Posts

LastPass Hacked, Change Your Master Password Now

LastPass – my favorite password manager – has been hacked. This is the bad news. It’s time to change your master password. If you have LastPass, do this right now before you finish reading this post. The good news is that passwords you have saved for other sites should be safe.

LastPass announced on their company blog that they detected a server intrusion. While encrypted user data (your stored passwords for other sites) was not stolen, the hackers did take LastPass account email addresses, password reminders, server per user salts, and authentication hashes. The latter is what’s used to tell LastPass that you have permission to access your account.

According to LastPass, the authentication hashes should be sufficiently encrypted to prevent anyone from using them to access your account. However, the company is still prompting all users to update their master password that they use to log in to their LastPass account. If you use LastPass, you should do this immediately. If you share that master password with any other services, you should change it there, too. Finally, if you haven’t enabled two-factor authentication you should do that immediately here.

LastPass Security Notice – Updated June 16, 2105:

Was my master password exposed?
No, LastPass never has access to your master password. We use encryption and hashing algorithms of the highest standard to protect user data. We hash both the username and master password on the user’s computer with 5,000 rounds of PBKDF2-SHA256, a password strengthening algorithm. That creates a key, on which we perform another round of hashing, to generate the master password authentication hash. That is sent to the LastPass server so that we can perform an authentication check as the user is logging in. We then take that value, and use a salt (a random string per user) and do another 100,000 rounds of hashing, and compare that to what is in our database. In layman’s terms: Cracking our algorithms is extremely difficult, even for the strongest of computers.

Am I at risk if I have a weak master password?
An attacker could try to guess your master password, then use your per-user-salt and authentication hash to determine if their guess was correct. Typically, an attacker would try a list of commonly-used passwords or dictionary words (such as 12345678, password1, mustang, robert42, iloveyou). They would have to do this for you specifically, since your “per-user” salt is unique to your account . Because your password is hashed thousands of times locally, and this hashed value is again hashed 100,000 times before being stored server-side, guesses will be very slow. If your master password is weak or if your password reminder makes it easy-to-guess, then the attacker could significantly reduce the number of attempts needed to guess it correctly. Then the attacker would have your master password, but not your data, since your data vault was not exposed. If the attacker attempted to get access to your data by using these credentials to log into your LastPass account, they’d be stopped by a notification asking them to first verify their email address.  We require this security measure for any attempt to access your vault from a new device/location, unless you have multifactor authentication enabled.

Were passwords or other data stored in my vault exposed?
No, your data is safe. Encrypted user vaults were not compromised, so no data stored in your vault is at risk (including form fill profiles, secure notes, site usernames and passwords). However if you used your master password for any other website, we do advise changing it – on LastPass as well as on the other websites. Note that you should never reuse passwords – especially your LastPass master password!

What should I do now?
Our security and processes worked as designed, and customer data was, and is, protected. Because we are requiring verification for any new IP address or device, your account is secure. You will be prompted to update your master password when you login. Not all users will see the prompt immediately, but your account is safe and you can update when prompted. For added security going forward, we recommend enabling multifactor authentication. Also, be wary of phishing emails asking you to disclose your master password, payment information, or any other personal information. Never, ever disclose your master password or any confidential information, even to someone claiming to work for LastPass.

Why did I hear about this in the media first?
Emails have been sent to all users regarding the security incident. Notifying millions of users via email takes time. Therefore, we also announced the security alert to our blog and our social accounts in real-time, and the media quickly picked up the story.

I reset my master password, but now I can’t get in!
If you forgot or mis-typed your new master password, please revert your change: https://lastpass.com/revert.php and login again with the previous master password. Then you can try another change (and be careful of typos!).

I don’t remember my old master password.
Please try password recovery: https://lastpass.com/recover.php on a browser where you’ve used LastPass before. For more information about account recovery, see: https://helpdesk.lastpass.com/account-recovery/

Ten ways to protect yourself online

 

Any time you are online you are vulnerable to hackers. Whether you are a sole proprietor or a massive corporation like Sony, your chances of being hacked, scammed, or infiltrated in some way, are unfortunately about the same. Hackers can steal your credit card numbers, tax records and passwords, erase your hard drive, disable your entire computer, and even use your built-in webcam or microphone to spy on you. The most complete way to protect yourself online would be to get offline and disconnect yourself immediately, but that solution is no longer an option for any of us.

To protect yourself online, you should take these 10 steps very seriously:

1. Fortify your passwords

Don’t reuse your passwords. If an attacker gets your password she might try it on all of your accounts. This means that a given password is really only as secure as the least secure service where it’s used. Use a single master password or passphrase along with a password manager like LastPass. Choose strong passwords – short passwords of any kind, even totally random ones like nQ\m=8*x or !s7e&nUY are not strong enough today.

2. Use a password manager

Check out LastPass. This is what I use. There’s a free version that syncs between devices but doesn’t allow you to sync with your mobile phone. The premium version costs just $12/year!

3. Secure your security questions

Beware of security questions. Honest answers to many security questions are often publicly discoverable facts. If you do use factual information in the security questions, make them more secure by adding numbers and other characters. Your cat Fluffy can be F1uff7 instead.

