KEMBAR78
Password best practices and the last pass hack | ODP
Kevin OBrien, profile picture
Uploaded byKevin OBrien
ODP, PPTX841 views

Password best practices and the last pass hack

The document discusses password best practices, emphasizing the need for strong, unique passwords and the use of password managers like LastPass, despite its recent hack. It explores the differences in security practices between average users and professionals, highlighting that many common user practices may be misguided. The document concludes that LastPass, while having been compromised, still provides significant security due to its layered defense strategies and emphasis on proper password management.

Download as ODP, PPTX
Password Best Practices and the LastPass hack Kevin O'Brien Washtenaw Linux Users Group
What Are Best Practices ● There is a lot of confusion here ● Average users don't have the right priorities ● Look to the pros ● http://arstechnica.com/security/2015/07/what-amateurs- can-learn-from-security-pros-about-staying-safe-online/
Average Users' Top Practices ● Use Anti-Virus Software ● Use Strong Passwords ● Change Passwords Frequently ● Only Visit Web Sites They Know ● Don't Share Personal Information
Pro's Top Practice ● Install Software Updates ● Use Unique Passwords ● Use Two-Factor Authentication ● Use Strong Passwords ● Use A Password Manager
Only Practice They Agree On Use Strong Passwords
Average Users Do Odd Things ● Change Passwords Frequently ● Only Visit Web Sites They Know
Changing Passwords Frequently ● OK, in their defense IT departments insist on this, but it makes no sense ● For what attack vector is this a defense? ● This is actually an example of how silly best practices frequently are
Only Visit Web Sites They Know ● Makes the Web virtually unusable ● With link rot they will soon run out of sites to visit ● The only things left to visit will be Google and ESPN
Look at the Pros again ● Install Software Updates ● Use Unique Passwords ● Use Two-Factor Authentication ● Use Strong Passwords ● Use A Password Manager
Install Software Updates ● This is number one on the Pro's list ● But many average users resist doing this ● It is OK to look at patches and triage them, but security patches should be installed unless you know very well what you are doing ● Most average users should automatically install them
Two-Factor Authentication ● This provides excellent security as part of a program ● But it requires just a little more effort ● I like solutions that push something to my phone to grant access ● Duo Security is one excellent solution
Strong & Unique Passwords ● These are two separate practices, but they work together to provide security ● Strong means long passwords with high entropy ● These are inherently difficult to remember ● The average user will never do this if it means memorizing
Use A Password Manager ● The only way most users can have strong and unique passwords is to use a Password Manager ● LastPass is one that is excellent ● But it was hacked recently ● https://blog.lastpass.com/2015/06/lastpass-security- notice.html/
Game Over for LastPass? ● I don't think so ● Security is a layered process ● You cannot with certainty prevent any intrusion ● The question is how you handle it ● LastPass handled it well, in my opinion
What They Said “In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised. In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.”
So Why Are They OK? ● First, they segregated their network ● User password vaults were never accessed ● Contrast with Sony, where once the North Koreans got in, they had access to everything ● This is a key security practice
Things They Had To Store ● Password Hint ● E-mail addresses ● Per-user password salts ● Hashed password values ● Encrypted database
What The Intruders Did Not Get ● Encrypted database – This was on a separate network segment ● This means an intruder would need a second successful attack to get the actual useful data ● If an intruder has for example a 1% chance of being successful, the joint probability of being successful in both attacks is .01% ● The actual percentages may be lower
What They Did Get ● E-mail addresses ● Password Hints ● Per-user Password salts ● Hashed password values
Why Is This Not So Bad? ● To really understand this you need think about the threat model and how security measures mitigate the threat ● As Bruce Schneier always says, the counter-measure needs to work against the threat you have identified ● See my article Sensible Security: The Schneier Model at http://www.zwilnik.com/?page_id=577
What Is The Threat? ● If the NSA was behind the intrusion and they have specifically targeted you as a “person of interest” you might be at risk here ● But realistically, if they are specifically going after you, your LastPass account is the least of your worries, and you should be studying Edward Snowden like a rabbi studies scripture ● The threat I worry about is someone trying to grab a bunch of passwords for criminal uses
This Threat Is Manageable! There is a story about two campers who hear a bear searching the campsite. One of them looks for sneakers to run away. The other one says “That is no use, you can't outrun a bear.” And the first one says “I know, but I only have to outrun you!”
