Feb 3, 2012

Resolutions with LastPass: #8 Generate OTPs to Use on Untrusted Computers

Logging in from a hotel computer while on vacation? Checking your email from an Internet cafe? Need to briefly use LastPass on a library or university computer? Then you should generate some One Time Passwords and carry them with you!

If you need to access your LastPass data while away from a trusted device, but are hesitant to do so because of potential keyloggers, LastPass provides One Time Passwords (OTPs) as one option for securely logging in to your account.

One Time Passwords are temporary passwords that grant one-time access to your LastPass vault. Once an OTP is used, it can never be used again. The OTP also prevents your master password from being stolen by keylogging software because you don't need to enter it when logging in with an OTP.

While you still have access to a trusted computer, go to the OTP management page: https://lastpass.com/otp.php to generate and print your OTPs. You must also be logged into the LastPass browser addon to manage your OTPs. From this page, you will see links to Add a New One Time Password, Clear All OTPs, or Print your OTPs:

To add OTPs to your list, click the "Add" link. Once you've generated a few OTPs, you can click the "Print" link to carry your OTPs in your wallet, or a copy of them can be carried with you on a portable USB thumb drive.

When you're ready to login to LastPass from an insecure computer, you can revisit the OTP management page to login with one of the OTPs on your list:

Even if the OTP is captured by malware, the password will not allow access to your account in subsequent attempts because it expires after you login with it once.

If you know you'll need to login to LastPass on an insecure computer, be prepared by generating and printing some OTPs!

Best,
The LastPass Team





Have a LastPass tip of your own? Or a feature or question you'd like us to cover? We'd love to hear your thoughts at press@lastpass.com.

51 comments:

  1. Why don't you write them in Base64? In my experience, it's almost impossible to correctly type that long HEX numbers. As the result, I have to keep the piece of paper with the OTPs in front of me for a very long time.

    ReplyDelete
    Replies
    1. yes, you can even publish that piece of paper in the NYTimes, it is a ONE TIME pass

      Delete
  2. Brilliant idea. I keep mine on an unsynchronized note-taking app on my phone; I label them such that no thief, should they ever acquire my phone, will know what they are.

    Ahh, the sweet life of foiling bad dude(tte)s!

    ReplyDelete
  3. Doesn't using the LastPass Screen Keyboard prevent Keylogging also? 9+WhaT AM i MISSING?

    ReplyDelete
    Replies
    1. Good point! I'd like someone to answer this question if possible. Is there any way scammers could bypass the security of someone using a virtual keyboard to click on the letters of their password??

      Delete
    2. I would say using an OTP is a bit safer than using screen keyboard because your master password is never entered and therefore can never be captured.

      Delete
    3. They could potentially have a trojan that has a screen capture feature. Even if it's unlikely, it's possible and a risk. However, never entering your master password makes it pretty hard for them to capture it. :P

      Delete
    4. MaTachi's response is correct - in theory there could be malware with a screen capture feature, which could potentially still see the data you're entering on the virtual keyboard. The OTP ensures that even if it's captured someone can't gain unauthorized access with it since it expires immediately, and the master password is never entered so it can't be captured in any form.

      Delete
    5. There are pieces of malware that get into the browser and can read anything filled in by whatever method - virtual keyboard or not. The problem is, that with such a malware your entire password database can be compromised, because it can be read from the browser's memory while in unencrypted form (after you logged in by whatever means). That's a reason to avoid logging in on untrusted computers altogether.

      Delete
  4. The password length would be an issue for me. If I went the USB flash drive option and did a copy-n-paste would that defeat the extra security OTP offers?

    ReplyDelete
    Replies
    1. This comment has been removed by the author.

      Delete
    2. No, since you can only use the OTP one single time. Even if malware captures it, it won't be usable after you have used it one time. And since you never type in your real master password, they won't be able to login on your account.

      Delete
  5. Great feature! Didn't know this existed, and I have sometimes been afraid of loging in on untrusted computers.

    ReplyDelete
  6. Is this needed if we use Google Authenticator when logging into a new machine?

    ReplyDelete
    Replies
    1. This comment has been removed by the author.

