba

    This is a one way hash and there is no way for us to get the original string. We also create your key that we use for encrypting/decrypting your data locally. This is never sent to us. It looks similar in structure (same length, character set [0-9, a-f] used) to the hash above, but is different.

    When you log into Lastpass from a foreign computer, the user enters his/her Lastpass username and password into the website. Both the authentication hash and the encryption key are generated from these. Javascript (running locally on the computer) performs the hashing. Then the computer makes a request to our servers to authenticate and pull down their encrypted data. Again, locally (in javascript) we perform the decryption of the data with their key.

    Once you log off a foreign computer, Lastpass instructs the browser not to cache the page. Most browsers don't save https pages anyway. But even if the browser did cache the page, it is dynamically generated via javascript, so without the username/password combination to decrypt the data, the data is meaningless.

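To make Bob's description concrete, here is an added example (my own illustration for this post, not Lastpass code) of the two-way derivation he describes: the username+password pair yields an authentication hash that is sent to the server and an encryption key that never leaves the client, and the server stores nothing but that hash and the opaque encrypted blob. Logging in from any computer re-derives both values and decrypts locally. The comment does not say which hash or cipher Lastpass used, so PBKDF2-HMAC-SHA256 for the derivation and an HMAC-SHA256 keystream with an integrity tag for the local encryption are my assumptions, chosen so the example runs on the Python standard library alone; the `Server` class, `ITERATIONS` and the account values are likewise constructed.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

ITERATIONS = 100_000   # constructed work factor, not a Lastpass value
NONCE_LEN = 16
TAG_LEN = 32


def derive_credentials(username: str, password: str) -> tuple[str, bytes]:
    """Derive (authentication hash, encryption key) from the username+password pair.

    Different salts make the two outputs unrelated: the server learns the auth
    hash but cannot recover the key (or the password) from it.
    """
    secret = (username + password).encode()
    auth = hashlib.pbkdf2_hmac("sha256", secret, b"auth:" + username.encode(), ITERATIONS)
    key = hashlib.pbkdf2_hmac("sha256", secret, b"enc:" + username.encode(), ITERATIONS)
    return auth.hex(), key   # 64 hex characters, like the hash quoted in the comment


def _subkeys(key: bytes) -> tuple[bytes, bytes]:
    # Separate keys for the keystream and for the integrity tag.
    return (hmac.new(key, b"stream", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(stream_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256: a stand-in for the real cipher.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(stream_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_local(key: bytes, plaintext: str) -> bytes:
    """Encrypt on the client; the returned blob is all the server ever sees."""
    stream_key, mac_key = _subkeys(key)
    data = plaintext.encode()
    nonce = secrets.token_bytes(NONCE_LEN)
    body = bytes(p ^ k for p, k in zip(data, _keystream(stream_key, nonce, len(data))))
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt_local(key: bytes, blob: bytes) -> str:
    """Decrypt on the client; rejects blobs that were altered or made under another key."""
    stream_key, mac_key = _subkeys(key)
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("vault blob failed integrity check")
    return bytes(c ^ k for c, k in zip(body, _keystream(stream_key, nonce, len(body)))).decode()


class Server:
    """Constructed stand-in for the service: holds only auth hashes and ciphertext."""

    def __init__(self) -> None:
        self.accounts: dict[str, dict] = {}

    def register(self, username: str, auth_hash: str, vault: bytes) -> None:
        self.accounts[username] = {"auth_hash": auth_hash, "vault": vault}

    def login(self, username: str, auth_hash: str) -> bytes | None:
        rec = self.accounts.get(username)
        if rec is None or not hmac.compare_digest(rec["auth_hash"], auth_hash):
            return None
        return rec["vault"]


def client_save(server: Server, username: str, password: str, site_password: str) -> None:
    """Client side of saving a site password: auth hash to the server, ciphertext alongside it."""
    auth_hash, key = derive_credentials(username, password)
    server.register(username, auth_hash, encrypt_local(key, site_password))


def client_fetch(server: Server, username: str, password: str) -> str | None:
    """Client side of logging in from a foreign computer: re-derive both values, decrypt locally."""
    auth_hash, key = derive_credentials(username, password)
    vault = server.login(username, auth_hash)
    return None if vault is None else decrypt_local(key, vault)


if __name__ == "__main__":
    srv = Server()
    client_save(srv, "user@example.com", "my master password", "Amazn1")   # constructed values
    print(srv.accounts["user@example.com"])    # a hex hash and opaque bytes, nothing readable
    print(client_fetch(srv, "user@example.com", "my master password"))     # Amazn1
```

What the server record contains is the thing to look at: the hex authentication hash and a nonce, ciphertext and tag. Neither the master password, the encryption key nor "Amazn1" appears in it, which is the sense in which the data is "on their servers" (the second commenter's reading) and yet "meaningless to them" (Bob's). A wrong master password produces a different auth hash, so the server refuses the login before any decryption is attempted, and a modified blob fails the integrity check rather than decrypting to garbage.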
  4. Loved LastPass!
    I'm giving up on Roboform!

  5. I wanted to give up RoboForm, but LastPass won't fill the username at Amazon.com. That was one of the first sites I tried. If that doesn't work, well, I'll wait for RoboForm to get their act together for the Chrome add-on.