Security Is Comparative ● So if the NSA is targeting you that is a problem ● But most times you just need to put up a speed bump so that they get other people instead ● That means stopping the most common attacks
Salted Hash ● This is your first level of defense ● It adds a random number to your password before it is hashed ● This “salt” must, perforce, be stored on the same server as the hash ● But, and this is crucial, it gives security against dictionary attacks
Dictionary Attacks ● Every known password is in a dictionary ● The dictionary is then hashed ● The hashes in the are then compared to the hashes in the web site database ● When they match, you know the password
How Salts Protect ● When there is a salt added to each password, even if the salt is known and tied to the user, it forces the intruder to create a dictionary for each salt they find ● This is so time consuming that most intruders will not bother ● They are looking for millions of passwords, so they would need millions of dictionaries ● Does not apply to the NSA if they are after you
So, LastPass Did Not Err ● Yes, the salts and the hashes were exposed ● But when you look at the threat model, the use of salts added significant security to protecting people's data ● The hashing algorithm added even more
Client-Side Algorithm ● You create a vault ● It is secured with a Master Password ● This password is hashed together with your user name ● The hashing uses SHA-256, an excellent hash ● This done multiple times, by default 5000, but you can change that
Server-Side Algorithm ● The Client-Side process creates a key, which is hashed again and sent to the server ● The server adds a random salt to this key, and then hashes another 100,000 times ● This is your encryption key, and is used to encrypt your password database ● LastPass does not have your key
LastPass Does Not Have Your Key ● This is worth repeating ● They really don't have it ● They can't turn it over to the government ● Worst-case scenario, they can turn over the random salt and the hash they have stored ● This could possibly be cracked if the government really tries and you were lazy
Losing Your Password ● I have done this experiment ● LastPass really cannot help you if you lose your password ● The best they can do is give you an earlier version of your encrypted database ● This will help if you remember your previous password ● Otherwise, you are SOL
Reversing Hashes ● Hashing is a well-defined algorithm that is completely reversible if you have all of the parameters ● Adding security means making those parameters hard to recover by your opponent ● Hashing does require resources ● Doing it for millions of passwords is not trivial
What Intruders Do ● They get the database of hashes ● They use a prepared dictionary of passwords that are already hashed ● They run a comparison ● And they get hits ● They don't need to find every password, just enough to be profitable
Success Percentages ● In 2013 a widely reported study found that 90% of passwords were cracked with little difficulty ● However, this study used MD5, which even then was not regarded as secure ● But if a database of hashes is done badly, success rates of over 70% are not too difficult ● Your objective is to the in 30% when the crackers give up
How To Erect Barriers ● Number one is your Master Password ● This is the most important thing to pay attention to ● Length and entropy matter here ● Remember, you only need one! ● LastPass will remember all the other ones for you!
Change Defaults ● Remember that LastPass does 5000 rounds of hashing by default ● That is information a cracker can use! ● Change the default to something bigger ● And don't make it a round number: 19,457 is better than 20,000 ● The cracker cannot get your password without knowing this, or else calculating every possible number
Unique! ● Your LastPass master password should be one you never use on any other site ● A common problem with re-used passwords is that if one site with bad security lets the bad guys get it, they will try it on other sites as well ● Let LastPass remember your Bank password, that is what it is there for
What your password does ● Every time you open LastPass you need to login with your Master Password ● Your Client software will then combine that with your user name, and hash it the number of times your specified to get your key ● This is sent to the server, where the known salt is added, and it is then hashed 100,000 times ● Then your password vault is opened
Is This Enough? ● You have a very strong master password ● You have changed the default settings for client side hashing ● LastPass uses a strong algorithm for hashing, SHA-256, not something like MD5 or SHA-1, which are deprecated for any serious security work ● This is all good
One More Thing ● There is one more thing you can do to stop anyone getting in ● You can have two-factor authentication for LastPass: https://helpdesk.lastpass.com/multifactor-authentication-options ● I use Duo Security for mine ● I cannot log in to LastPass without approving it on my phone
Conclusion ● 4 of the five top strategies used by security pros are addressed by this – Use Unique Passwords – Use Two-Factor Authentication – Use Strong Passwords – Use A Password Manager ● And that is why I still use LastPass, and pay for a premium account (all of $12/year)