      Delete
    2. It's not "needed" per se, and Google Authenticator does serve as a second form of authentication so if your master password were compromised by malware you would still prevent them from accessing your account because they won't have access to the Google Auth codes. If you want to remove the (remote) possibility that your master password could be captured, though, we'd recommend using an OTP.

      Delete
  7. I didn't know of this either... Shouldn't this be part of the "tools" section of the browser plugin and/or in the "more" section of the Vault?

    I'm definitely using this.

    ReplyDelete
    Replies
    1. Thanks for the feedback, we'll look at making the feature more accessible.

      Delete
  8. My main concern about un-trusted computers and LastPass is that opening my LastPass Vault on an un-trusted computer would expose the contents of the vault (that is, anything in the vault which itself does not require re-entering the Master password [or another one-time password]) could be harvested by LastPass-aware malware on the computer. It's not about screen captures or keyloggers, it's the worry of the vault itself being open in an insecure place.

    ReplyDelete
    Replies
    1. Plz comment somebody. I`m worried with that too.

      Delete
    2. Yes, I would think a "man-in-the-browser" attack would be far more likely on an insecure system. How does LastPass protect against that? (Or from similar malware on your own system for that matter - can the whole vault be read once you log in to lastpass or is that somehow protected?) If this is exploitable, it seems like a high value target...

      Delete
    3. Thanks for the questions. We use HTTPS for all requests, so it's a non-issue.

      Delete
    4. Amber, I think HTTPS doesn't help too much here, as the browser memory can be freely read by the malware. Then again, I can't think of anything that can protect you if a malware is already in the browser - it is already too late. This is probably not much of an issue at the moment, but as LastPass gains more popularity, it's something that might be seen more often.

      As a general rule, I avoid logging in to anything important from untrusted computers. That includes LastPass, bank accout, accounts that have my billing info, primary mail account, etc.

      Delete
    5. Jay, Boyan : you are correct, but with some additional clarifications.

      I think Amber read your statement as 'man in the middle' attack -- ie: a network sniffer.
      In which case, HTTPS does safegaurd you against that (provided that the browser is using trusted non-modified certificates).

      For the 'man in the browser' type attack.
      We try to do things as sensibly as we can. We only decrypt your data on a need basis, and only store the decryption key in a single place in memory. Yes, if someone were able to dump your browser's memory footprint and obtain the contents of your vault it is conceivable that they could decrypt your data, but it's certainly not easy, and there are much easier targets.

      At the end of the day, you must (or LastPass must) submit credentials in plain text to end websites in order for you to log in. So, it is true that there might be a piece of malware embedded in the browser that still leaves you exposed. Security is always at a balance with convenience. If you want to be extremely secure and don't want to accept any risk whatsoever, then simply never use any untrusted PCs, period. But for many people this simply isn't an option and the question then becomes -- given that I'm going to be using an insecure computer and that I understand that I will be accepting some risk here, how best can I protect myself? In the case of LastPass you definitely want to use some form of multifactor authentication, and the less you expose the better.

      Delete
    6. Sameer, yes, I agree. It's always a balance. It's better, though, that people are aware of the risk and decide for themselves what is acceptable and what not.

      Delete
  9. A great feature... I never knew about this. I will be using this for sure....

    ReplyDelete
  10. I too would like to know the answer to Jay Libove question, once your LastPass vault has been securely opened with a OTP is there any malware that can then grab all your saved IDs, passwords, accounts, secure notes that don't require secondary master P/W entry?

    ReplyDelete
  11. It can happen,absolutely, however the information is all encrypted to a very high and cannot cannot be read and is therefore safe. Check this video out which explains how LastPass works. It's a bit slow and long, but explains very well how the info is secured.

    http://www.youtube.com/watch?v=r9Q_anb7pwg

    start watching at around 52min 45sec into the video
    hope this helps.

    ReplyDelete
  12. many thanks, I watched all the LP part of the video & they certainly do waffle on & drag it out, but I don't believe they address this issue, if you're on an infected PC in an Internet cafe say, you can log on securely with OTP etc, but once you do then the LP vault info (which I know they hold encrypted) is all accessible unencrypted on that PC you're using, so is there malware that can copy it all or even just the IDs & passwords that LP fills in for you on sites that you visit using that machine, this needs to be made clear. Also if one exported all the LP info to a pen drive & used that instead of the LP site would that be any safer? Many thanks to anyone who can clear this issue up.

