Password Security Catch-All Thread [2015-06-16: Update your LastPass master password]

It was so good, I posted it to Metafilter. Forgot to link it here.

I saw Malor's post on Metafilter and read the article. It was fascinating, but it took me a little research to get a satisfying answer on how rainbow tables work. The article was a little sparse in that regard.

It did make me really glad that I started using a password manager a few months back and emphasized the need to finish reassigning more random passwords to some of my lesser used accounts.

Small follow-up on the Ars article: apparently they found a way to decrypt the Windows 7 and Windows 8 password hints. This could be used for remote access (you don't need access to the physical computer).

Right, the biggest takeaway from that article is this: if you have a system, ANY system, for mentally generating passwords with some kind of rule, you're probably vulnerable. Hackers used to try random passwords that they thought might work, based on dictionary words and numbers and such. But nowadays, they have enormous databases of passwords that have actually been used. So they can do massive number crunches, looking for patterns, and then replicate those patterns with different words and sites, narrowing the brute-force search space by many orders of magnitude.

If you have a system, chances are pretty darn unlikely that you're the only one using it. People out there are almost certainly using a similar pattern to the one you use, and the bad guys now have tens (hundreds) of millions of actual passwords for data mining. They are, in essence, hacking your brain, discovering patterns that you may not be aware of at all. We're extremely good at finding patterns; it's one of our best cognitive skills. And they're deploying absolutely massive computing power, looking for common patterns in human brains.

The only true defense against pattern-finding algorithms is randomness. Whatever system you're using, it makes you vulnerable. You need separate, truly random, 10-character passwords for each site you visit. The length stops the brute-force attacks from working, and the randomness stops the pattern attacks.

Presumably, you will not be able to remember all those passwords, so this implies that you're going to need mechanical assistance of some kind. Whatever method you use, be it local or in the cloud, make sure that your keystore password is stronger than any other password you have.

If you don't trust programs, and want to do it yourself, one possible solution we talked about in the MeFi thread is to write down the passwords for all your sites, in plain text, 10 random characters each. And then memorize a 10-character, truly random password that you use as either a prefix or a suffix to the one you wrote down. You MUST remember your prefix password. You can write it down briefly to learn it, but you need to carefully destroy the paper as soon as you have it correctly.

This way, if your password store ever falls into enemy hands, they won't easily be able to use it against you. Starting from nothing at all, without your paper, they'd have to decrypt two separate 20-character random passwords, from two separate sites, to determine that you had the prefix. As long as the sites are hashing passwords, even with a weak hash, this is basically never going to happen. If bad guys get your password list, then they need to crack a 10-character random prefix, which is much too hard, even for the giant server farms they can deploy using services like Amazon EC2.

However, this still does not protect you against keyloggers. If someone can intercept the actual password bitstream between you and the destination, then you'll lose that site at least. If they get two passwords, then all your passwords are now only 10 characters long, which is still too hard to brute-force, but the subsequent loss of your password list will compromise you completely.

Something like KeepPass is a LOT easier, if you feel you can trust them.

My TLDR: You're always vulnerable, just to varying degrees which you have some control over.

I strategically left the article open on the iPad for my wife. She said she made it to halfway through the third page, so I suppose I have to give her credit for that—even though the takeaway is at the end of page four!

Still, goal for this weekend: set her up on LastPass, no excuses. Her reticence stems from believing a) it's hard work (it is, but only initially); b) no one would want to hack her (anyone would, for all sorts of reasons); and c) she doesn't do much online that's sensitive anyway (except her banking).

I can't blame her for having those beliefs, I'm sure 99.98% of all Internet users share them. But she reuses short dictionary words for passwords. And that sh*t has to stop.

Gravey wrote:

I strategically left the article open on the iPad for my wife. She said she made it to halfway through the third page, so I suppose I have to give her credit for that—even though the takeaway is at the end of page four!

Still, goal for this weekend: set her up on LastPass, no excuses. Her reticence stems from believing a) it's hard work (it is, but only initially); b) no one would want to hack her (anyone would, for all sorts of reasons); and c) she doesn't do much online that's sensitive anyway (except her banking).

