This Time Self-Hosted

LastPass got hacked, I’m still okay with it

So LastPass was compromised, and they reported it. I’m sure there are plenty of smug geeks out there, happy about users being compromised. I thought this is the right time to remind people why I’m a LastPass user and will stay a LastPass user even after this.

The first part is a matter of trust in the technology. If I did not trust that LastPass has no easy access to the decrypted content, I wouldn’t be using it to begin with. Since my security does not rest on trusting the LastPass operators themselves, even if the encrypted vault had been compromised (and they say it wasn’t), I wouldn’t be worrying too much.

On the other hand, I followed the obvious course of not only changing the master password, but also changing the important passwords, just to be paranoid. This is actually one good side of LastPass: changing the passwords that really matter is very easy, as they instrument the browser, so Facebook, Twitter, Amazon, PayPal, … are one click away from a new, strong password.

Once again, the main reason why I suggest tools such as LastPass (and I like LastPass, but that’s just preference) is that they are easy to use, and easy to use means people will use them. Making tools that are perfectly secure in theory but very hard to use just means people will not use them, full stop. A client-side certificate is much more secure than a password, but at the same time procuring one and using it properly is non-trivial, so in my experience only a handful of services use that: I know of a couple of banks in Italy, and of course StartSSL and similar providers.

The problem with offline services is that, for the most part, they don’t allow good access from phones, for instance. So you end up choosing memorable passwords for things you use often from the phone. But memorable passwords are usually fairly easy to crack, unless you use known methods and long passwords; although at least it’s not the case, as I read on Arse^H recently, that since we know the md5 hash for “mom”, any password with that string anywhere in it is weakened.

Let’s take an example away from the password vaults. In Ireland (and I assume the UK, simply because the local systems are essentially the same in many aspects), banks have this bollocks idea that it is more secure to ask for some of the characters of a password rather than the full password. I think this is a remnant of old bank teller protocols, as I remember reading about that in The Art of Deception (good read, by the way.)

While in theory picking a random part of the password means a phishing attempt would never get the full password, and thus won’t be able to access the bank’s website unless they are very lucky and get exactly the same three indexes over and over, it is a frustrating experience.

My first bank, AIB, used a five-digit PIN, and then asked for three digits out of it when I log in, which is not really too difficult to memorize. On the other hand, on their mobile app they decided that the right way to enter the numbers is by using drop-down boxes (sigh.) My current bank, Ulster Bank/RBS, uses a four-digit PIN plus a variable-length password, which I generated through LastPass as 20 characters, before realizing how bad that is, because it means I now get asked three random digits off the four… and three random characters of the 20.

Let that sink in a moment: they’ll ask me for the second, fifth and sixteenth character of a twenty-character randomly generated password. So no auto-fill, no copy-paste, no password-manager-assisted login. Of course most people here would just not bother and go with a simple password they can remember. Probably made of multiple words of the same length (four letters? five?) so that it becomes easy to count which one is the first character of the fourth word (sixteenth character of the password.) Is it any more secure?
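To put numbers on the partial-password scheme described above, here is an added example (not code from the original post or from any bank or LastPass): a helper that answers a “give me characters 2, 5 and 16” prompt from a stored password without retyping it, the count of distinct prompts a bank can issue (the “same three indexes” point), and the expected number of observed logins before every position of the password has been asked at least once, which is the figure that decides how much protection the scheme really buys against someone who sees a login. The sample password and the 20/3 and 4/3 parameters are constructed from the post; the function names are my own.

```python
"""Added example: quantifying "k random characters out of an n-character
password" login prompts. Not part of the original post."""
from fractions import Fraction
from math import comb


def characters_at_positions(secret: str, positions: list[int]) -> str:
    """Return the characters of `secret` at the given 1-based positions,
    in the order the prompt asks for them (e.g. 2nd, 5th, 16th).
    This is the "password view with character positions" a password
    manager would need to answer such prompts from a stored password."""
    n = len(secret)
    for p in positions:
        if not 1 <= p <= n:
            raise ValueError(f"position {p} out of range for length {n}")
    return "".join(secret[p - 1] for p in positions)


def distinct_prompts(n: int, k: int) -> int:
    """Number of different k-position prompts for an n-character password,
    i.e. the odds against seeing exactly the same indexes twice are 1 in
    this many."""
    return comb(n, k)


def expected_logins_to_expose_all(n: int, k: int) -> Fraction:
    """Expected number of observed logins until every one of the n
    positions has been asked at least once, when each login asks for a
    uniformly random k-subset of positions.

    Coupon-collector with k distinct coupons per draw, by inclusion-exclusion:
      P(T > t) = sum_{j=1..n} (-1)^(j+1) C(n,j) * q_j^t,
      q_j = C(n-j,k) / C(n,k)   (probability a fixed set of j positions
                                 is missed by one prompt; 0 when n-j < k)
      E[T] = sum_{t>=0} P(T > t) = sum_{j=1..n} (-1)^(j+1) C(n,j) / (1 - q_j)
    Exact rational arithmetic, so the result can be compared precisely."""
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    total = Fraction(0)
    for j in range(1, n + 1):
        q_j = Fraction(comb(n - j, k), comb(n, k)) if n - j >= k else Fraction(0)
        sign = 1 if j % 2 == 1 else -1
        total += sign * comb(n, j) / (1 - q_j)
    return total


if __name__ == "__main__":
    # Constructed sample password (not anyone's real credential).
    password = "correct horse battery"
    print("prompt 2,5,16 ->", characters_at_positions(password, [2, 5, 16]))
    for n, k in ((4, 3), (20, 3)):
        print(f"n={n}, k={k}: {distinct_prompts(n, k)} distinct prompts, "
              f"full exposure after ~{float(expected_logins_to_expose_all(n, k)):.1f} "
              f"observed logins on average")
```

The exact value for the four-digit PIN case is 7/3 logins, and for the 20-character password it comes out in the low twenties: a few weeks of observed logins, not a permanent secret, which is the sense in which the scheme trades a lot of usability for a limited delay.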

I think I’ll write a separate blog post about bank apps and website security bad practices, because it’s going to be a long topic and one I want to write down properly so I can forward it to my bank contacts, even though it won’t help with anything.

Once again, my opinion is that any time you make security a complicated feature, you’re actually worsening the practical security, even if your ideas are supposed to improve the theoretical one. And that includes insisting on the perfect solution for password storage.

3 Comments
  1. Maybe I should wait for the followup article but till that comes I wanted to add another example of bad security practice from a bank website. Barclays implements their security theater by two means:
     1. Not allowing pasting into the password field. This basically annoys anybody using a password manager and forces to use an easy to type and short password. Alas this practice seems to be quite widespread without good explanation, see http://www.troyhunt.com/201… or many hacks on the net trying to work around this anti-feature.
     2. After inputting the username and password the next page asks for answering 1 of 3 “security questions”. Note that these questions are mandatory and not the ones that you get when you forgot your password. The existence of security questions instead of passwords is a topic in itself but that has also been discussed in depth with the conclusion that they must die asap.
     So to sum up. Barclays forces one to use short passwords and 4 of them! This is not only weaker as compared to a single and good password (which could be enforced by asking for a sane password length) but also annoys people. Kind of hits the nail for the definition of “security theater”.
     Bye, Bogdan

  2. Two things:
     1. I recently migrated phones so I found out lastpass has an Android keyboard now, which is much better than using copy-paste.
     2. Feature request: password view with character positions.

  3. Martin Vigo and Alberto Garcia did an excellent evaluation of Lastpass security (and wrote a metasploit module for it). See http://www.martinvigo.com/e… . I’m sure you’ll continue to stick with them but maybe you’ll find some doubts creeping in. Some time.