    ReplyDelete
    Replies
    1. Your password should still be masked in most situations, unless you're going in to the edit menu and clicking "show". In that case, if there's malware capturing images of the screen, it's possible they could "grab" the data, but if you leave the data masked they could only "grab" the username or email address that's visible in plain text. Otherwise, the injection of LastPass data into the login fields can't be recorded by keyloggers. If you copy/paste data from LastPass to a login page, it's possible they could grab the values from the clipboard.

      The idea behind OTPs is eliminating the need to type your master password, but it's also a good idea to follow other "best security practices" with your LastPass account to minimize risks and keep your data secure. This includes enabling multifactor authentication, ensuring that you have random, unique passwords for all logins (use the LastPass Icon > Tools > Security Check to evaluate), and being mindful of where you're typing your master password. You may also want to update the passwords for those sites you used on "untrusted" computers after you're back on a "trusted" computer, and maybe even update your master password, too - if you're really paranoid like we are :).

      Delete
    2. First, if you use multifactor authentication you are making your vault *significantly* more secure.

      But if you are using an untrusted computer you are accepting some risk, period.
      Exporting the data to a pen drive *might* be less safe since you will ultimately have to reveal your secure password on the screen or copy it to your clipboard. Malware that does screen recording or clipboard capture is much more prevalent than trying to dump your entire browser's memory footprint looking for a decryption key and then using it with the correct hashing and encryption algorithms to try and decrypt your vault.

      Delete
  13. I'm currently using Sesame authentication, and it's not always easy when I'm on a foreign computer. Will a One-Time Password get me past the requirement to either use Sesame or be on a trusted computer? That would be a great way to be sure I could always access my accounts. Having OTP's is, however, another security risk as you do need to track and keep them physically secure. They're easy to reset and invalidate if you do lose them, but you have to first be aware that they've been compromised.

    ReplyDelete
    Replies
    1. Sesame is very similar like LastPass OTPs.
      At the core, both offer a 2nd factor of protection to safe guard your LastPass vault.

      Sesame is:
      - Sesame is a cross platform GUI application that can generate an unlimited number or OTPs
      - Once Sesame is used to generate an OTP, all prior Sesame generated OTPs are automatically rendered invalid
      - Sesame OTPs automatically expire after a few minutes
      - Sesame can be run from a USB drive
      - To access your vault with Sesame, you must enter:
      i) your LastPass email address
      ii) your LastPass master password
      iii) your Sesame generated OTP
      - You can gain access to your LastPass offline vault (plugin installed), or to your LastPass online vault with Sesame

      The main difference when comparing Sesame with LastPass OTPs are:
      - You must manually generate and enter LastPass OTPs
      - You do not have to enter your LastPass master password when using a LastPass OTP
      - LastPass OTPs give you access only to the LastPass online vault ie: you can't use it to log into the LastPass browser plugin.

      Delete
  14. I would appreciate it if I could create my own set of OTPs. I can generate only a random and VERY long and complex passwords now, which means I have to store these passwords somewhere. Thus, a new security risk is here. In case LastPass would allow personalized OTPs, I could simply remember them without the necessity to keep them written anywhere.

    ReplyDelete
    Replies
    1. Thanks for the feedback, Jimmy, we may look at making this more customize-able in the future.

      Delete
  15. @Amber, hi if you're a LP rep could you address the concerns in my posts above please, many thanks

    ReplyDelete
    Replies
    1. Otoh, see my comments above. Nothing can protect you if the browser is completely compromised, because it is the browser that encrypts and decrypts and shows you your data.

      Now, I am not saying that LastPass is to blame in any way. This is a general problem - there must be something you trust to begin with, and whenever you speak of web stuff, that thing is the browser.

      If people are so concerned of accessing all their accounts from anywhere, I'd rather get a good smartphone and use that. Actually, that's what I do, thanks to LastPass excellent mobile apps. Then, of course, you'll need to take care scuring your phone, but that is quite possible.