I can't blame her for having those beliefs, I'm sure 99.98% of all Internet users share them. But she reuses short dictionary words for passwords. And that sh*t has to stop.

Yeah I basically niggle my partner over and over until she accepted moving to last pass. She had almost all the same objections

Also, don't use LastPass's "Remember password" option. For some reason, I'd checked it on my laptop, while entering the password manually on my desktop.

For the last three weeks, my desktop (and the note I wrote the password on) has been in storage on the other side of the country, and going that long without typing a password I'd only created about a month before that was enough time for me to start forgetting it.

And then the laptop (sensibly) started asking for it again, and the link LastPass sent me for account recovery doesn't work on the laptop in any browser.

Learn from my mistake, and don't ever lose your master password!

Thread newbie here:

I just got LastPass. Premium subbed. The next thing I should do is systematically go through and change every single one of my passwords from what I have now (generated by me, at whatever time I signed up for the site) to a LastPass generated password, right?

Yep. Start with the big ones you use often, and the ones that would cripple you if compromised, like your email. It's not fun, but definitely worth it.

MrDeVil909 wrote:

Yep. Start with the big ones you use often, and the ones that would cripple you if compromised, like your email. It's not fun, but definitely worth it.

This. Changing your email passwords is first priority, because email is the gateway to all the rest of your accounts.

Hit all the biggies right away, then start changing the lower priority stuff as you visit each site.

Later, you can run LastPass's "security challenge" and it will enumerate all the sites where you have weak and repeated passwords, and you can run through them real quick to change them up.

misplacedbravado wrote:

Learn from my mistake, and don't ever lose your master password! :)

Put it on a USB stick, or a piece of paper, and put it in a bank deposit box. Or somewhere similar where you securely store documents.

So it looks like the passwords you allow Chrome to save for you can be viewed in plaintext

just one more reason to use keepass or lastpass. Check what passwords it is storing here: chrome://settings/passwords

Chairman_Mao wrote:

So it looks like the passwords you allow Chrome to save for you can be viewed in plaintext

just one more reason to use keepass or lastpass. Check what passwords it is storing here: chrome://settings/passwords

Thanks for the heads-up. I deleted all saved Chrome passwords.

dejanzie wrote:
Chairman_Mao wrote:

So it looks like the passwords you allow Chrome to save for you can be viewed in plaintext

just one more reason to use keepass or lastpass. Check what passwords it is storing here: chrome://settings/passwords

Thanks for the heads-up. I deleted all saved Chrome passwords.

Chrome security head Justin Schuh doesn't instill me with confidence with his responses. I don't understand all the specifics, but it's mostly his tone that rubs me the wrong way (mostly irrelevant since I don't use Chrome anyway):

https://news.ycombinator.com/item?id...

The response is very engineer-like: someone can compromise your passwords if they have access to your computer, therefore, making passwords trivial to expose does not actually add to the security risk.

This fails to recognize the threat from the 95%+ of the population who can easily click to reveal Chrome passwords, but would have no idea how to retrieve them from storage on the computer.

This is where it gets unfortunate that "no security by obscurity" has become an axiom. Because, yes, it's true that hiding passwords from the Chrome UI does not increase absolute security. But removing the "easy button" reveal of passwords does very much increase "security" in that it would foil plenty of cases of accidental password leakage. For many people, the change would prevent their nosy cousin from being able to root around their passwords, and that is a win.

Here's a question for anyone in general, on your personal computer that only your household has access to, how does your password manager operate? Right now, for me, it automatically is always logged in whenever I open my browser and many site automatically log in for me. So essentially if anyone sits down to my computer, they doen't even have to worry about figuring out any log-in info. This is obviously a bad idea with a growing child in the house.

I hadn't checked any options in lastpass until just now, but it seems there is a auto log-out function, and I guess I should be using that. Any other tips on usage in this regard?

Google continues to make my breakup with them easier and easier.

Time to throttle chrome like Homer throttles Bart...

mrtomaytohead wrote:

Here's a question for anyone in general, on your personal computer that only your household has access to, how does your password manager operate? Right now, for me, it automatically is always logged in whenever I open my browser and many site automatically log in for me. So essentially if anyone sits down to my computer, they doen't even have to worry about figuring out any log-in info. This is obviously a bad idea with a growing child in the house.