More Related Content

PPTX
Minding the Metacognitive Gap - BSides NOLA
bychrissanders88
 
PDF
PASSWORD BEST PRACTICES
byRazorpoint Security
 
PDF
Android Attacks
byMichael Scovetta
 
PDF
Strategic Surprise
byMichael Scovetta
 
PDF
Stackjacking
byMichael Scovetta
 
PDF
Consumer Password Worst Practices
byMichael Scovetta
 
PDF
Peter Norvig - NYC Machine Learning 2013
byMichael Scovetta
 
PDF
Modern Kernel Pool Exploitation: Attacks and Techniques
byMichael Scovetta
 
Minding the Metacognitive Gap - BSides NOLA
bychrissanders88
 
PASSWORD BEST PRACTICES
byRazorpoint Security
 
Android Attacks
byMichael Scovetta
 
Strategic Surprise
byMichael Scovetta
 
Stackjacking
byMichael Scovetta
 
Consumer Password Worst Practices
byMichael Scovetta
 
Peter Norvig - NYC Machine Learning 2013
byMichael Scovetta
 
Modern Kernel Pool Exploitation: Attacks and Techniques
byMichael Scovetta
 

Similar to Password best practices and the last pass hack

PPSX
Heartbleed Explained & LastPass Demo
byWilliam Mann
 
ODP
Secure Password Management, Informal, @WalmartLabs
byKarl Mueller
 
PPTX
Password Managers - Lastpass
byBertold Kolics
 
PDF
LastPass Password Manager - the last password you'll ever have to remember
byiSiteBuild.com
 
PPTX
Passwords, Passwords and more Passwords
byclcewing
 
PPSX
West Chester Staff Technology Training - Website,LastPass and Tips!
byWilliam Mann
 
ODP
All Your Password Are Belong To Us
byCharles Southerland
 
PPTX
How to Protect Yourself From Heartbleed Security Flaw
byConnectSafely
 
ODP
Passwords
byKevin OBrien
 
PPTX
Securing Passwords
byMandeep Singh
 
PDF
How to be safe on the internet. Make the web better!
byOctavian Irimia
 
PDF
W make107
byGreg in SD
 
PDF
Be Cyber Smart! (DLH 10/25/2019)
byDavid Herrington
 
PPTX
Password management
byWilmington University
 
PPTX
Personal internet security
byMostafa Siraj
 
DOC
Protect Your Business With Web Security
byHarrison Kenyon Marketing
 
PDF
Why is password protection a fallacy a point of view
bySTO STRATEGY
 
PPTX
Don't Forget Your (Virtual) Keys: Creating and Using Strong Passwords
byrmortiz66
 
PDF
How to choose a password that’s hard to crack
byKlaus Drosch
 
PDF
How to Design Passwords
byUniversity of Hertfordshire
 
Heartbleed Explained & LastPass Demo
byWilliam Mann
 
Secure Password Management, Informal, @WalmartLabs
byKarl Mueller
 
Password Managers - Lastpass
byBertold Kolics
 
LastPass Password Manager - the last password you'll ever have to remember
byiSiteBuild.com
 
Passwords, Passwords and more Passwords
byclcewing
 
West Chester Staff Technology Training - Website,LastPass and Tips!
byWilliam Mann
 
All Your Password Are Belong To Us
byCharles Southerland
 
How to Protect Yourself From Heartbleed Security Flaw
byConnectSafely
 
Passwords
byKevin OBrien
 
Securing Passwords
byMandeep Singh
 
How to be safe on the internet. Make the web better!
byOctavian Irimia
 
W make107
byGreg in SD
 
Be Cyber Smart! (DLH 10/25/2019)
byDavid Herrington
 
Password management
byWilmington University
 
Personal internet security
byMostafa Siraj
 
Protect Your Business With Web Security
byHarrison Kenyon Marketing
 
Why is password protection a fallacy a point of view
bySTO STRATEGY
 
Don't Forget Your (Virtual) Keys: Creating and Using Strong Passwords
byrmortiz66
 