      Delete
    2. I'd like to know how to secure the phone Boyan, it seems there are a myriad of hackers out there that can compromise the mobile network and there doesn't seem to be much way of stopping it. I have decided not to use a bank acc login over my mobile, but given that I travel frequently, I'd like to be able to do so securely. Is there a way? Even using Https I still am wary

      Delete
  16. Jay Libove, CISSP, CIPP, CISMApril 13, 2012 at 11:45 AM

    SSL provides no security against man-in-the-browser (or any kind of fully compromised client machine). Thus, my concern above about using even a One Time Password to open the LastPass Vault on an untrusted computer.

    Here's a possible feature to address that:
    Allow us to set our account so that all One Time Password use requires entry of subsidiary One Time Passwords (perhaps shorter, special ones only applicable to this specific situation!) to access ANY item in the vault; or similarly allow us to generate *specific* OTPs which would turn on the "subsidiary passwords required" option; or - though this could be defeated by a LastPass-specific Man In The Browser attack - a checkbox at the LastPass authentication dialog which says "I don't trust where I am, so require subsidiary passwords for all vault accesses".

    Note, I originally thought to describe this as requiring an additional OTP entry to permit all *subsequent* vault accesses, the idea being that the first OTP entry would allow access to the first item requested from the vault. But there's a problem with that; LastPass works (quite reasonably) with the user flow of "authenticate to get access to the vault" then (go away and do other stuff, like navigate to the desired webpage) and only then after some time has passed and malware on the computer has had a chance to interrogate the LastPass vault, access the first desired item from the vault. So, a further authentication is needed to access even the first item desired from the vault. I do not view this as onerous, as we should almost never be accessing LastPass from not-fully-trusted machines anyway.

    Further thought, any item in the vault marked to require authentication before access, even today should require another new OTP to be used, regardless of whether the user is in this hypothetical "untrusted machine mode". I don't know if LastPass does already work that way, as I've never tried logging in to my vault with a OTP except once to test the principle, and that one time I did not go further to try accessing a password-required item.

    (to be continued in next post, as posts have a limit of 4096 characters, and I'm being long-winded today!)

    ReplyDelete
    Replies
    1. Jay Libove, CISSP, CIPP, CISMApril 13, 2012 at 11:46 AM

      (continued from my entry above dated Apr 13, 2012 08:45 AM)

      Here's how the flow would work:
      * I go to log in to LastPass on an untrusted computer, so I take out my OTP sheet, and log in with the first OTP.
      * At the login dialog box, EITHER I check the "I don't trust this place, always prompt me for subsidiary passwords", or the OTP I use was generated with such an option set as discussed above, or I have configured my whole account to act that way for the entire login session occurring any time I use a OTP. As a result...

      * I am now logged in to LastPass, AND for EVERY vault item which anyone or anything (including the Man In The Browser) tries to access, LastPass pops up a subsidiary authentication dialog saying "Your current session is marked as untrusted, so please enter another new OTP in order to access the requested item". This prompt would arise NO MATTER HOW data was requested from LastPass - right-click and fill a field, view anything at all in the vault, Secure Notes, malware on the computer sending synthetic key/mouse strokes to LastPass, the hand of god :-) - ANYTHING at all.

      These subsidiary OTPs could either be the next OTP of the list OTPs we already can generate using LastPass, or perhaps could be a new kind of subsidiary OTP which are
      a) shorter, as we'll be typing more of them; AND
      b) NOT usable for initial vault authentications (as they are shorter and theoretically less secure).
      They would still be one-time only, and each one usable for one single vault item access. So, I log in to LastPass in 'untrusted mode' using a (regular, long) OTP, then try to auto-fill the username and password for a webpage and I have to enter either another OTP or a subsidiary password. Then I try to access ANYTHING ELSE AT ALL - another site auto-fill, a form auto-fill, any piece of data from the vault, even re-freshing that same webpage's login dialog, and I have to enter ANOTHER (DIFFERENT) OTP or subsidiary OTP. Three OTPs used - initial vault login, first site/vault item accessed, and second site/vault item accessed.

      This way unless something injects code right in to the LastPass binary and can bypass all user interaction by LastPass after the initial authentication is performed, even though I have unlocked my vault on an untrusted computer, malware on that untrusted computer cannot interrogate LastPass to drain items out of my vault - each such interrogation by the malware (or by me) would result in another prompt from LastPass.

