Jul 16, 2012

Stop using the same key for every lock!

Would you use the same key for every lock in your life? Would you hand that key out to every company you ever interact with? Now imagine that making copies of keys is free and instantaneous, that the keys are stored unsafely at nearly every company, and that the keys can be used remotely, even from other countries. Do you see the insanity of reusing passwords yet? Friends don't let friends reuse passwords.

In the past week LastPass disabled nearly a thousand LastPass accounts due to users reusing their LastPass master password with Yahoo Voices and Billabong, both of which were hacked and had public releases of username and the associated passwords. 

All the disabled users broke all rules for protecting themselves, the three most important being:
  1. Never use your LastPass master password for any site or purpose. Your master password is very important. Treat it as such.
  2. Use LastPass to generate random passwords for every site you use. That way when these sites are hacked you get to laugh about it instead of stress and scramble. LastPass provides a security check to help you validate this.
  3. Utilize the (free) multifactor security options LastPass provides.
We know it's tempting to reuse passwords; that's why we built LastPass. Using LastPass you get the convenience of a single password (your LastPass master password) without the security problems created when you actually reuse passwords.

Multifactor is your second line of defense: it allows your master password to be compromised without your account being compromised. LastPass provides two free and four Premium options. You can also trust your devices and your computers so you're only prompted for a second factor when you use a new computer. This gives you the convenience you love with the security on top. We'd recommend Google Authenticator (free) or YubiKey (Premium).

While LastPass is doing its best to protect people when we see these public releases, many more sites are hacked without the breach ever being made public. If you're reusing passwords, invest a few hours today to prevent days of heartache when the next site is hacked.

Reusing passwords?  Not even once.

42 comments:

  1. I have over 200+ accounts all over the internet with random generate password from LastPass and of course I'm using YubiKey :)
  2. "In the past week LastPass disabled nearly a thousand LastPass accounts due to users reusing their LastPass master password with Yahoo Voices and Billabong"

    proactively? Or at the users request? Can you explain what you mean by this?
    1. Proactively -- we took the exposed passwords and checked them against our customers. Some customers were using the same password in the leak for the LastPass account.
    2. My guess, Matt (and please, for the love of all that is holy, let this be true), is that LastPass took the Username(email)/Password combos that were leaked, and used that combination to check against LastPass users.

      In other words, once they had the list of email/password combos, they could see if any of the email addresses held LastPass accounts. From there, they could use the email/password combo to see if it was a valid LastPass password.

      In other words, all they had to do was what anybody who had access to the credentials would do. Try them and see if they work. They would never actually need to know what your password is to check against it -- they just have to know that it works when they try it.
    3. Thanks for doing this. Above and beyond the call of duty, as always!
  3. How did LastPass determine that users' master passwords were also being used for their Yahoo! accounts? I thought the architecture of LastPass prevented exactly this sort of discovery?
    1. The Yahoo (and other) account leaks included the password, we checked that password against their LastPass account unfortunately finding that the users in question used the same password for both their LastPass account and for their 3rd party account which was leaked. Yes these people were not really clear on the concept of LastPass, but we do our best to protect them.
    2. joe, what do u mean when u say "we checked that password against their LastPass account unfortunately finding that the users in question used the same password for both their LastPass account and for their 3rd party account"

      does this mean u can see the said passwords?

      ajay
  4. Christiaan, that was exactly my question. I'd sure like an answer to this.
  5. I don't use LastPass because it "locks" me - once I start using it and migrate all passwords from the browser's password storage to LastPass storage it's very hard to revert back to the browser's password storage (In case I decide I don't want to use LastPass anymore). Why is that? Why not use the browsers own password storage and just SYNC the damn passwords?
    This is the kind of corporate locking I hate.
    At least the last time I decided to give LP a try it worked that way. I don't suppose it changed.
    The old Xmarks ruled - it was able to sync everything without messing with your data. But now... not cool.
    1. LastPass doesn't "lock you in" like that and we never have! We're against that practice too. Have you looked at LastPass Icon -> Tools -> Export? You can export to CSV, and can export right back into all the browsers that support it (IE and Firefox).
    2. Yeah, and how many browsers can import passwords from CSV?
      I know what the point of this is. Its main point is not security.
      It's to prevent us from using LastPass in combination with other password sync tools.
      Sorry for the trolling, but LastPass is just too corporate for me - luring me to use the free desktop versions, and then pay for the mobile...
    3. You missed the part about LastPass exporting directly back into the browsers that support that.
    4. @Anonymous. I prefer to use LastPass over any browser's password storage, for two reasons - LastPass is much more secure, and I can access my passwords from any computer or device.

      As for being too corporate for luring use with a free desktop version, and then asking to pay for the mobile? LastPass is a bargain at only $12/year. I don't know of any similar service that provides so much for so little.
    5. And you also missed the part where you don't have to disable the built in password store so you will have it stored both places (browser and lastpass).
    6. As I understand it, the browsers store passwords as plaintext, rendering them unsafe, and defeating the purpose of using Lastpass.
    7. Wow, the ignorance and blind stupidity of "Anonymous July 16, 2012 12:02 PM" is absolutely stunning. You should at least RTFM, as it appears you have never even installed LP or used it for 2 minutes.

      Providing an amazing service for free but then charging the wallet-breaking price of $1 a month (3.3 pennies a day!) for access to an optional - yet totally worth it - feature that is completely unnecessary to make the free service work. You corporate b@stards.
  6. @Joe Siegrist how do you know that their master passwords are the same as the leaked plain-text yahoo passwords?
    Aren't the master passwords encrypted? How do you know them? I thought LastPass staff can't find out our real passwords!
    Does it mean that LastPass can view and know my unencrypted passwords?!
    1. No, I imagine they just compared the hashes. Once you have a password, it's fairly easy to check if the hash matches.
    2. When another service has their usernames and passwords leaked, we can run that list against our database by essentially doing the same PBKDF2-SHA2 hashing that you do to create a login hash when you log in. Further, we have our own PBKDF2 rounds on the server which we must also work through. This is very expensive for us computationally, but the security benefit makes it worthwhile.

      Why are we doing this? Because we fear someone else might do the exact same thing with a leaked list of usernames and passwords.
    4. But aren't the salts used during hashing unique to each user? Or are the salt values kept common across users?
    5. Think about it: if someone gave you a username and a password, couldn't you check to see if that was a valid Lastpass account simply by trying to log in? Then couldn't Lastpass themselves do the same thing? Hashes and salts have nothing to do with this. It's computationally hard to *guess* a password, but it's not computationally hard to test one when you know it already.
  7. I just hope you guys figure something out for Windows 8 (Metro). I will not, can not, live without Lastpass!
  8. stop telling me what to do!
  9. Since LP doesn't work for everything and even some web sites, how can one avoid reusing passwords occasionally? Phrase Express is very good at placing any text anywhere, literally. When LP fails to do what I need, PE is my backup via hotkeys. The problem is there are only so many keys available so I tend to use only a few number keys so they're not so hard to remember. Not the best solution perhaps but the odds are in my favor, for now. Can LP offer a better alternative, maybe, but not for free.
  10. My biggest problem necessitating some duplicate passwords is logging in with iPhone & iPad apps, such as the Amazon app. I either must use a password that I can remember or open my Last Pass vault in the browser and look the password up. Is there a solution to this?
    1. I use the Lastpass app, then log in, find the site I need and choose "Copy Password", then paste it into whatever app I want to use. Only slightly annoying, not so bad.
    2. That's what I'd like to avoid. I'd sign up for the pro version if it would alleviate this situation.
    3. If you use the last pass browser and you have auto fill ticked you don't have to cut and paste. Only if you use a different browser. Which sometimes you do have to do due to functionality. But you could try using the lastpass browser with autofill on Amazon url.
    4. You didn't read my post. I am not going to their website, but using their iOS app.
    5. Drop the iDrone and get yourself an Android, which will allow you to use your phone like a big boy. Uncle Steve says his phone is too pretty to allow it to be used all willy-nilly and stuff.
  11. I assume that you only ran the check against people whose login was an @yahoo address, and not against your entire database? Otherwise you've just locked out users who did nothing wrong.

    For example, if Alice's Yahoo! password and Bob's LastPass password are both "swordfish1", you mustn't lock Bob's account!

    Good move, by the way. LastPass is an obvious target for attacks after big leaks like this one. I wonder if you raise a warning or prevent users from setting passwords in their LastPass account where those passwords match their master password? Would be easy to do and would probably catch 75% of these naughty users *before* the disaster happens!
  13. Let me pose a challenging question - to my understanding, lastpass encrypts information on local machine and cannot unlock master password, right?
    Respectfully, how on earth can accounts then be disabled given that the master password was used elsewhere? Yes, I appreciate the security lastpass offers, but this leads to the question.
    1. @Antoine -- LastPass stores a "Login Hash" against your account to verify you've entered the correct username + password to allow download of your encrypted data. This Login Hash is created by doing X (typically 500) rounds of PBKDF2-SHA2, then what LastPass stores is further salted and PBKDF2-SHA2 hashed many more times.

      What we're doing here is taking the usernames and passwords that were released and running them through the same (expensive) algorithms to come up with a login hash. If the login hash matches your account's actual login hash, it means you used the same password and we lock your account.

      If you use a solid password you're certainly safe, everyone impacted here used the same password on multiple sites -- while LastPass is safe from brute forcing most websites are not.
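As an added illustration (this is not LastPass's code and not part of the original thread), the check described in the reply just above and in the earlier reply about PBKDF2-SHA2 can be modelled end to end. Everything in it is constructed: the client-side login hash is taken to be PBKDF2-HMAC-SHA256 over the master password, salted with the username, for the 500 rounds mentioned above; the server-side strengthening is modelled as a further per-account random salt and a constructed 100,000 rounds; and the account names, passwords and leaked pairs are made up. It also answers the questions raised earlier about salts and about Alice's and Bob's "swordfish1": because the username is the client-side salt and only the account matching the leaked e-mail is tested, a shared password on some other account never produces a match, while a known (username, password) pair can be verified exactly the way a login would be.

```python
"""
Added example (not LastPass code): a defender-side check for whether
credentials exposed in a third-party breach also unlock an account here.

Constructed assumptions (modelled on the thread, not on LastPass's real
parameters):
  - the client derives a "login hash" = PBKDF2-HMAC-SHA256(master password,
    salt=username, CLIENT_ROUNDS) and sends that at login;
  - the server applies its own per-account random salt and SERVER_ROUNDS
    more PBKDF2 rounds before storing the result.
"""
import hashlib
import hmac
import os

CLIENT_ROUNDS = 500        # client-side rounds, the figure quoted in the thread
SERVER_ROUNDS = 100_000    # constructed value for the server-side strengthening


def client_login_hash(username: str, master_password: str) -> bytes:
    """What the client would send at login. The username acts as the salt,
    so two users with the same master password get different login hashes."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), username.lower().encode(), CLIENT_ROUNDS
    )


def server_stored_hash(login_hash: bytes, server_salt: bytes) -> bytes:
    """Server-side strengthening: the value at rest is not the login hash
    itself, so a copy of the database does not directly yield login tokens."""
    return hashlib.pbkdf2_hmac("sha256", login_hash, server_salt, SERVER_ROUNDS)


class AccountStore:
    """Constructed in-memory stand-in for the account database."""

    def __init__(self) -> None:
        self._accounts: dict[str, tuple[bytes, bytes]] = {}  # user -> (salt, hash)

    def register(self, username: str, master_password: str) -> None:
        salt = os.urandom(16)
        login_hash = client_login_hash(username, master_password)
        self._accounts[username.lower()] = (salt, server_stored_hash(login_hash, salt))

    def verify(self, username: str, candidate_password: str) -> bool:
        """The normal login check, reused unchanged for the breach scan:
        recompute both PBKDF2 stages and compare in constant time."""
        record = self._accounts.get(username.lower())
        if record is None:
            return False
        salt, stored = record
        login_hash = client_login_hash(username, candidate_password)
        return hmac.compare_digest(server_stored_hash(login_hash, salt), stored)

    def accounts_exposed_by_leak(self, leaked_pairs: list[tuple[str, str]]) -> list[str]:
        """Run leaked (e-mail, password) pairs through the same pipeline a login
        would use. Only the account whose username matches the leaked e-mail is
        tested, so a password shared by an unrelated account is never flagged."""
        return [email.lower() for email, password in leaked_pairs
                if self.verify(email, password)]


if __name__ == "__main__":
    store = AccountStore()
    store.register("alice@example.com", "swordfish1")   # constructed accounts
    store.register("bob@example.com", "swordfish1")     # same password, different salt
    store.register("carol@example.com", "correct horse battery staple")
    leak = [  # constructed third-party breach dump
        ("alice@example.com", "swordfish1"),
        ("carol@example.com", "swordfish1"),
        ("dave@example.com", "hunter2"),
    ]
    print("accounts to lock:", store.accounts_exposed_by_leak(leak))
```

Only Alice's account is flagged: her leaked password verifies against her own record, Carol's does not match her real master password, Dave has no account here, and Bob is untouched even though he uses the same string as Alice, because his record is only ever tested against credentials leaked under his own e-mail.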
    2. @Joe, Thanks for response, makes sense and much appreciated.
  14. I am a firm believer in using the same key for every lock! I can't keep up with all those other keys and what if I lose it? Now at least I only have to get one key remade...
  15. I just installed lastpass in Mozilla and ...

    All my already stored passwords were gone.

    Thanks very much, how do i follow on now,
    no password, no way to get to the different sites,....
    1. Please try logging out and back in to the LastPass browser addon. If you see any ongoing issues, please report them to the support team here: https://lastpass.com/supportticket.php and we will take a closer look with you.
  16. It surprises and shocks me how many people are happy to divulge their passwords if you simply ask for them. People should treat their passwords like PIN numbers and not divulge them to anyone.
  17. Wow amazing article. Multifactor is your second line of defense, it allows your master password to be compromised without your account being compromised. LastPass provides two free and four premium options.