Aug 8, 2012

Want to Up Your Online Security? Follow These Steps Now.

If you haven't seen the recent reports of Mat Honan's devastating hack, it's a powerful story and one worth reading in its entirety. In part it is a cautionary tale about the current security practices of online services, but taken together with other recent breaches it raises bigger questions: what can we learn from the situation, and how can we prepare ourselves going forward?

There are two overarching messages we want LastPass users, and the web community at large, to take away from the story:
  • Proactiveness and preparation are key in mitigating risks of attacks, and
  • Protect your email account like your online life depends on it, because it pretty much does these days.
And a password manager like LastPass can help with both. Here's how:
  1. Change the password for your email account(s), now. We have seen alarming statistics on the number of leaked passwords out there, including leaked email username and password combinations. A password generator like the one built into LastPass lets you create a unique, long, strong password for each of your online accounts, and the LastPass Security Challenge can help you find any weak or duplicate passwords still lurking in your vault. Remember that one compromised password compromises every account that reuses it, and every account whose password reset goes to the compromised mailbox.
  2. Protect your email account(s) with multifactor authentication if possible. Google has increased efforts to encourage all Gmail users to set up multifactor authentication. If your email service offers the option, enable it as soon as possible. You'll ensure that just knowing the password for your email account will not be enough to let someone in.
  3. Replace answers to "security questions" with obscure, non-personal responses. Truthful answers are often public or easily guessed, which makes them a social-engineering risk. Use a password generator or invent bogus answers, then store them in a secure note in LastPass: if you ever need to reference one you'll have it, and your real personal details can't be used against you.
  4. Set up multifactor authentication for your LastPass account, now. With multifactor authentication enabled, a second piece of login data must be entered after you submit your master password and before you can access your stored data. So even if your master password is somehow captured, by a keylogger or by someone you thought you could trust, they stay locked out because they don't have that second factor.
  5. Create a "security email address" for your LastPass account. Although protecting your primary email address(es) should be a high priority, you can set up an obscure email address to be used in the case of account recovery, multifactor authentication resets, and other critical changes to your LastPass account.
  6. Run the Security Challenge, and get proactive about your security fitness level. Located in the Tools menu of the LastPass addon, the Security Challenge lets you keep an eye on weak and duplicate passwords and reminds you of ways to improve your overall online security (such as #4 above). Take full advantage of LastPass security options, like automatic logoff when the browser is idle and restricting logins to IP addresses in certain countries.
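As an added example (not LastPass code, and not part of the original post), here is what steps 1, 3 and 6 amount to in practice: generating passwords and bogus security-question answers from the operating system's CSPRNG, estimating their strength, and running a Security-Challenge-style audit that flags reused and weak entries in a vault. The symbol set, the 60-bit threshold, and the sample vault are assumptions chosen for the illustration; the vault entries are constructed, not real credentials.

```python
import math
import secrets
import string
from collections import Counter

# Character classes. SYMBOLS is an assumed set; trim it to what a given site accepts.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{}:;,.?"
CLASSES = (LOWER, UPPER, DIGITS, SYMBOLS)


def generate_secret(length: int = 20, classes=CLASSES) -> str:
    """Uniformly random string over the union of `classes` that contains at
    least one character from every class. Rejection sampling keeps the
    distribution uniform over the accepted strings, and `secrets` draws from
    the OS CSPRNG (never use `random` for credentials)."""
    if length < len(classes):
        raise ValueError("length must be at least the number of character classes")
    alphabet = "".join(classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in classes):
            return candidate


def entropy_bits(password: str) -> float:
    """Rough strength estimate: length * log2(pool), where the pool is the union
    of the character classes present. This overestimates dictionary words and
    patterns, so treat it as an upper bound, not a guarantee."""
    pool = sum(len(cls) for cls in CLASSES if any(ch in cls for ch in password))
    return len(password) * math.log2(pool) if pool else 0.0


def audit_vault(vault: dict, min_bits: float = 60.0) -> dict:
    """Security-Challenge-style pass over {site: password}: report sites whose
    password is reused anywhere in the vault, and sites whose password falls
    below `min_bits` (60 bits is an assumed threshold)."""
    uses = Counter(vault.values())
    return {
        "duplicates": sorted(site for site, pw in vault.items() if uses[pw] > 1),
        "weak": sorted(site for site, pw in vault.items() if entropy_bits(pw) < min_bits),
    }


# Constructed sample vault for the audit; none of these are real credentials.
SAMPLE_VAULT = {
    "mail.example": "Tr0ub4dor&3",
    "bank.example": "Tr0ub4dor&3",        # reused from the mailbox: one leak opens both
    "forum.example": "password",          # weak
    "shop.example": "xK9#mQ2$vL7@pR4!nW3^",
}

if __name__ == "__main__":
    print("new email password:", generate_secret(24))
    # Bogus security-question answer: letters and digits only, since many
    # forms reject punctuation. Store it in a secure note next to the question.
    print("answer for 'first pet':", generate_secret(16, (LOWER, UPPER, DIGITS)))
    print("audit:", audit_vault(SAMPLE_VAULT))
```

The audit is the point of step 6: the two "Tr0ub4dor&3" entries look strong on their own but are flagged as duplicates, because the mailbox password is also the bank password and a leak of either opens both.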
Remember, LastPass is just one tool in your arsenal, but one that can help you be proactive and mitigate potential risks. You should also follow standard practices like avoiding open WiFi, running up-to-date antivirus software, avoiding public computers, and always backing up your data - but that's a post for another day.

We highly recommend all LastPass users follow the above steps, and as soon as possible. We also call on your help in spreading the word about secure password management to family, friends, and coworkers who would benefit from the ability to achieve higher security standards while making their online life easier. If you want to recommend LastPass, you can do so here: https://lastpass.com/friendemail.php and receive Premium as a thank you!

The LastPass Team

28 comments:

  1. So, is multi-factor auth to LastPass needed when I just log into the LastPass Chrome extension, or is this only when logging into the LastPass web site?

    Replies
    1. Once enabled for your account, you will be prompted when logging in to your account in any location, whether the web vault or any browser addon. Only Google Auth and YubiKey NEO are currently supported on mobile devices, however.

    2. I have my lastpass set to logout after short inactivity or when the screen saver is on or when I lock the PC. This is very important for work... because while most people can't log into my PC, the admins there have full auth to log in. So, while they have the keys to my PC, they don't have the keys to my Lastpass account.

      So, I might log into the LastPass Chrome extension 5 to 10 times a day, and needing a second factor would just be too much of a pain.

    3. Once you enable the 2nd factor authentication on your LastPass account, then you can establish any device as 'trusted'. This means that you will only be prompted for your master password on that device (and not the 2nd factor). So... unless the bad guys get your device TOO, then you will be safe and secure.

  2. With many of us also using an iPad to access our email accounts, it becomes more difficult to keep up with security. Even LastPass, which offers some apps for the iPad, does not seem able to provide foolproof security for this.
    What do you suggest we can do about this?

    Replies
    1. If you want to be extra cautious, it's advisable to logoff your email account when you're done, whether using the browser or a standalone app. LastPass can help make logging back in easier, and it ensures that if your device is lost your email account(s) aren't at risk.

  3. Hey LastPass, more people would use multi-factor auth if it weren't so scary with LastPass.

    Unlike LastPass, Google multi-factor auth allows me to use "matrix" (like), Google app, SMS with two phones, etc. to do my multi-factor auth. With LastPass I can only use one of these.

    Needs to be fixed ASAP.

    Replies
    1. We do only allow one multifactor authentication method to be used at any given time with your account, but we offer a number of options so you can select one that will best meet your needs. We'd welcome any further feedback you may have on making multifactor more usable: https://lastpass.com/supportticket.php

    2. @Amber thanks for confirming my understanding. It would be much better if LastPass multi-factor auth worked like Google's and we could use ALL of your options at the SAME time and not have to select only ONE.

      Any idea when you guys will be able to improve LastPass so more people will protect themselves?

    3. Encouraging people to use even one multifactor authentication method, and spreading awareness of what it is to begin with, is the critical first step. Improving and adding features for users to protect themselves continues to be our primary focus.

  4. Hi
    I think you should set the automatic log out time to something like 30 minutes as default. Right now, it is not set at all, which means people with computers that are never turned off might have a logged in account just standing there.

    Replies
    1. Ron White: "Ya can't cure stupid."

  5. Why should I trust Google to be my 2FA? I can't use YubiKeys because my work computer does not allow the use of USB drives, and Sesame continues to show up as a virus (or dangerous file) on all my computers with Symantec/Norton. That just leaves Google, and while I trust LastPass to do the right thing, I do not trust a company that will take as much data from my hard drive as they can and target advertising (and other things) to me without asking. Google's privacy record sucks thus far. So my question is - why should I trust Google as my 2FA?

    Replies
    1. Google is free; you seem to have no problem using their services without paying for them. Shouldn't you cut them a little slack?

    3. With Google 2FA, Google never has the key used for the LastPass 2FA. Google uses the open OATH HOTP and TOTP algorithms for their 2FA, so you don't even have to use the Google Authenticator app. You could use any application that will parse the QR code presented by LastPass. Additionally, Google has open sourced their Google Authenticator apps, so there is little they could do to circumvent the security.

    4. I use yubikey as my 2FA for LastPass. The Yubikey appears as a keyboard, not as a drive. Most lockdowns will still allow keyboards to be plugged in.

  6. Hello! What is a good way to store security questions and answers for our different accounts? Please suggest.

    Replies
    1. This blog post: http://blog.lastpass.com/2012/01/new-years-resolutions-with-lastpass-5.html is a great place to start.

    2. Thanks! Will go through that.

  7. The google authentication based login should be improved. There should be an option to send the 6 digit authentication code via phone to a backup phone number.

  8. I use Two-Factor Authentication across a lot of my accounts. I feel a lot more secure when I can telesign into my account. If you have that option available to you use it, it is worth the time and effort to have the confidence that your account won't get hacked and your personal information isn't up for grabs. It would be nice to see more of the leading companies in their respective verticals start giving their users the perfect balance between security and user experience. I know some will claim that 2FA makes things more complicated, but the slight inconvenience each time you log in is worth the confidence of knowing your info is secure. I'm hoping that more companies start to offer this awesome functionality. To me this should be a prerequisite to any system that wants to promote itself as being secure.

  9. Gmail offers address variations as an extra security layer. Any thoughts on whether this is useful? See:

    http://dannseca.blogspot.com/2012/09/add-simple-extra-security-layer-to-most_22.html

    Replies
    1. Strong passwords are arguably more important, but security by obscurity would be a benefit in the case of that Gmail feature.

  10. Love your products and Premium version with Android!
    Any way to have different settings for home & away?
    Like the ability to have a stronger profile/setting when I leave my home office.

    Replies
    1. We're glad to hear that. Yes, you can modify the browser addon settings for each computer where you install them, via the LastPass Icon > Preferences menu. You can set LastPass to autologoff on computers where you want to restrict access. Multifactor authentication: http://helpdesk.lastpass.com/security-options/#Multifactor+Authentication+Options is also highly recommended, you can mark certain devices as "trusted" so you won't need to enter the multifactor data there, but will be required to do so on other machines. Please direct any further questions to our support team: https://lastpass.com/supportticket.php we're happy to be of further help.

  12. Or better yet, create a stronger password! I made mine with passwordturtle.com. They make your passwords from common English phrases so they're easy to remember and secure. I highly recommend them.