      Finally, to make this a bit more secure even against somewhat binary-aware malware, the vault probably should NOT be decrypted in memory as a result of the initial authentication, but rather the vault's encryption should be performed per-item so that the list of items can be extracted but the LastPass binary does not decrypt everything at once -- when a specific vault item is requested, then (after entering another OTP if we're in this 'untrusted' mode or the item is marked as requiring re-entry of the user's password) the specific requested item (and only that item) is decrypted and handed back to the user.

      Thoughts? Feedback? Roses? Tomatoes?

      saludos,

      Delete
    2. Hi Jay,

      Thanks for your detailed feedback and idea.
      LastPass already decrypts data only a need basis.
      Also, at the end of the day if you want to view your password or use it to be logged into a website, the password must be decrypted. It doesn't matter if we use 2 or even 10 OTPs.
      So, there is no solution that will offer *perfect* security -- it simply isn't possible.

      I definitely understand that your intent is to allow safeguarding of each item in your vault independently, so that the decryption key is simply never stored in browser memory and you only become susceptible when you enter it, and only for 1 item. We have thought of implementing this type of feature before, but feel that it will simply be way too cumbersome to be generally adopted. People have a hard enough time entering a single OTP. We have some other ideas on this matter that we hope to implement in the future though.

      Thanks.

      Delete
  17. @Boyan many thanks, I won't then be using LP at Internet cafes when traveling, the OTP give protection from key loggers but if a LP specific malware has been installed then it will steal every single ID & PW on your LP account so is not safe to use at all, I wish that LP just made this clear & OTP is a false sense of security

    ReplyDelete
    Replies
    1. You are welcome!

      I think it is still a good idea to keep a set of OTPs around just in case. I would consider the risk of LP-aware malware as pretty low for the time being, but it is a thing to keep in mind.

      I liked Jay's idea above. It is most probably a feature too complicated for the casual users, but I'd live to see something like this available for those who are prepared to use it. It is, of course just a mitigation, but a nice one.

      No matter what security LP offers, I would never use untrusted computer to access critical accounts. LP malware might be a rare or even non-existent thing, but bank Trojans are not! :)

      Delete
  18. Hi,
    I don't know where is the right place to post this and I'm no security expert, but I think using the virtual keyboard could be a lot safer regarding keyloggers if each time you clicked on a "key" the arrangement of the keys changed randomly (or at least the whole keyboard moved randomly around the screen). Another option could be for the user to hover the mouse pointer over a key and after a set amount of time LastPass would recognize this as a keystroke (this way you can also avoid click activated screen captures).

    Just my 2 cents, but I'm sure you guys thought of all this before.

    Thx,

    MA


    BTW, I'm a new user and I love your product, in fact I was going to buy the Blackberry app, but it wasn't that great. Hopefully it will be eventually.

    ReplyDelete
  19. Many thanks to Boyan and Sameer for making me aware and making me understand this a little better.

    This is how new I am: I don't even know if my questions are silly - If I use my own device (iPhone, iPad) and I use a virtual private network (VPN) and Last Pass, am I improving my chances for safety? This question may be stemming from a lack of understanding of how malware gets in the system. How does LP specific malware get in the system?

    I am a long-term (international) traveller and I have to access banking information from time to time. I understand that there is no 100% solution.

    ReplyDelete
  20. Just to add to the Anonymous June 8, 2012 8:49 PM submission - internet is accessed via public wifi or at best, via hotel password-protected wifi.

    ReplyDelete
    Replies
    1. Yes, own device + vpn + LP is probably the best solution. Password protected wifi is no more secure than open wifi, if the attacker knows the password, which is easy to assume in case of hotel wifi.

      Delete
  21. There is something I don't understand. I always thought that the content of your vault, stored on lastpass servers, can only ever be decrypted with your master password. How is it now possible to decrypt it with a OTP? And how come that password can only do it once? What am I misunderstanding?

    ReplyDelete
    Replies
    1. Unless lastpass keeps several copies of your vault, main one encrypted with your master password, then the "slave" ones, each one encrypted with one OTP. Is that how it works?

      Delete
    2. Please see this thread where we detail how we do this safely, without revealing your key to LastPass' servers:

      http://forums.lastpass.com/viewtopic.php?f=12&t=22959

      Delete
  22. why said that my site currently browsing an insecure website. Please help me why this is coming when I click on the Form Fills. My site is http://perthchauffeur.com/booking.php

    ReplyDelete