4. All HTTPS all the time

HTTPS will encrypt any stream of data between you and the service, ensuring that anyone using Firesheep or a packet sniffer on a (usually public) Wi-Fi network can’t glean your login data. Never work at a coffee shop or other public wi-fi without it.

5. Turn on Two-Step verification

Facebook and Google both offer the option of 2-Step authentication when you login, meaning you have to enter a secondary pin number which is generated and/or texted to your phone. It’s a complete and utter pain in the ass whenever you’re logged out, but it’s also a pretty safe guarantee that no one will be getting into your account without a heavy-duty targeted attack.

6. Use a secret email address

Publicly available information is the first way a hacker can get their foot in the door. Few things are tossed around more casually than an email address. Don’t give potential hackers a starting point, especially if you use the same login info across multiple sites (which you shouldn’t be doing in the first place!). Instead, create an email address that as few people know about as possible that you use only for account log-ins.

7. Set up  login notifications

Facebook will allow you to receive a text message anytime an unrecognized IP address logs in to your account. You may not prevent a hack, but if you act quickly enough, you can remotely log them out and re-secure your account before they get their hands too deep into your business. Gmail is also set by default to alert you if it notices anything particularly strange with your login activity.

8. Put passwords on your devices

This is a no-brainer and should not require explanation. All of your phones, tablets, laptops, and desktops should have a password.

9. Don’t save your credit card information in your browser

Another no-brainer.

10. Keep an offline backup

Just in case your online backup provider is ever hacked, it’s probably a good idea to have your most important documents backed up using a physical hard drive connected to your computer.

11. Don’t link your accounts

Facebook sign-on certainly makes life easy for you, but imagine what happens when someone steals the phone that doesn’t have a password or hacks your password on your computer.

12. Use email wisely

Email is a great way to keep in touch with friends and family, and as a tool to conduct business. Even if you have good security software on your PC, however, your friends and family might not have the same protection. Be careful about what information you submit via email. Never send your credit-card information, Social Security number, or other private information via email.

Conclusion

Those of you who are very perceptive will note that I couldn’t resist and actually gave you 2 extra tips for protecting yourself online. Data shows that a blog post titled “ten ways to protect yourself online” will do better than the same post titled “twelve ways to protect yourself online”. If I had to hone in on one or two particularly important ways to protect yourself online, I would pick number 1/2 – fortify your passwords/use a password manager and number 12 – use email wisely as the most important ways to protect yourself online.

Do you all agree with me? Did I miss anything?

If You Aren’t Using a Password Manager, It’s Time To Start Using One Now

Online merchants and secure websites aren’t doing a very good job of keeping your personal information safe. Not a week goes by without news about a major online retailer being hacked. To make matters worse, even those websites that use decent security practices may have been compromised by the recently discovered Heartbleed bug. If the bad guys got your password, you’re in trouble. But if you used that same password at other sites, then you’re really in trouble. The only safe thing to do is to use a different strong password on every site, and the only practical way to do that is with a password manager.

If you aren’t using a password manager, it’s time to start using one now. This is important stuff, well worthy of major procrastination because setting up a password manager involves a considerable amount of time and planning. If you are starting from scratch, chances are good that you are using your browser’s built-in password management feature. There are a variety of password managers but we recommend LastPass and will help walk you through the process. LastPass will import those passwords, delete them from the browser, and turn off the browser’s password management. LastPass goes for a clean sweep, importing from all major browsers.

Beyond The Master Password

Most password managers support authentication using a master password. Since it’s protecting all of your other passwords, that one password needs to be really strong. But if that’s the only protection for your data, a crook who manages to steal your master password can access all of your data. The best password managers offer two-factor authentication.

LastPass 3.0 Premium can be configured for fingerprint-based authentication. LastPass supports authentication via the Google Authenticator mobile app.

Password Capture and Replay

Most, but not all, password managers integrate with the browser to capture login credentials as you enter them and replay those credentials when you revisit the site. LastPass goes a step beyond, actively detecting and managing password change events and capturing credentials as you sign up for a new service.

Quite a few password managers let you log in to your password storehouse from any browser, so you can look up credentials even when using someone else’s computer. Among these are Norton Identity SafeRoboForm Everywhere 7, and Keeper 5.0; LastPass and Dashlane also offer this feature. F-Secure, by contrast, doesn’t allow any online access, considering it a potential security risk.

Form Filling and Personal Data

Given that most password managers already have the ability to fill your username and password into a login form, it’s not surprising that many also serve as form fillers for personal data. LastPass will cleverly offer to capture what you’ve entered if it sees that you are filling a form manually.

LastPass can store various types of ID data such as passports and driver’s licenses.

Free Protection

The free edition of LastPass has almost everything found in the premium; support for mobile devices is the big exception. LastPass Premium costs only a dollar a month. That’s not a lot, considering what LastPass is protecting.

Security Checkup

Virtually every password manager will report the strength of your master password.  And virtually every product will generate strong, random passwords for you on demand.

LastPass takes this concept a step further by offering a security report listing all of your passwords and rating the strength of each. They also report on duplicates—passwords you’ve used on more than one site. And they make it easy to upgrade all your passwords to improve security.