How to choose a password that’s hard to crack
byKlaus Drosch
 
How to Design Passwords
byUniversity of Hertfordshire
 

More from Kevin OBrien

PPTX
American icon pmi
byKevin OBrien
 
ODP
Tls 1.3
byKevin OBrien
 
ODP
Forward Secrecy
byKevin OBrien
 
ODP
Diffie_Hellman-Merkle Key Exchange
byKevin OBrien
 
ODP
SSL certificates
byKevin OBrien
 
ODP
Encryption basics
byKevin OBrien
 
PDF
Linux Directory Structure
byKevin OBrien
 
PDF
Hardware Discovery Commands
byKevin OBrien
 
PDF
Introduction to linux
byKevin OBrien
 
PDF
Help, my computer is sluggish
byKevin OBrien
 
PDF
The ps Command
byKevin OBrien
 
PDF
Installing Software, Part 3: Command Line
byKevin OBrien
 
PDF
Installing Software, Part 2: Package Managers
byKevin OBrien
 
PDF
Installing Software, Part 1 - Repositories
byKevin OBrien
 
PDF
Installing Linux: Partitioning and File System Considerations
byKevin OBrien
 
PDF
The ifconfig Command
byKevin OBrien
 
PDF
Find and Locate: Two Commands
byKevin OBrien
 
PDF
The Shell Game Part 4: Bash Shortcuts
byKevin OBrien
 
PDF
The Shell Game Part 3: Introduction to Bash
byKevin OBrien
 
PDF
The Shell Game Part 2: What are your shell choices?
byKevin OBrien
 
American icon pmi
byKevin OBrien
 
Tls 1.3
byKevin OBrien
 
Forward Secrecy
byKevin OBrien
 
Diffie_Hellman-Merkle Key Exchange
byKevin OBrien
 
SSL certificates
byKevin OBrien
 
Encryption basics
byKevin OBrien
 
Linux Directory Structure
byKevin OBrien
 
Hardware Discovery Commands
byKevin OBrien
 
Introduction to linux
byKevin OBrien
 
Help, my computer is sluggish
byKevin OBrien
 
The ps Command
byKevin OBrien
 
Installing Software, Part 3: Command Line
byKevin OBrien
 
Installing Software, Part 2: Package Managers
byKevin OBrien
 
Installing Software, Part 1 - Repositories
byKevin OBrien
 
Installing Linux: Partitioning and File System Considerations
byKevin OBrien
 
The ifconfig Command
byKevin OBrien
 
Find and Locate: Two Commands
byKevin OBrien
 
The Shell Game Part 4: Bash Shortcuts
byKevin OBrien
 
The Shell Game Part 3: Introduction to Bash
byKevin OBrien
 
The Shell Game Part 2: What are your shell choices?
byKevin OBrien
 

Recently uploaded

PPTX
The First Internet Message was sent on 29 Oct 1969. However . . .
byBob Mayer
 
PDF
The 13 satanic codes for Self Power and Sovereignty
byhikariaoki1
 
PDF
Buying, Aged Twitter Accounts_ The Secret to Instant Growth.pdf
byBEST IT SMM
 
PDF
Nome completo de Laurence Gregory Watkins
bydiariodocentrodomundo
 
PPTX
UNIT –I community health CHN P.B.Sc ppt.pptx
byDr.Anjalatchi Muthukumaran
 
PDF
Dark Humanism 200 Principles for living a life in shadow
byhikariaoki1
 
PPTX
Hathway_Fiber_Bajaj_wi-Fi_Best internet_
byHATHWAY FIBER INTERNET SERVICE PROVIDER in Bajaj enclave
 
