Password Security Catch-All Thread [2015-06-16: Update your LastPass master password]

I've been using Password Managers for a while, starting with Roboform sometime in 2005. Mostly because Roboform is purely desktop-based, I wound up going with the layered password approach - i.e., a weak password for forums, variations on a strong password for sites like Amazon and then memorable phrases for things like Gmail or Banking (although 2FA has caused me to lower the password complexity on banking nowadays).

I finally moved to Lastpass sometime last year, after I realized I needed my passwords on Linux and Android as well. So the news of the "hack" was more than a little disconcerting - although I'm confident nothing terrible has actually happened to my account.

Partially because I've been in situations where I couldn't access my accounts since Roboform wasn't available, I'm loathe to move to the process of letting Lastpass generate all-random passwords. What do you folks think - is it okay to continue with a layered approach? Or is that approach too risky for today's server-side hacks?

Thanks, Legion. I definitely get where you're coming from and yeah, i probably was coming at the problem from the opposite direction. I just think that relying on a third party service that could disappear at the drop of a hat (either through being bought-out/shut down, lack of internet etc) you lose the benefits that it provides over having a device that you, yourself, manage.

Well there's always offline managers like KeePass.

It too keeps your passwords in an encrypted vault, just one that lives on your computer (or perhaps on some "cloud" space that you control, like Dropbox).

But one of the nice things about LastPass is that it too keeps a locally stored copy of your encrypted vault on your computer. So if the LastPass service disappeared tomorrow, I could still access the locally cached version of my password vault.

avggeek wrote:

Or is that approach too risky for today's server-side hacks?

The risk of your passwords being compromised from LastPass is extremely low.

LastPass themselves do not have enough information to access your vault. It is completely locked until you provide your password, and the vault is unlocked on your side of the wire.

Even if attackers got all your stored information off of LastPass's servers, they would just have a big encrypted blob and a password hash. They would have to crack the password hash before they could access anything from your encrypted password vault. And given a strong hashing algorithm, if you chose a strong password, it would take attackers a very long time before they could successfully crack your password and access your vault.

Hackers can't get "the key" to unlock your vault because LastPass doesn't have it themselves. Only you do. (Which is why LastPass can't help you if you lose your master password).

So, no, I would not consider it too risky. Just make sure you use a strong master password.

So I've ordered one of the Yubico VIP keys and I'm curious about a couple of things, I can't seem to find any info about switching the VIP access to slot 2 since I'll probably be using the OTP more often than the VIP features and I don't want to have to hold the button for 2.5+ seconds to get there.. I've also found this which might be interesting for securing my desktops..

http://www.rohos.com/products/

Anyone tried Rohos Login Key?

I was going to complain that Lastpass makes it extremely difficult to export your data into another manager, but that seems to have changed. Now you can just dump your Lastpass data into a single file and import it into something like Keepass.

So I guess if you were avoiding Lastpass for that reason, you might give it another chance. I never stopped using it, but it always stuck in the back of my mind as a dick thing to do. Their FAQ even used to read something like "We do not plan to implement additional export features because we want you to continue using Lastpass."

So you guys think Lastpass being hacked last week is a non-issue?

Baron Of Hell wrote:

So you guys think Lastpass being hacked last week is a non-issue?

Read everything that's already been written on the subject in both this thread and the LastPass one.

Short answer: there probably was no "hack", there was extremely low risk of issue if the "hack" did in fact happen, and your stuff is pretty damn secure even if someone were able to hack and get all your data from LastPass (since all your data is encrypted and not easily broken).

*Legion* wrote:

So, no, I would not consider it too risky. Just make sure you use a strong master password.

I use the letters from a sentence trick for master passwords - Microsoft doesn't think too highly of my old one or the new one I created after the hack (rating them both "medium"), but really anything more random and I probably won't be able to remember it

Malor, in the LastPass thread wrote:

I'm not too interested in external services to store my passwords

Out of curiosity, what setup do you have for managing passwords?

KeePass + an Android phone with the KeePass app = password security heaven.

I've been using keepass for a few years and like it.

Out of curiosity, what setup do you have for managing passwords?

For routine server logins, I use public keys. For actual root passwords, and web-based stuff that's medium to high security, I use a GPG-encrypted file on a Linux box. If I can't remember, I cut and paste. For stuff I don't care about, I use a little mnemonic system.

I do re-use passwords a little bit among medium-security sites, so that part's slightly weaker than it should otherwise be, but any given password won't expose more than three sites, and most expose only two. It's a compromise between memory capacity and convenience, basically.

My YubiKey has arrived. More to come.

Mysteri0 wrote:

So I've ordered one of the Yubico VIP keys and I'm curious about a couple of things, I can't seem to find any info about switching the VIP access to slot 2 since I'll probably be using the OTP more often than the VIP features and I don't want to have to hold the button for 2.5+ seconds to get there..

