Aug 24, 2012

For the Love of Passwords: Thoughts on Ars Technica's Post & End-of-Week Link Round-ups

If you missed it, Ars Technica's Dan Goodin wrote a fascinating article this week on why passwords have never been weaker -- and crackers have never been stronger. Goodin explains the importance of unique, generated passwords for all of your accounts, tackling concepts like hashing, dictionary attacks, rainbow tables, and salting. The main take-away points:
  • Passwords are less secure than even a few years ago, thanks to advancements in hardware and password-cracking techniques, including the sheer speed at which they can be executed
  • Crackers have built rule sets and algorithms that cut straight through our "clever password tricks"
  • It's critical to use a unique password for each site, and a password manager is the best way to achieve this
It's stuff you've heard us say before, but the data he uses to back up the above provides a really convincing argument (if you have the time, the article is worth a read in its entirety).

With a password manager like LastPass, you're well on your way to protecting your data more proactively: the Security Challenge can help you identify weak and duplicate passwords, and the password generator can set a long, unique password for each account. Data stored in LastPass is encrypted and decrypted locally on your device, so only encrypted data ever leaves it, and your master password is protected with salted hashes rather than stored as-is. Above and beyond that, LastPass stays ahead of the threat landscape by using PBKDF2 to derive the encryption key from your master password, which, as Goodin notes, multiplies the time and computation an attacker has to spend on every single guess.
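As an added illustration (this is example code written for this post, not LastPass's implementation, and the salt size, iteration counts and word list below are made up for the demo), here is what a salted, iterated PBKDF2 check looks like and why it hurts a cracker more than it hurts a user: a legitimate login pays the iteration cost once, while a dictionary attack pays it again for every candidate, and the per-user salt means no table of precomputed hashes can be reused across users.

```python
"""Salted PBKDF2: derive, verify, and see what an offline dictionary attack costs."""
import hashlib
import hmac
import os
import time
from typing import List, Optional, Tuple

# Parameters chosen for this example only; they are not LastPass's settings.
PRF = "sha256"   # PBKDF2-HMAC-SHA256
KEY_LEN = 32     # bytes of derived key


def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """Run PBKDF2-HMAC-SHA256: `iterations` chained HMACs per derived block."""
    return hashlib.pbkdf2_hmac(PRF, password.encode("utf-8"), salt,
                               iterations, dklen=KEY_LEN)


def make_record(password: str, iterations: int,
                salt: Optional[bytes] = None) -> dict:
    """What a verifier stores: a random per-user salt, the iteration count, the key.
    The salt is public; its job is to make every user's derivation unique."""
    if salt is None:
        salt = os.urandom(16)
    return {"salt": salt, "iterations": iterations,
            "key": derive_key(password, salt, iterations)}


def verify(password: str, record: dict) -> bool:
    """Re-derive with the stored salt/iterations and compare in constant time."""
    candidate = derive_key(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["key"])


def dictionary_attack(record: dict, wordlist: List[str]) -> Tuple[Optional[str], int]:
    """Offline attack against a leaked record: try each candidate in order.
    Returns (matching password or None, number of derivations performed).
    Every guess costs the full iteration count; nothing can be precomputed
    before the salt is known."""
    for guesses, candidate in enumerate(wordlist, start=1):
        if verify(candidate, record):
            return candidate, guesses
    return None, len(wordlist)


def guesses_per_second(iterations: int, budget_s: float = 0.25) -> float:
    """Measure this machine's single-core guess rate at a given iteration count.
    Real crackers use GPUs and run far faster; the ratio between counts is the point."""
    salt = b"\x00" * 16
    start = time.perf_counter()
    deadline = start + budget_s
    guesses = 0
    while time.perf_counter() < deadline:
        derive_key("candidate", salt, iterations)
        guesses += 1
    return guesses / (time.perf_counter() - start)


if __name__ == "__main__":
    # Constructed word list standing in for a cracking dictionary.
    wordlist = ["123456", "password", "monkey", "letmein", "qwerty"]
    rec = make_record("monkey", iterations=5000)
    print("correct master password verifies:", verify("monkey", rec))
    print("wrong master password verifies:  ", verify("m0nkey", rec))
    print("dictionary attack result:        ", dictionary_attack(rec, wordlist))

    # Same password, two users, two salts: different keys, so one rainbow
    # table cannot be built once and applied to everyone.
    a, b = make_record("password", 1000), make_record("password", 1000)
    print("same password, same key?", a["key"] == b["key"])

    # Raising the iteration count scales the attacker's cost linearly.
    for it in (500, 5000, 50000):
        rate = guesses_per_second(it)
        print(f"{it:>6} iterations: ~{rate:,.0f} guesses/s on one core; "
              f"a 1,000,000-word dictionary takes ~{1e6 / rate / 60:,.1f} min")
```

Two things to take from running it: the iteration count lives in the stored record, so a service can raise it over time and re-derive on the user's next login, and the slowdown is symmetric only in appearance, since the user pays it once per login while the attacker pays it per candidate per salt.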

A few other articles this week that caught our eye:
What caught your attention this week? Share in the comments below!

Enjoy the weekend,

The LastPass Team

18 comments:

  1. I am a firm believer in LastPass, and use it to manage hundreds of passwords. However, I recently got to thinking how this is an enormous single point of failure.

    If I were to lose access to LastPass for any reason, I would be unable to access all of my accounts since I no longer know what any of my passwords are.

    If my LastPass account were compromised for any reason, all of my other accounts would also be compromised.

    Either of these things would be very bad. Comments/suggestions?

    Replies
    1. The only failsafe if you want to stick to LastPass is to use a different password that is not auto-generated for your email. That way, you can reset your other accounts.

    2. Use LastPass for all sites except your e-mail, where you also have a really good password. Therefore if you lose LastPass you can reset passwords through your e-mail.

    3. Multifactor authentication is critical - it provides an added step for gaining access to your account, so a compromised master password does not translate to a compromised account.

    4. Another option is to store an offline copy of your LastPass database in a secure location, e.g. an encrypted USB thumb drive.

    5. Everything's pretty much been covered.

      1) Set up multifactor authentication so that it's no longer good enough to have just your LastPass password. (Bad guys require your Authenticator Code in order to log in)
      2) Back up your LastPass data regularly to a secure place. (You can use LastPass Pocket to access an encrypted XML file with all of your LastPass data in it.)
      3) Turn up the number of PBKDF2 iterations in your LastPass settings (this mitigates risks of bad guys trying to brute force their way into figuring out what your encryption key is)
      4) Use a security notification email address for LastPass account change notifications.
      5) Set up One Time Passwords to access your LastPass account. (If anything ever happens so that you forget your master password.)

      Hope that helps!

    6. The perfect solution? Export those passwords from LastPass, print them on good old-fashioned paper and keep them physically secure in the same way you would secure your passport or credit card. It's useful as a last resort, and gets around the thing which often blindsides us technical people. Sometimes the old-world solution is the correct one.

  2. LastPass is great for "normal" web pages where it can automatically fill in the generated strong passwords.

    However, more and more and more and more... web pages use JavaScript popups that LastPass cannot populate.

    And just as common: more and more phone apps require the same login and password as their website (or don't even have a website, but still deserve a strong password).

    Finally, Android has a dozen GOOD browsers to choose from: LastPass does not integrate with many of these (except... Dolphin?).

    Suggestion: Is there a way to get LastPass to integrate into the keyboard drivers of both PCs and Android keyboards?

    Replies
    1. Actually, the LastPass app for Android provides an alternate LastPass keyboard. It's pretty much the default, but includes a LastPass button, which performs an auto-fill. It might be worth your while to look into it.

    2. Echoing GothPanda, we do have the LastPass input method on Android, and the Save All command should at least provide a workaround for tricky sites. We continue to improve as logins evolve.

    3. I use SwiftKey on Android. You mean I have to switch to an entirely different soft keyboard in order to have the LastPass input method available? Or should it show up like microphone input or something?

    4. Currently yes, you'll need to fully switch; we may support SwiftKey in the future.

    5. The LastPass keyboard is a clunky solution at best; the real answer is integration with SwiftKey for Android users (not an iPhone user; does iPhone have SwiftKey? I thought not). Could you create an app that lists all the apps on your phone and allows you to match them up to different usernames and passwords?

  3. First You say:

    "[...]passwords have never been weaker -- and crackers have never been stronger.[...]"

    and then You add...

    "[...]Enjoy the weekend,[...]"

    How can a Paranoid Pole enjoy the weekend after reading such a thing? ;)

    But being serious for a moment... Thanks for a great product. I've been using it for a few years now and I am very happy with it. I recommended it to several folks and they are enjoying it too.

    Regards.

    AndrzejL

    Replies
    1. :) At least you can be proactive now!

  4. Good points, but generally covered. You do have the ability to have a local encrypted copy of your database. Even if LastPass were to go out of business and the servers erased, you still have your data.

    Your second point is true, but it should be mitigated. It does need to be a strong password. Having "monkey" as your LastPass password is a bad idea. But, since it's really the only password you need, you can make it a strong one that you can remember. Plus you can restrict logins so that someone can't access it from a country you don't live in or aren't travelling in. You can use two-factor authentication with Google Authenticator, or a YubiKey, to add layers of security.

  5. >>Since this article reflects common password design, will _Last_Pass_ start reviewing / critiquing master passwords using the processes described in the article?
    >>Also, can we get some suggestions for Master Passwords that are remember-able, and mostly secure? For example, the article notes that verses from religious sources are in the quick to decode pile [not first pass, but in there]; I have used Bible verses [including capitals, numbers, symbols, etc.] as access to my "Trusted Computers" [different ones for different 'trusted's]. Now, I am concerned that these may be compromised by an attack, and thus lead to my account data.
    >>Would lengthier passwords be the answer? My bank just went to 24 characters, any keyboard characters, which made me feel better than the previous 8. And I upgraded my password to 24 characters, thinking that it would take until the next millennium for the password to be brute forced. Now, I am not so sure.

    Replies
    1. We do offer a master password strength checker in the Security Challenge (LastPass icon > Tools > Security Check), and we'll continue to look at offering tips and restrictions for master passwords. Using a longer phrase, but switching out some characters for numbers and symbols, is usually a good method: it should be something that has meaning to you so it's memorable, but not too closely based on a common, logical sequence of words or characters. 24 characters is a very good master password, as long as it's unique.
