The Prevailing winds of the Lastpass Breach — How it affects you!


Photo by mohamed_hassan from PxHere

Understanding the Lastpass Breach

Let us be clear about this: people really don’t understand what is going on with this breach. That will not stop the threat actors from taking control of your data if they get a chance. This means they will go after the websites you visit or maybe impersonate you in some way to get the access they are seeking. Either way, it isn’t like we can just sit back and do nothing.

“It is possible to crack those passwords,” Melissa Bischoping, director of endpoint security research at Tanium, said via email. “Instead of running the math to determine how complex your password would be to crack with modern equipment, it’s best to go ahead and do some credential hygiene.” — CyberSecurity Dive

Credential hygiene is necessary in our day to day routines because it helps stop theft of our accounts and our personal information. However, that doesn’t mean the metadata associated with your vault was encrypted; in fact it wasn’t, and it can be used to exploit this issue. So even if they don’t brute force your password vaults, they can use phishing or other means to get the access they are seeking, so they can get even more information about you to use against you.

The Lingering effects of Password Managers

Password managers are a necessity in today’s time because of the all too common breaches. Even if LastPass hadn’t been breached, some other site or sites would have been breached and you’d still have to change your password or add multi-factor authentication to prevent any unauthorized access. This goes without saying: we will see other breaches and it will not just be LastPass. Sooner or later some other password manager will be a target and we will see this again, but that shouldn’t deter you from using a password manager. It is the one tool we will always need to create even better passwords than we could by ourselves. Although many in the security field are advising users to go to another password manager, I too have not liked the taste of what LastPass has done. The way they made it sound less important than it truly is might just be because their lawyers got involved. Either way, I will suggest three things to better help you even if you keep LastPass.

  1. Check your iterations and make sure you have them high. I think the minimum we should have is over 500,000 iterations to make sure they can’t be hacked the next time as easily. Also, if they are low, now is a good time to bump them up even though it makes you more of a target right now. This will help in the future, in case there is another breach.
  2. Change all your important sites’ passwords. Don’t just wait to get hacked; you might as well go through and see which sites you are truly using right now, go ahead and change your password, and if you can, add an authentication method to help protect you in case there is another hack down the road.
  3. Create a new master password which isn’t anywhere close to what you have now. If you can create your own acronym with a minimum of 12 characters, that would help. (What is an acronym?) I suggest not using the most common acronyms but creating one that only you can remember, and use that. It may take some time, but it could be something you have to say every time you type it in on your computer; just don’t let everyone else hear it.
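The iteration count in step 1 is the cost every guess pays, the attacker’s guesses included. This is an added example, not code from the post or from LastPass; it assumes the vault key is derived with PBKDF2-HMAC-SHA256 over the master password and a per-user salt, and the attacker hash rate it uses is a constructed figure.

```python
import hashlib
import time

# Constructed sample values; not from any real account.
MASTER_PASSWORD = "correct horse battery staple"
USER_SALT = b"user@example.com"  # assumption: a per-user salt such as the account email


def derive_vault_key(password: str, salt: bytes, iterations: int) -> bytes:
    """Derive a 256-bit vault key with PBKDF2-HMAC-SHA256 (assumed derivation).
    `iterations` is the setting the post tells you to check and raise."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def seconds_per_guess(iterations: int) -> float:
    """Wall-clock cost of one derivation on this machine: the price of a single guess."""
    start = time.perf_counter()
    derive_vault_key("not the real password", USER_SALT, iterations)
    return time.perf_counter() - start


def cost_multiplier(old_iterations: int, new_iterations: int) -> float:
    """PBKDF2 work is linear in the count, so this is how much more each guess costs after raising it."""
    return new_iterations / old_iterations


def seconds_to_exhaust(charset_size: int, length: int, iterations: int, hmac_per_second: float) -> float:
    """Worst-case time to try every password of `length` characters drawn from `charset_size`
    symbols, for an attacker whose hardware computes `hmac_per_second` HMAC-SHA256 calls per
    second (constructed figure). Each PBKDF2 guess costs `iterations` HMAC calls."""
    return (charset_size ** length) * iterations / hmac_per_second


if __name__ == "__main__":
    for n in (5_000, 100_000, 500_000):
        print(f"{n:>8} iterations: {seconds_per_guess(n) * 1000:.1f} ms per guess here")
    rate = 1e10  # constructed: HMAC-SHA256 calls per second for a GPU cracking rig
    year = 365 * 24 * 3600
    for n in (5_000, 500_000):
        # 12 characters from the 95 printable ASCII symbols, as in step 3 of the post
        print(f"{n:>8} iterations: {seconds_to_exhaust(95, 12, n, rate) / year:.2e} years to exhaust")
```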

Those Password Managers

Finally, let’s talk about your choices in this matter. Even though I talked about this in the previous post, we should at least look at the options for those who might want to go to another service. Here are a few of them that I saw around the internet:

  • Bitwarden — This is the one I prefer to go to because it is open source and you have several options to choose from. It is where a lot of people are going right now after the LastPass breach, I am sure of it.
  • 1Password — This one I only know about through what I’ve heard. I’ve heard good things about it, but there are not many options for those who want something free. This is good because they’ve been in this for quite some time. I’ve heard of this company for MANY years and they still have some great value to give to their users.
  • Dashlane — I’ve never heard of this product, but it comes highly recommended by others because of how security focused they are. You will have to pay a yearly subscription fee and there is only a demo version, which means there is no free version.
  • Roboform — I’ve talked about Roboform way in the past, and it was a very useful password manager when I was using them 10 or so years ago. So they must at least be doing something right to still be in the business. I haven’t explored them lately, but I might just do that again to see how they are doing.

As you can see, you have several choices if you decide you want to get away from LastPass, but ultimately you will have to decide what you want to do. I am still going to possibly go to Bitwarden because of the open source, or I might go back to Roboform if I can find the license that I had with them in the past. I haven’t really decided; I think Bitwarden would be my best choice because I know people can look at their code and help keep my passwords secure. Are you planning on changing or staying with LastPass? Who will you be going to if you are going to change password managers? Why not leave a comment and tell me your options. I’d love to hear them and find out exactly what you are thinking about this LastPass breach.

Is it time to say NO to LastPass?

Lastpass Recent Incident

LastPass in the recent past has been an excellent password manager and I was one of the many supporters. The problem with it now is that it is going downhill. They seem to not want everyone to know just how severe this incident is and have not really done the job that we should have expected. In December they sent out a small notice to people and referenced their blog post. Who is going to go look at a blog post around Christmas? I sure as heck was too busy with other stuff to worry about a small email telling people to check out the blog post. LastPass, you should have done better and put out the warning bells for everyone to know just how much you screwed up.

In their blog post:

The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.

Vault and Robbers

You see, this isn’t very nice, how much information they didn’t send out in the email. This should have been a “Danger, Will Robinson, Danger!” type of warning. Yet LastPass didn’t sound the alarm. Shame on you for not doing the right thing. As you can see, they got your vault data and mine. Although they can’t really use it without the master password, it is only going to take time, and then they will have all our passwords for sites across the internet. There’s the problem: they don’t seem to care that it got out. The threat actors will use GPUs and other hardware to finally figure out passwords one user at a time, and it could be years before they get to yours or it could be next month, depending on how good your master password was. Was it long or was it short? What about iterations? Did you bump them up to keep it from getting hacked and make it harder for them to figure out your master password?

The threat actor may attempt to use brute force to guess your master password and decrypt the copies of vault data they took. Because of the hashing and encryption methods we use to protect our customers, it would be extremely difficult to attempt to brute force guess master passwords for those customers who follow our password best practices.

As you can see, even LastPass has stated they will eventually do that to each and every vault password they can, but did you follow their suggestions? Probably not, and I wouldn’t blame you, because we don’t always have time to keep track of what they recommend.

They claim it could take thousands of years for threat actors to crack the master password:

If you use the default settings above, it would take millions of years to guess your master password using generally-available password-cracking technology.

However, that isn’t always true. If they have enough computers and put enough effort into cracking a vault, it could be sooner and not later. The way technology is growing and the speeds of computers now would mean threat actors could start usurping people’s processing power and have thousands of computers worldwide to crack the master password keys. That is how Bitcoin came into being, but we wouldn’t know it until it could be too late.

Is it time to switch to another Password Manager?

I’m inclined to switch to Bitwarden just because it is open source and I really feel like at least I won’t have to worry about my passwords being leaked. I will also probably go through every site that I visit and change my password and also use 2FA (2nd factor authentication) to prevent threat actors from taking control of my accounts. I’m going to explore my options, but I am more and more thinking about going somewhere else where my data can be safer than with LastPass. What are your thoughts on this? Are you staying with LastPass or are you planning to go somewhere else?

How much is your identity really worth to you?

Identity is Everything!

I’ve been talking about security and you my whole life, but it seems it might have happened to me. I am sending off my information by snail mail to Equifax to get my mail version of the credit report!

If it wasn’t for LastPass and the free credit monitoring that you get with your $12 a month subscription to their LastPass Mobile service, I wouldn’t have been alerted as early as I was. I was alerted earlier than I ever thought possible, almost as soon as it hit the credit monitoring services. I am so glad I took the option of having them monitor my credit report for me. It reminded me through pop-ups and push notifications on my phone and tablet.

Identity theft and you!

It can happen to anyone and at any time. I found out that I might be a victim and I put a credit reporting freeze on my account at Equifax, Experian, and TransUnion. It only cost me $15 for all three credit bureaus to prevent it from going any further than that! I also went with LifeLock (affiliate link) to help protect my identity for $10 a month. Currently I am going to offer people a 30-Day Free Trial + 15% Off 6 Months LifeLock Service with code SHAREASALE15S30 (affiliate link) to encourage you to keep your identity safe.

I will be talking more in depth on what to do if your identity is stolen, but first I have to fix the problems I have and see if I can make it even better for myself. This post will not be long, but the ones that come after will be more in depth on how to avoid this misfortune for yourself!

How password security will change in 10 years!

Passwords are going out the Window!

We’ve seen in the past where people have used such words as ninja, jesus, 12345678, and password! I’ve talked about LastPass in the past and I really believe they are the best possible combination of the two. With the recent questions of password length and password strength, I have come to the conclusion that in the coming years people will be doing 3 factor authentication and having the passwords as a backup. It really would be nice to have two ways to authenticate and not have to put in a password.

3 factor authentication!

Three factor authentication is a simple concept. Since we have a password, we can simply use two other ways to authenticate, for example a cell phone and maybe a YubiKey. The password will be the backup for one or the other. If you lost your phone and still needed to authenticate, your password would be one you can use in an emergency. Thus it really becomes a 2 factor authentication, but since we could use all three to authenticate it would make it that much harder for a hacker to brute force an attack and get your sensitive data.

2 factor authentication!

Although most people don’t think of this, having a limited number of possible ways to access the important data can make it just that much harder and maybe get the hacker to go somewhere else. What about social networks? Do we really need that for social? I am thinking maybe, and it just depends on how you log in in the first place. I would love most of them to maybe let me authenticate with Google and come back to them, but that leaves a large hole. It just depends on how valuable your social status is and what the possible outcome is of someone getting hold of that social network.

Elite passwords!

Some would call it “leet” speak, and I’ve heard people say this is something we should do in regards to making a password. I tell you now, we already have a list of the 2,000 most common passwords and I am betting it has some really good leet passwords already. So what makes a hacker not try those to hack your account? I would think these would be tried right after the primary list, just because this would also be the easiest way to gain access to an account.

In Ten years!

I am pretty confident in ten years we will see something like this happen and we will no longer be depending on a system that was developed in the late 1990s. We have to be ready for change and keep it. I just hope it happens sooner rather than later and that most companies jump aboard and help us get this implemented. I don’t know how hard this will be, but it will be nice to not have to worry about a password anymore with my bank or other financial institution.

Paul Sylvester

Playing around with Google Authenticator and the 2 step process!

Yubico Yubi key neo

2 Factor Authentication and You!

When I started this experiment looking to enhance my security, I was thinking about a YubiKey, but it isn’t like I have the 25 dollars for it. I do suggest it to anyone who might not have any other options available to them. It works really well from what I have been told with LastPass, and I wanted something that would do just that.

It isn’t like I have a lot of money to throw around!

So I went to the LastPass security settings to see if there was something else, and that is when I found the Google Authenticator tab!

Google Authenticator?

Well, it looks like Google came up with a way to have two factor authentication available for you when you log in to sites where you may want more than one way to protect your identity or privacy! So even though I could protect my privacy by having a one time password, it isn’t going to be the easiest way to keep my security safe.

I installed Google Authenticator on my Kyocera Rise and it is working really well. I will have to do even more figuring out of this little app, but I am wondering how hard it would be to change to another phone when the time comes and how hard it is to get it installed.

I’ve printed up a few one time passwords and they are safely hidden away for those times I might need them because something happened.

My next step is to find out which, if any, social media sites are two factor compliant and which ones I would want to have this available for. I am hopeful that Facebook will have this to help keep my identity safe and keep people from gaining access to stuff they shouldn’t have.

LastPass plus Google Authenticator equals AWESOME. Even though this is just the beginning of my journey into exploring this, I will do another blog post about it later on when I have explored it in greater detail and discuss the benefits and drawbacks, but for right now I am more secure than I was and I am happy!

Paul Sylvester