This bit I can speak to now.

The VIP credential is "locked" into slot 1. It is not moveable, recoverable, or overwritable. Unlike other credential types YubiKey supports, it is not possible to add a VIP credential to a normal YubiKey - it is set at the time of manufacturing.

Also, I too thought I was going to be annoyed with having my Yubico identity in "slot 2" and having to do the long button press... but now I think it's a complete non-issue.

Yeah mine just arrived today and I setup the Yubico OTP in slot 2 and tied it to my Lastpass account, all in all it was pretty straight forward process, so was linking it with ebay and paypal.

Now I just have to get a keychain for it so I can keep it on me without losing it.. I might keep it in my wallet but I'm not sure if that's a good solution..

Would a password in Dutch or another quaint little language be more secure than one in English? I would think so, at least against dictionary attacks (not brute force ones).

Maybe learn a couple of Spanish words, just to up your security

Hi, I'm dejanzie, and I kill threads with stupid comments.

Question out of interest: why don't they put a limit of say 10.000 consecutive wrong attempts on any login? After 10.000 attempts, your account would be blocked.

This would rule out getting your account blocked because you mistype or try every password you've ever used in your life, as no sane person would ever make that many attempts before giving up.

But it would also block hacking bots for passwords more complicated than Laura6969.

I can't imagine I'm the first to come up with this, so there must be a good reason this hasn't been implemented. Does anyone know why?

dejanzie wrote:

Hi, I'm dejanzie, and I kill threads with stupid comments.

Question out of interest: why don't they put a limit of say 10.000 consecutive wrong attempts on any login? After 10.000 attempts, your account would be blocked.

This would rule out getting your account blocked because you mistype or try every password you've ever used in your life, as no sane person would ever make that many attempts before giving up.

But it would also block hacking bots for passwords more complicated than Laura6969.

I can't imagine I'm the first to come up with this, so there must be a good reason this hasn't been implemented. Does anyone know why?

Some do. And many won't let you submit a new password attempt without a given amount of delay (say 200milliseconds), which vastly ups that amount of time a brute force attack would require.

But one problem you're guarding against is someone hacking a server's database and taking the username and password table (c.f the recent PSN hack). Sure it ought to be encrypted but once you have the table locally you can attempt to brute force it any way you want. Also because many people are stupid and use passwords like "abc123" you can start by sorting the encrypted password hashes and make reasonable guess at what the most common ones might be and then return to the original database and try them out.

dejanzie wrote:

Would a password in Dutch or another quaint little language be more secure than one in English? I would think so, at least against dictionary attacks (not brute force ones).

Maybe learn a couple of Spanish words, just to up your security ;-)

No, because most dictionaries used to brute force passwords will contain multiple languages these days.

*Legion* wrote:
Malor, in the LastPass thread wrote:

I'm not too interested in external services to store my passwords

Out of curiosity, what setup do you have for managing passwords?

I'm mostly with Malor. I think you're a bit loopy entrusting a 3rd party, a distant 3rd party at that, and closed source software to ensure your password security. I'm not confident that the chain between me and the online password store is secure and I and no one else has a way to check. It's certainly convenient but now I'm down the password safe rabbit hole absolute convenience is no longer a guiding principle.

I'm currently using KeepassX as it has builds for win, linux and Mac and I move between all three on a regular/daily basis. I keep all 3 executables and my password db on a USB stick on my keyring and I have it backed up on my home server in case of keyring loss. All my passwords are now as long and as random as they can be and the only passwords I now have memorised are my webmail and password db.

Annoying things I've noitced:
Websites that enforce an 8 or 12 character limit.
Websites that say nothing at all about character limits or which characters are valid and bounce your new passwords when you try to update them
Websites that say nothing at all about character limits or which characters are valid and accept your new password but then bounce your log in attempts requiring a password reset.

DanB wrote:

I'm mostly with Malor. I think you're a bit loopy entrusting a 3rd party, a distant 3rd party at that, and closed source software to ensure your password security. I'm not confident that the chain between me and the online password store is secure and I and no one else has a way to check.

You most certainly can verify what is being sent from your system, and what is being sent is an encrypted blob.

You don't transmit passwords in the clear to LastPass. You don't really transmit passwords at all. You receive your encrypted "vault" from LastPass, which is decrypted locally, altered locally, and then sent as an encrypted blob back to LastPass.

The master password - the key to decrypting the vault - is never transferred to LastPass.

All of that is observable and verifiable by monitoring the traffic from your sysyem. Steve Gibson and other security experts have audited and observed as such.

There's plenty of reason to think about whether using a 3rd party or not is a good idea, but blanket paranoia isn't a very good one.

