Posted on March 20, 2014

Over the last year security breaches of various kinds have made millions of logins and passwords available to virtually anyone that is interested. The recent Adobe software breach alone released roughly 38 million logins and passwords onto the open internet.

We know that this kind of information leaked onto the net causes damage, but we can also learn a great deal about protecting ourselves by looking at the studies of this kind of data. At 2bridges Technologies we review these studies to find information that assists us in protecting our clients.

In this article we want to focus on one of the most important take-aways from several of these recent password studies.

To set the background I am going to list the ten most used passwords compiled from the Adobe breach. If you want to review one of the sources of this data, visit PCWorld at

It is important to remember these are real passwords used by real people.

The list is ordered by the number of people that used each password, high to low. My understanding is that only about 32 million of the passwords were actually used in this study (meaning that these are the ones that were cracked I would think). The password is on the left and the number of people using that password is on the right.

Rank  Password     Number of users
  1.  123456             1,911,938
  2.  123456789            446,162
  3.  password             345,834
  4.  adobe123             211,659
  5.  12345678             201,580
  6.  qwerty               130,832
  7.  1234567              124,253
  8.  111111               113,884
  9.  photoshop             83,411
 10.  123123                82,694

All of these passwords are trivial to ‘crack’: they are simple, short and present in any password dictionary. And the odds are good that they are being used by the same person in multiple locations, not just at the Adobe site. This is the road to password perdition.

I know you’ve heard it a dozen times, but long, pseudo-random passwords with as much cryptographic entropy as possible are the only secure way to go. In tests done at 2bridges our technicians determined that with not very specialized equipment, i.e., a computer with a reasonably fast processor, a reasonable amount of RAM and a couple of high-end graphics cards, passwords of up to eight characters could be ‘cracked’ in about five minutes.

So how do you get “cryptographic entropy” (a fancy way of saying “mixed up with no pattern”)? When we log into a web site we can choose from different types/sets of characters to use in our password. Those character types are: the upper case alphabet A-Z, lower case a-z, the numbers 0-9 and special characters like “:;<>-=~!@#$%^&*()_+{}|\/?.,`”. These (including the space) are called printable ASCII characters. Using some of each of these character types in your password is how you add entropy. The more entropy the better. And there should be at least twelve characters in that mix; again, the more the better.
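To make those rules concrete, here is an added example (not from the article or from 2bridges) that scores a candidate password the way the paragraph above describes: which character classes it uses, an optimistic entropy estimate of length times log2(pool size), and a check against the ten Adobe passwords listed earlier. The four character classes and the twelve-character minimum come from the article; using Python's string.punctuation as the symbol set is an assumption that slightly extends the article's own list of symbols.

```python
import math
import string

# The ten most used passwords from the Adobe breach, as listed in the article.
COMMON_PASSWORDS = {
    "123456", "123456789", "password", "adobe123", "12345678",
    "qwerty", "1234567", "111111", "photoshop", "123123",
}

# The four character classes the article describes, plus the space.
# string.punctuation is assumed as the symbol set; it includes every symbol
# in the article's list and a few more (quotes and square brackets).
CHARACTER_CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation + " "),
}

MIN_LENGTH = 12  # the article's "at least twelve characters"


def classes_used(password):
    """Return the names of the character classes that appear in password."""
    return {name for name, chars in CHARACTER_CLASSES.items()
            if any(c in chars for c in password)}


def entropy_bits(password):
    """Optimistic entropy estimate in bits: treat every position as drawn
    uniformly from the pool of classes actually used, i.e. len * log2(pool).
    A dictionary word scores far lower in reality, which is why
    check_password also consults COMMON_PASSWORDS."""
    pool = sum(len(CHARACTER_CLASSES[name]) for name in classes_used(password))
    return len(password) * math.log2(pool) if pool else 0.0


def check_password(password):
    """Apply the article's rules; return a list of problems (empty if it passes)."""
    problems = []
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the Adobe top-10 list")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    missing = set(CHARACTER_CLASSES) - classes_used(password)
    if missing:
        problems.append("missing character classes: " + ", ".join(sorted(missing)))
    return problems


if __name__ == "__main__":
    print(check_password("Photoshop"), round(entropy_bits("aB3!aB3!aB3!"), 1))
```

Note that the entropy figure is only an upper bound for a truly random string of that make-up; "Photoshop" uses two classes yet fails outright because it is a dictionary entry.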

So a long ‘randomized’ collection of letters, numbers and symbols. Wow. Some of the guys here at 2bridges can remember those types of things but I can’t. I’ve always thought that there is only so much room up there for storage and I don’t want to have to forget fun things in order to remember a bunch of random login stuff.

One other catch is that we don’t want to use just one randomly built password, we need to use a different password for each place we go. Not possible in my world since I have to log into hundreds of different forums, financial institutions, vendors, and other websites on a pretty regular basis. If I had to memorize all that I would probably have to forget my own birthday to make room.

I know that down the road there will be ‘no password required’ solutions for authentication and authorization on the internet but I am not sure exactly how far down the road that is. And we need something that will work now, not next year.

Using a password management package is the best solution for resolving this problem in a way that lets us have safe, long and unique (by site) passwords, without having to carry our desk around with us. Many people end up using password tools built into browsers, but even the ones that are protected by a password are not really secure. Luckily there are a number of good password management tools available to choose from for whatever OS or device you use.

At 2bridges Technologies we have found that one of the most secure, easiest to use, and most widely available packages for the OS of your choice is called LastPass. Their website is located at The software is free as an extension for your browser of choice on your desktop, and if you want it available on your phones and tablets it is available for $12 per year (Windows tablets are free).

Though I consider security to be the primary reason I started using LastPass, what keeps me enjoying it is the fact that it makes my life easier every day and saves me time and frustration. Plus I sleep a little better at night.

LastPass works with Windows, Windows RT, MacOS, Linux, Android and iOS. There are browser extensions for Firefox, Chrome, Opera, Safari, Dolphin, and Internet Explorer. It doesn’t just manage your passwords either. Built in are tools to import all of your browser-stored passwords, test for weak or duplicate passwords, generate good long passwords for you while recording your login information, and store form-filling information, plus a feature that I use a lot called ‘secure notes’.

The secure notes feature offers templates for many different types of items you might want to have secure access to, like health insurance info, driver’s license, bank accounts, server logins, wifi passwords, and many more, as well as a ‘general purpose’ form that I use for all sorts of crazy stuff (like my wife’s birthday).

The web sites you log into can also be organized into groups that make sense to you, which will make them easy to find (there is a search feature too). Some people use their LastPass vault as their ‘homepage’ giving them quick access to an organized list of sites they visit. Just click and you open the web page and login securely.

The one password you will *have* to remember is your password for logging into your LastPass app because LastPass itself is designed around a security concept coined by Steve Gibson called “TNO”, trust no one. This simply means that LastPass never has unencrypted access to your password or password data and no one else will have unencrypted access either. Only you. This is a good thing, especially these days.

If you have any questions or are interested in talking about or taking a look at how we use LastPass give us a call at (253) 292-9989 or stop by. We love to help.

And remember that even though January 31st, 2014 was “National Change Your Password Day” it’s not too late to do it now.