I hadn't checked any options in lastpass until just now, but it seems there is a auto log-out function, and I guess I should be using that. Any other tips on usage in this regard?

I set my LastPass auto-logout timer to about 500 minutes (after the browser is closed), which in practice means I have to login once per day as my browser never closes while the computer is on.

You have to set this timer for every computer though.

Firefox does the same thing as chrome, cleartext passwords w/o an authentication check.

I lock my machine when I not in use and really only RDP to it from my wife's machine, laptop or tablet (it is in the garage). So while I keep KeePass open the machine is locked. If it were cheaper I'd give out smartcards for my family to log in with.

Eezy_Bordone wrote:

Firefox does the same thing as chrome, cleartext passwords w/o an authentication check.

I lock my machine when I not in use and really only RDP to it from my wife's machine, laptop or tablet (it is in the garage). So while I keep KeePass open the machine is locked. If it were cheaper I'd give out smartcards for my family to log in with.

Like the article says, turn on the master password for Firefox.

This is pretty cool: Microsoft has a tool that tries to guess the next letter of your password as you type it.
I might need to reconsider some of mine....

https://telepathwords.research.micro...

Typing sensitive passwords into a website that's not under your control is always such a great idea.

The answer to the question, "Is my password secure?" should always come back as, "not anymore!"

Malor wrote:

Typing sensitive passwords into a website that's not under your control is always such a great idea.

The answer to the question, "Is my password secure?" should always come back as, "not anymore!"

I didn't try any important ones

Well, it IS Microsoft, so it's *probably* safe, but they should make the tool available offline.

I am glad that I switched to LastPass. It made the KickStarter breach less of a worry.

My worry now is what happens if LastPass goes out of business? Will they give me time to export my passwords?

Greg wrote:

I am glad that I switched to LastPass. It made the KickStarter breach less of a worry.

My worry now is what happens if LastPass goes out of business? Will they give me time to export my passwords?

Offline access to your LastPass vault

TL;DR: if LastPass disappeared tomorrow, you could still log in "offline" on any device you've accessed your Vault on previously, and interact with the Vault.

This is because the *only* thing the LastPass remote service is for is syncing your encrypted Vault. All interaction with your vault happens client-side.

Kinda like Dropbox. If Dropbox disappeared tomorrow, you'd still have your local copies of everything.

Apparently there are flaws in every big Password Manager. (Ars article)

article wrote:

The researchers examined LastPass and four other Web-based managers and found critical defects in all of them. The worst of the bugs allowed an attacker to remotely siphon plaintext passcodes out of users' wallets with no outward sign that anything was amiss. LastPass and three of the four other developers have since fixed the flaws, but the findings should serve as a wakeup call. If academic researchers from the University of Berkeley can devise these sorts of crippling attacks, so too can crooks who regularly case people's online bank accounts and other digital assets.

Any thoughts by the more tech-savvy goodjers here? Should I refresh my master password every other month, or should I reset every single password in my database occasionally?

dejanzie wrote:

Should I refresh my master password every other month, or should I reset every single password in my database occasionally?

Both. Don't get complacent and think that just because your passwords are random and locked up in a password manager they're safe in perpetuity. Password managers make changing passwords trivial (no need to do everything at once, but do one every once in a while), and changing passwords is just good practice anyway.

dejanzie wrote:

Apparently there are flaws in every big Password Manager. (Ars article)

article wrote:

The researchers examined LastPass and four other Web-based managers and found critical defects in all of them. The worst of the bugs allowed an attacker to remotely siphon plaintext passcodes out of users' wallets with no outward sign that anything was amiss. LastPass and three of the four other developers have since fixed the flaws, but the findings should serve as a wakeup call. If academic researchers from the University of Berkeley can devise these sorts of crippling attacks, so too can crooks who regularly case people's online bank accounts and other digital assets.

Any thoughts by the more tech-savvy goodjers here? Should I refresh my master password every other month, or should I reset every single password in my database occasionally?

Finally my wild paranoia is paying off