PPTX
Generating-Patterns: Arithmetic Sequences, Arithmetic Mean,
byChanelleObate
 
PDF
kjhhhhhhhhhhhhhhhhhhhhhhhhhhhhhkjhkkkkkkkkkkkkkkkkjh
bybishnoijordan29
 
PPTX
Viva_Digitally_Online_Meeting_Presentation.pptx
byHubraSEO
 
PPTX
一比一原版(StuttgartH毕业证书)斯图加特工程应用技术大学毕业证办理成绩单学历认证
by办硕士文凭昆士兰科技大学学历认证【Q微号:1954 292 140】QUT毕业证成绩单
 
PDF
Reality Drift: Cultural and Academic Footprints Across Media, Classrooms, and...
byDr. Samuel Wellington
 
PPTX
Presentation contoso chart 1 2 3 4 5 6 7 8
byJohannReyes3
 
PDF
Unlocking-the-Future-AI-Software-Development-Services.pdf
byPrologicTechnologies
 
PDF
WHMCS Croster 2.1.2 Nulled Pre Activated
byCroster 2.1.2 Nulled
 
PPTX
Pembagian kelompok menentuan tema yntuk paud.pptx
bywiwiktriwahyuni13
 
PPTX
TREC_2024_Lateral_Reading_Purpose_and_Need.pptx
byGichxIocHiIvdug
 
PPTX
Protection from Cyber attacks and Security Firewall
byAjayTiwari684365
 
The First Internet Message was sent on 29 Oct 1969. However . . .
byBob Mayer
 
The 13 satanic codes for Self Power and Sovereignty
byhikariaoki1
 
Buying, Aged Twitter Accounts_ The Secret to Instant Growth.pdf
byBEST IT SMM
 
Nome completo de Laurence Gregory Watkins
bydiariodocentrodomundo
 
UNIT –I community health CHN P.B.Sc ppt.pptx
byDr.Anjalatchi Muthukumaran
 
Dark Humanism 200 Principles for living a life in shadow
byhikariaoki1
 
Hathway_Fiber_Bajaj_wi-Fi_Best internet_
byHATHWAY FIBER INTERNET SERVICE PROVIDER in Bajaj enclave
 
Generating-Patterns: Arithmetic Sequences, Arithmetic Mean,
byChanelleObate
 
kjhhhhhhhhhhhhhhhhhhhhhhhhhhhhhkjhkkkkkkkkkkkkkkkkjh
bybishnoijordan29
 
Viva_Digitally_Online_Meeting_Presentation.pptx
byHubraSEO
 
一比一原版(StuttgartH毕业证书)斯图加特工程应用技术大学毕业证办理成绩单学历认证
by办硕士文凭昆士兰科技大学学历认证【Q微号:1954 292 140】QUT毕业证成绩单
 
Reality Drift: Cultural and Academic Footprints Across Media, Classrooms, and...
byDr. Samuel Wellington
 
