LastPass Security Flaws Disclosed

The link below takes you to the best explanation I've seen on two recently disclosed LastPass security flaws. A few thoughts:

  1. The Bookmarklet vulnerability is the more serious of the two problems, but its exploitation would be difficult – you'd have to be on a rogue or compromised site, and then use the bookmarklet to try to log into that site. Less than 1% of LastPass users use the bookmarklet. Still, I'd venture a guess that most exploits come via compromised sites, so maybe this is a bigger problem than it seems.

  2. The One Time Password vulnerability would be unlikely to cause a problem, as someone would need to target you with your username, and even then the person would only have access to your encrypted data.

  3. Most concerning is how long it took LastPass to disclose these vulnerabilities after they were patched, about 10 months. The LastPass blog post made it sound like the company was giving the researcher a chance to publish his findings first. Sounds like PR spin to me, with the company having no choice but to discuss the fixed problem after the researcher disclosed it publicly.

I've been using 1Password since the start of the year, but I was a devoted LastPass user prior to that. I fell into the “less than 1%” of users who used the bookmarklet. In fact, the bookmarklet is what I miss the most in 1Password, as it made browsing in Safari on iOS much easier.

Despite the way LastPass seems to be downplaying this, this one is a serious stumble that should give users pause. Still, I think a password manager like LastPass is a much better alternative to the way that most people handle passwords.

LastPass security holes found by researcher, says password management firm – but no need to panic | ESET Welivesecurity Blog

How to Backup Your LastPass Passwords to 1Password


No, LastPass fans, the title of this post doesn’t mean that you need to tell me I’m an idiot for switching. LastPass is still my favorite password manager, although I do enjoy 1Password’s user interface. I recently decided, though, that it would be prudent to have a backup of my passwords in a secure place, outside of LastPass. I already had a license for 1Password, so that seemed like the perfect spot. Here’s how I backed up my LastPass passwords to 1Password. You could use the same method to migrate from LastPass to 1Password, too.


The 2011 App of the Year


LastPass is the 40Tech community’s choice for 2011 App of the Year. After almost a week of voting, LastPass outdistanced the second place finisher, Springpad, by over 250 votes. If we had voted ourselves, LastPass would have merited strong consideration. As a convenient and secure password manager, it is one of a handful of apps that the 40Tech team uses on a daily basis. One of the earliest posts we wrote, and still one of our most popular, was a comparison between LastPass, KeePass, and eWallet, with LastPass coming out on top as our favorite password manager. LastPass fared just as well when we put it through the paces against 1Password. Do you use LastPass?

Make Your LastPass Account Uncrackable: LastPass Adds Support for Google Authenticator


LastPass, our favorite password manager, has just introduced support for two-factor authentication through Google Authenticator. Two-factor authentication is a form of security that requires a user to present a second form of confirmation before being able to log in to an account. We previously wrote about how, for Google accounts, that second form of authentication can come via a one-time code generated by the Authenticator app for iOS, Android, and Blackberry. That same app can now be used with LastPass.


LastPass vs. 1Password: Password Manager Shootout [Windows/Mac]


Password managers help you keep track of your passwords, which is vital if you want to use unique passwords on all sites that you visit. We’ve previously compared LastPass, KeePass, and eWallet, and found that LastPass came out on top. Those aren’t the only apps in the password manager field, though, and LastPass just experienced a potential security issue. “Potential” is the key word here. There was no definitive indication that user data was compromised, but the LastPass team required all users to change their master passwords, out of an abundance of caution. Still, it seemed like a good time to compare LastPass with another popular choice in the field, 1Password.


LastPass Hit By Potential Security Breach (and Some Quick Tips On Creating a Strong, Memorable Password)


With all of the crazy outages and hacking going on in the digital world over the past week or two, the fact that LastPass has an issue (as of May 3rd), probably shouldn’t come as a surprise. Still, it is a bit of a shock to the system to be reminded that the “last password you’ll have to remember” is potentially as vulnerable as any other. Before panic sets in among LastPass users (of which I am one), know that the company is on it, and that those with strong, non-dictionary based passwords should be fine in any case. LastPass also admits that they may even be overreacting, but prefer to err on the side of caution when it comes to keeping your data safe — a policy that I am 100% behind.

Without getting into the technical aspects behind it all, what basically happened is that LastPass discovered at least two network traffic anomalies in their systems that they couldn’t explain. One occurred in a “non-critical machine” and the other came from one of their databases. The second matched with the first and involved information exiting the LastPass environment. The company reported in their blog post that the outgoing amount of data was large enough to have contained email addresses, password hashes, and “server salt,” but not enough to have “pulled many users’ encrypted data blobs.”

While LastPass doesn’t feel that the issue is a large one, they recognize the potential for brute force hacking on the passwords of any users that may have been compromised. This is most likely to affect those who have a master password that is lacking in strength and/or dictionary-based, which is still incredibly common, even today. To protect the integrity of their systems, and their users’ data, LastPass is requiring all users to change their master password. They are also looking for email validation from you if you happen to be logging in from an IP address that is outside your usual set. This is an added security measure, just in case your password does get compromised before it is changed.

Don’t rush off and change your password right away, however. The sheer volume of password change requests is slowing down LastPass as a whole, which is causing server connectivity problems across the board. The company has beefed up the email verification protection as a result, and are confident that there should be little risk in waiting a day or two before changing your master password. You will have to do it eventually, however.


Creating a Strong – But Easy to Remember – Password

When you do change your password, strength should be your primary focus — but there is no reason you have to put together something that is impossible for you to remember. That may seem a bold statement, considering that strong passwords need to have combinations of numbers, symbols, and both uppercase and lowercase letters — and should avoid dictionary words — but a great post by Gina Trapani (Lifehacker) back in 2006 essentially solves that problem.

Gina advises that you use a single rule set as the basis for all of your passwords. You start with a base password that you create from something like a favourite acronym, letter/number combination, or nonsense word that you will never forget. Pad that with some symbols for extra safety, if you want, and store it somewhere offline, just in case you forget it. Once the base of the password is set, the rest comes as a result of the service you are signing up for.

For example, you could set your base password using your initials (including middle) or even your favourite pet’s initials, combined with your favourite number. In this case, you are the proud owner of Fluffy Cattington, and have a love for the number 86. Your base password could be something like FC86, or FfyCt86, etc. Add a few things to that for extra strength and you could have this: &*FfyCt86!, or #(FC86)^^. Already, we are well on our way to a secure password.

The next step is to add a standard code for the service you are using. Initials or the first few letters of the service name are good here as well. If this were to be your LastPass master password, for example, you could have something like this: &*FfyCt86!LP, or #(FC86)^^Las. Just try to make sure your password is at least eight characters long and that you are using numbers and letters. Using symbols and uppercase/lowercase letters is even better, but not all services will allow this in their passwords, so you may have to adjust for that. LastPass does, so no worries there.
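The base-plus-service-code scheme above is easy to apply by hand, but it is also easy to check mechanically. The following is an added example, not code from the post or from Lifehacker, that derives passwords from a base for several services and audits each result against the rules the post states (at least eight characters, both letters and numbers, with symbols and mixed case as the stronger extras). The base password, the service codes, and the function names are this example's constructed assumptions.

```python
import string

# Constructed sample base: pet initials "FfyCt", favourite number 86, symbol padding.
BASE_PASSWORD = "&*FfyCt86!"

# Hypothetical per-service codes, following the post's "initials or first few letters" rule.
SERVICE_CODES = {"LastPass": "LP", "Gmail": "Gm", "Amazon": "Amz"}


def build_password(base: str, service_code: str) -> str:
    """Apply the post's rule set: the fixed base followed by a short service code."""
    return base + service_code


def check_rules(password: str, min_length: int = 8) -> dict:
    """Audit a password against the post's rules. 'required_ok' covers the minimum
    (length, letters, numbers); 'recommended_ok' also demands symbols and mixed case."""
    has_lower = any(c in string.ascii_lowercase for c in password)
    has_upper = any(c in string.ascii_uppercase for c in password)
    has_digit = any(c in string.digits for c in password)
    has_symbol = any(c in string.punctuation for c in password)
    length_ok = len(password) >= min_length
    required = length_ok and (has_lower or has_upper) and has_digit
    return {
        "length_ok": length_ok,
        "letters": has_lower or has_upper,
        "digits": has_digit,
        "symbols": has_symbol,
        "mixed_case": has_lower and has_upper,
        "required_ok": required,
        "recommended_ok": required and has_symbol and has_lower and has_upper,
    }


def strip_symbols(password: str) -> str:
    """Fallback for a service that rejects symbols, as the post notes some do;
    the result still has to pass the required rules."""
    return "".join(c for c in password if c not in string.punctuation)


def derive_all(base: str, codes: dict) -> dict:
    """Derive one password per service and return each with its rule audit."""
    results = {}
    for service, code in codes.items():
        pw = build_password(base, code)
        results[service] = {"password": pw, "audit": check_rules(pw)}
    return results


if __name__ == "__main__":
    for service, info in derive_all(BASE_PASSWORD, SERVICE_CODES).items():
        print(f"{service:10s} {info['password']:16s} required={info['audit']['required_ok']} "
              f"recommended={info['audit']['recommended_ok']}")
```

The audit only checks the composition rules the post lists; it says nothing about whether the base itself is guessable, which is why the post stresses choosing a base that is not a dictionary word.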

Check out the Lifehacker post for even more ideas on how to choose your base password.

If you are interested in alternatives to LastPass, check out Evan’s post on eWallet vs. KeePass vs. LastPass. I like LastPass, though, and am pleased by the lengths they go to in order to protect their service and users. Evan also makes a great case for LastPass here.

What are your thoughts on choosing and remembering strong passwords?

Would LastPass Stand Up to a Password Cracker?

Last week, Lifehacker posted an article detailing how to recover your Firefox master password using a freeware password recovery tool, Firemaster. Firemaster generates password guesses on the fly, coupled with other procedures, to rapidly attempt to crack your password. If you lose your master password, you lose access to ALL of your passwords, so being able to recover it is great, right? Maybe not. If you can use Firemaster to crack your password, so can anyone who has access to your computer.

A few months ago, we took a look at three password managers, and fell in love with LastPass. How would LastPass hold up to tools like Firemaster?

Password Manager Shootout – eWallet vs. KeePass vs. LastPass


I initially intended for this post to discuss my disappointment with password managers. After a few years of hearing tech sites and other tech geeks praise password managers, I finally jumped on the bandwagon last week. A password manager is software that helps you organize and remember passwords, PIN codes, and sometimes even bank account and credit card information. I wanted a password manager that would work across multiple platforms – PC, iPhone, and U3 (SanDisk’s thumbdrive technology). For that reason, I started with eWallet. From there, I also looked at KeePass, which is the manager I have seen discussed the most in tech circles. In both cases, I was disappointed. I was wondering whether my expectations had been too high. It was then that I discovered LastPass.

For another password manager comparison, check out our showdown between LastPass and 1Password.

Photo by Mirko Macari