I really like my ironkey. It's a usb drive with hardware level encryption. Their mid-level offering comes with a password management tool that is similar to KeePass, but I opt to use KeePass that runs solely on the usb drive so that my passwords are portable if I choose not to use my iron key in the future.

To backup the data on the ironkey, I like using an external HDD that is encrypted using TrueCrypt. It's best to keep the drive disconnected when not taking a backup so that should your computer become compromised, the HDD won't be accessible because it's physically disconnected.

To keep secure copies of passwords that would be needed in the event that the ironkey was lost or destroyed (like the truecrypt password), I like password card, which I keep in my wallet and on my iPhone.

Once I got used to this setup, I randomized all of my passwords so that I need to use keepass when I login. It's a little inconvenient, but I deal with it since I won't have problems the next time Sony gets hacked :).

Someone did an analysis on the leaked passwords from the Sony hack.

The findings, in brief:

  • 93% of passwords fell in the 6 to 10 character range. Most were either 6 or 8 characters
  • 50% of passwords had only one character type (in other words, exclusively lowercase, uppercase, or numeric)
  • 1% contained "special" (non-alphanumeric) characters. One. Percent.
  • 36% of the passwords were present in a password dictionary that the author grabbed from somewhere and tried.
  • Because the leak contained logins from multiple Sony sites, the author compared accounts with the same email address on both of the sites he analyzed. 92% of accounts that were on both sites used identical passwords
  • Frankly, it's scary how insanely easy people make a password cracker's job. All a cracker has to do is run a dictionary attack, and run a simple one-character-type-at-a-time brute force of passwords of 6-10 characters in length, and they'll end up with the majority of those passwords before they even start trying.

    *Legion* wrote:

    Frankly, it's scary how insanely easy people make a password cracker's job. All a cracker has to do is run a dictionary attack, and run a simple one-character-type-at-a-time brute force of passwords of 6-10 characters in length, and they'll end up with the majority of those passwords before they even start trying.

    Well it's not like sites enforce 12 character, mixed character, non-dictionary passwords. It's pretty openly understood knowledge that people don't choose secure passwords unless you make them do so. When you know this, then if you implement a system that requires a password then it's on your head to enforce some good password practices. You need to make it easy for people to pick secure passwords or provide some other layer of security like the Banks have with CAP. People aren't stupid but they are overwhelmed by the number of passwords they need to maintain and take the path of least resistance.

    My girlfriend is a prime example. She uses the same password for EVERYTHING and it's not even a good password. It infuriates me. But she's not stupid she simply doesn't care if most sites she uses got hacked. I am going to sit down and sort out lastpass for her at some point before it drives me up the wall though.

    DanB wrote:

    My girlfriend is a prime example. She uses the same password for EVERYTHING and it's not even a good password. It infuriates me. But she's not stupid she simply doesn't care if most sites she uses got hacked. I am going to sit down and sort out lastpass for her at some point before it drives me up the wall though.

    History is replete with these types of decisions. When someone cracks her password and does some pretty bad things, that might be the lesson that needs learning.

    "I don't care if foam falls off the tank. It's not like it could make a hole in the shuttle."
    "I don't care about those ice-burgs. This ship is unsinkable!"
    "I don't care about those savages. We have guns."
    "I don't care if we tax the colonists more. What are they going to do?"
    "Thog not care if big cat coming. It just stupid cat."

    I've written up my first blog post about the YubiKey.

    Still have more playing with them to do, but off to a decent enough start.

    Hey Legion, have you come across what seems to be a bug with the LastPass/Yubikey integration?

    I've got some tabs in firefox that are Pinned App tabs that are password protected sites. When I re-launch Firefox it wants me to enter the passwords before it asks me for my LastPass info.. If I hit cancel it'll ask me for my Yubikey authentication instead of asking me for my LastPass password first and if I authenticate with the Yubikey it doesn't even ask for my master password.. Have you seen this or is it just something weird on my setup?

    IMAGE(http://imgs.xkcd.com/comics/password_strength.png)

    It won't take 550 years to crack the second one with a dictionary attack.

    Password crackers like John the Ripper have the option to combine dictionary words together with spaces to attack passphrase-style passwords like this.

    It doesn't really matter how good your password is. I've never told anyone my password and no one's ever guessed it, yet I've still had to change all of my passwords a handful of times because giant corporations can't say the same thing.

    It really sucks when a corporation (or a group of script kiddies) blow a good password, because it was working fine and the moment you have to memorize a second iteration or passphrase, you've added a degree of uncertainty. "correcthorsebatterystaple" is all well and good, until you have two or three other phrases you might have used. Or maybe that particular website requires at least one number in your password, so now you're looking at four or six, which is more than enough to get you locked out of some sites as a security measure.