Presentation contoso chart 1 2 3 4 5 6 7 8
byJohannReyes3
 
Unlocking-the-Future-AI-Software-Development-Services.pdf
byPrologicTechnologies
 
WHMCS Croster 2.1.2 Nulled Pre Activated
byCroster 2.1.2 Nulled
 
Pembagian kelompok menentuan tema yntuk paud.pptx
bywiwiktriwahyuni13
 
TREC_2024_Lateral_Reading_Purpose_and_Need.pptx
byGichxIocHiIvdug
 
Protection from Cyber attacks and Security Firewall
byAjayTiwari684365
 

Password best practices and the last pass hack

  • 1.
    Password Best Practicesand the LastPass hack Kevin O'Brien Washtenaw Linux Users Group
  • 2.
    What Are BestPractices ● There is a lot of confusion here ● Average users don't have the right priorities ● Look to the pros ● http://arstechnica.com/security/2015/07/what-amateurs- can-learn-from-security-pros-about-staying-safe-online/
  • 3.
    Average Users' TopPractices ● Use Anti-Virus Software ● Use Strong Passwords ● Change Passwords Frequently ● Only Visit Web Sites They Know ● Don't Share Personal Information
  • 4.
    Pro's Top Practice ●Install Software Updates ● Use Unique Passwords ● Use Two-Factor Authentication ● Use Strong Passwords ● Use A Password Manager
  • 5.
    Only Practice TheyAgree On Use Strong Passwords
  • 6.
    Average Users DoOdd Things ● Change Passwords Frequently ● Only Visit Web Sites They Know
  • 7.
    Changing Passwords Frequently ●OK, in their defense IT departments insist on this, but it makes no sense ● For what attack vector is this a defense? ● This is actually an example of how silly best practices frequently are
  • 8.
    Only Visit WebSites They Know ● Makes the Web virtually unusable ● With link rot they will soon run out of sites to visit ● The only things left to visit will be Google and ESPN
  • 9.
    Look at thePros again ● Install Software Updates ● Use Unique Passwords ● Use Two-Factor Authentication ● Use Strong Passwords ● Use A Password Manager
  • 10.
    Install Software Updates ●This is number one on the Pro's list ● But many average users resist doing this ● It is OK to look at patches and triage them, but security patches should be installed unless you know very well what you are doing ● Most average users should automatically install them
  • 11.
    Two-Factor Authentication ● Thisprovides excellent security as part of a program ● But it requires just a little more effort ● I like solutions that push something to my phone to grant access ● Duo Security is one excellent solution
  • 12.
    Strong & UniquePasswords ● These are two separate practices, but they work together to provide security ● Strong means long passwords with high entropy ● These are inherently difficult to remember ● The average user will never do this if it means memorizing
  • 13.
    Use A PasswordManager ● The only way most users can have strong and unique passwords is to use a Password Manager ● LastPass is one that is excellent ● But it was hacked recently ● https://blog.lastpass.com/2015/06/lastpass-security- notice.html/
  • 14.
    Game Over forLastPass? ● I don't think so ● Security is a layered process ● You cannot with certainty prevent any intrusion ● The question is how you handle it ● LastPass handled it well, in my opinion
  • 15.
    What They Said “Inour investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised. In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.”
  • 16.
    So Why AreThey OK? ● First, they segregated their network ● User password vaults were never accessed ● Contrast with Sony, where once the North Koreans got in, they had access to everything ● This is a key security practice
  • 17.
    Things They HadTo Store ● Password Hint ● E-mail addresses ● Per-user password salts ● Hashed password values ● Encrypted database
  • 18.
    What The IntrudersDid Not Get ● Encrypted database – This was on a separate network segment ● This means an intruder would need a second successful attack to get the actual useful data ● If an intruder has for example a 1% chance of being successful, the joint probability of being successful in both attacks is .01% ● The actual percentages may be lower
  • 19.
    What They DidGet ● E-mail addresses ● Password Hints ● Per-user Password salts ● Hashed password values
  • 20.
    Why Is ThisNot So Bad? ● To really understand this you need think about the threat model and how security measures mitigate the threat ● As Bruce Schneier always says, the counter-measure needs to work against the threat you have identified ● See my article Sensible Security: The Schneier Model at http://www.zwilnik.com/?page_id=577
  • 21.
    What Is TheThreat? ● If the NSA was behind the intrusion and they have specifically targeted you as a “person of interest” you might be at risk here ● But realistically, if they are specifically going after you, your LastPass account is the least of your worries, and you should be studying Edward Snowden like a rabbi studies scripture ● The threat I worry about is someone trying to grab a bunch of passwords for criminal uses
  • 22.
    This Threat IsManageable! There is a story about two campers who hear a bear searching the campsite. One of them looks for sneakers to run away. The other one says “That is no use, you can't outrun a bear.” And the first one says “I know, but I only have to outrun you!”
  • 23.
    Security Is Comparative ●So if the NSA is targeting you that is a problem ● But most times you just need to put up a speed bump so that they get other people instead ● That means stopping the most common attacks
