Sep 19, 2008

After Yahoo Email Debacle, Sarah Palin Needs Lastpass

"Rather than some automated tool or complex virus, Google and Wikipedia searches appear to have been the weapons used to knock down the walls guarding [Sarah Palin's] e-mail," according to this eWeek item.

Most people are vulnerable to the type of attack that compromised Palin's email account, as Markus Jakobsson wrote recently in IT World, "...almost all of us reuse what we may think of as “meta passwords” – the information used to reset passwords..."

Every three months about 1.5% of Yahoo's 250 million email account holders forget or lose their email login or password. This creates tens of millions of password email reset/recovery requests per year, according to this research report. This translates into a lot of wasted time in password recovery purgatory (at best) or opportunities for privacy problems and online fraud (at worst).

The password security and password recovery process is vulnerable to several different types of attacks:

1) Phishing attacks - where someone mimics a trusted website, usually by sending an email directing you to a "fake site." There they get you to enter personal information/data like passwords, credit card information or social security numbers, or "meta password data" like birthdays, your mother's maiden name or the name of your first pet. The phisher captures this information and uses it to assume your identity and either access your sensitive accounts or create new accounts in your name.

Lastpass protection: They protect against phishing attacks by verifying that every site you log into is the actual website you're trying to enter. When you attempt to log in to a website using Lastpass, the password manager will highlight login/form fill fields and offer auto login only on confirmed, legitimate websites where you have an account. You’ll see the Lastpass icon and highlighted fields and know it is safe to proceed.

2) Brute force attacks - where someone methodically tries password combinations in an attempt to guess your password. One popular variation of this theme is a dictionary attack, where weak passwords are uncovered simply by testing them against the words in a dictionary.

Lastpass protection: They make creating, using and remembering strong passwords simple. Most people, myself included, make it too easy for brute force attacks to be successful because we use weak passwords (that are easier to remember than strong, complex ones) and reuse these weak passwords across different sites (meaning if one password is stolen/compromised, many of my sites are vulnerable). Lastpass makes it easy to use strong and unique passwords for every website. I use Lastpass to auto generate strong passwords for me and remember these passwords for me so I don’t have to.

3) "Meta password" attacks (a.k.a. mother's maiden name and other common password retrieval challenges). Under this increasingly common scenario, someone collects your personal information via Facebook, public record searches, etc. They use that information to figure out what they need to reset your account password and access your information.

Lastpass help: The password manager enables me to change the way I answer these “meta password” questions. Basically, I can offer less personal information. Gone are the days when I enter simple answers; now I auto generate strong password-like answers to questions like mother’s maiden name and my elementary school. I use the password generator to make up “junk” answers and save these answers in the “edit site information” notes section with each new account. Because Lastpass auto logs me in to websites, I no longer have to use the meta password data to reset passwords. If I were to need to access the meta question answers, that info is securely saved and accessed from my Lastpass portal page.
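To put numbers on the dictionary-attack point above and on the “junk answer” approach, here is an added Python example (not code from the original post or from Lastpass): it compares the guess space of a truthful reset answer with that of a randomly generated one, and generates such answers for a set of questions. The answer-space sizes in COMMON_ANSWER_SPACE are constructed assumptions for illustration, not measured figures.

```python
import math
import secrets
import string

# Constructed, illustrative sizes of the space an attacker would have to
# search for common reset-question answers. These are assumptions for this
# example, not measured figures.
COMMON_ANSWER_SPACE = {
    "mother's maiden name": 10_000,   # frequent surnames
    "name of first pet": 5_000,       # popular pet names
    "elementary school": 100_000,     # schools in one country
    "birthday": 366 * 100,            # day of year times a century of years
}
ALPHABET = string.ascii_letters + string.digits  # 62 symbols

def entropy_bits(space_size: int) -> float:
    """Entropy of an answer drawn uniformly from space_size candidates."""
    return math.log2(space_size)

def junk_answer_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Entropy of a random answer of the given length over the alphabet."""
    return length * math.log2(len(alphabet))

def generate_junk_answer(length: int = 16, alphabet: str = ALPHABET) -> str:
    """Random 'junk' answer from the OS CSPRNG, meant to be stored in the
    password manager's notes for that site rather than remembered."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

def fill_reset_questions(questions, length: int = 16) -> dict:
    """Give every reset question of one account an independent junk answer."""
    return {q: generate_junk_answer(length) for q in questions}

def compare_answer_strength(question: str, length: int = 16) -> dict:
    """Bits of guess space for the truthful answer vs a junk answer, plus the
    average number of guesses an attacker needs for each."""
    weak = entropy_bits(COMMON_ANSWER_SPACE[question])
    strong = junk_answer_bits(length)
    return {
        "question": question,
        "weak_bits": round(weak, 1),
        "strong_bits": round(strong, 1),
        "weak_avg_guesses": 2 ** weak / 2,
        "strong_avg_guesses": 2 ** strong / 2,
    }

if __name__ == "__main__":
    for q in COMMON_ANSWER_SPACE:
        print(compare_answer_strength(q))
    print(fill_reset_questions(["mother's maiden name", "name of first pet"]))
```

A 16-character random answer gives about 95 bits of guess space versus roughly 13 bits for a surname drawn from a list of 10,000, which is why the junk answers only make sense when the password manager, not your memory, holds them.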

Because Lastpass does password management differently, they sync all my information across platforms and machines, and I can still access all my account information and log into my websites without uploading any sensitive information to their servers.

So, unlike many password managers, Lastpass doesn’t require too much “trust” from me. It saves all my sensitive information and encrypts it locally on my machine. They don’t have access to any of my information; it doesn’t get saved onto their servers, and it remains secure, encrypted and on my computer.

It’s probably time for all of us, including Sarah Palin, to rethink our online information management and make life easier and safer with a password manager like Lastpass.