  • 24.
    Salted Hash ● Thisis your first level of defense ● It adds a random number to your password before it is hashed ● This “salt” must, perforce, be stored on the same server as the hash ● But, and this is crucial, it gives security against dictionary attacks
  • 25.
    Dictionary Attacks ● Everyknown password is in a dictionary ● The dictionary is then hashed ● The hashes in the are then compared to the hashes in the web site database ● When they match, you know the password
  • 26.
    How Salts Protect ●When there is a salt added to each password, even if the salt is known and tied to the user, it forces the intruder to create a dictionary for each salt they find ● This is so time consuming that most intruders will not bother ● They are looking for millions of passwords, so they would need millions of dictionaries ● Does not apply to the NSA if they are after you
  • 27.
    So, LastPass DidNot Err ● Yes, the salts and the hashes were exposed ● But when you look at the threat model, the use of salts added significant security to protecting people's data ● The hashing algorithm added even more
  • 28.
    Client-Side Algorithm ● Youcreate a vault ● It is secured with a Master Password ● This password is hashed together with your user name ● The hashing uses SHA-256, an excellent hash ● This done multiple times, by default 5000, but you can change that
  • 29.
    Server-Side Algorithm ● TheClient-Side process creates a key, which is hashed again and sent to the server ● The server adds a random salt to this key, and then hashes another 100,000 times ● This is your encryption key, and is used to encrypt your password database ● LastPass does not have your key
  • 30.
    LastPass Does NotHave Your Key ● This is worth repeating ● They really don't have it ● They can't turn it over to the government ● Worst-case scenario, they can turn over the random salt and the hash they have stored ● This could possibly be cracked if the government really tries and you were lazy
  • 31.
    Losing Your Password ●I have done this experiment ● LastPass really cannot help you if you lose your password ● The best they can do is give you an earlier version of your encrypted database ● This will help if you remember your previous password ● Otherwise, you are SOL
  • 32.
    Reversing Hashes ● Hashingis a well-defined algorithm that is completely reversible if you have all of the parameters ● Adding security means making those parameters hard to recover by your opponent ● Hashing does require resources ● Doing it for millions of passwords is not trivial
  • 33.
    What Intruders Do ●They get the database of hashes ● They use a prepared dictionary of passwords that are already hashed ● They run a comparison ● And they get hits ● They don't need to find every password, just enough to be profitable
  • 34.
    Success Percentages ● In2013 a widely reported study found that 90% of passwords were cracked with little difficulty ● However, this study used MD5, which even then was not regarded as secure ● But if a database of hashes is done badly, success rates of over 70% are not too difficult ● Your objective is to the in 30% when the crackers give up
  • 35.
    How To ErectBarriers ● Number one is your Master Password ● This is the most important thing to pay attention to ● Length and entropy matter here ● Remember, you only need one! ● LastPass will remember all the other ones for you!
  • 36.
    Change Defaults ● Rememberthat LastPass does 5000 rounds of hashing by default ● That is information a cracker can use! ● Change the default to something bigger ● And don't make it a round number: 19,457 is better than 20,000 ● The cracker cannot get your password without knowing this, or else calculating every possible number
  • 37.
    Unique! ● Your LastPassmaster password should be one you never use on any other site ● A common problem with re-used passwords is that if one site with bad security lets the bad guys get it, they will try it on other sites as well ● Let LastPass remember your Bank password, that is what it is there for
  • 38.
    What your passworddoes ● Every time you open LastPass you need to login with your Master Password ● Your Client software will then combine that with your user name, and hash it the number of times your specified to get your key ● This is sent to the server, where the known salt is added, and it is then hashed 100,000 times ● Then your password vault is opened
  • 39.
    Is This Enough? ●You have a very strong master password ● You have changed the default settings for client side hashing ● LastPass uses a strong algorithm for hashing, SHA-256, not something like MD5 or SHA-1, which are deprecated for any serious security work ● This is all good
  • 40.
    One More Thing ●There is one more thing you can do to stop anyone getting in ● You can have two-factor authentication for LastPass: https://helpdesk.lastpass.com/multifactor-authentication-options ● I use Duo Security for mine ● I cannot log in to LastPass without approving it on my phone
  • 41.
    Conclusion ● 4 ofthe five top strategies used by security pros are addressed by this – Use Unique Passwords – Use Two-Factor Authentication – Use Strong Passwords – Use A Password Manager ● And that is why I still use LastPass, and pay for a premium account (all of $12/year)