FlyerTalk Forums (https://www.flyertalk.com/forum/index.php)
-   Travel Technology (https://www.flyertalk.com/forum/travel-technology-169/)
-   -   Password Overload (https://www.flyertalk.com/forum/travel-technology/1169892-password-overload.html)

gfunkdave May 6, 2011 9:17 am

It seems that the hackers (if there were hackers) may have only gotten a small number of encrypted salted hashes. If you use a longer, non-dictionary-word password, you'll be fine.

LIH Prem May 6, 2011 1:38 pm


Originally Posted by gfunkdave (Post 16338782)
It seems that the hackers (if there were hackers) may have only gotten a small number of encrypted salted hashes. If you use a longer, non-dictionary-word password, you'll be fine.

Using a longer non-dictionary word master password is good advice, but you aren't saying that lastpass users shouldn't be concerned about this, are you?

If I were using lastpass, I certainly would change my master password, however, their servers can't handle the load from all their users changing their master passwords at the same time. So you can't just change it and expect it to work everywhere until they resolve that problem. That's an even bigger problem if you ask me. And what started all this is a data transfer that they don't understand and couldn't explain?

Maybe (eventually) some good will come of this incident, but until it does ...

To each their own, I guess.

-David

travis bickle May 6, 2011 2:31 pm

Many ways to make your own secure password
 
and make it easy to remember

if you are at site X, let's say you were born on the 7th of May .... start at the numeral 7 and "go downhill" = 7ujm ... now go to where the 5 is but GO UPHILL WITH CAPS LOCK ON = BGT5....
thus your password for site X = 7ujmBGT5

simply do variants of the above ...
home address = 3345 .. so you use 4 and 5 = password 4rfvBGT5...
etc etc ad infinitum
if you cannot remember your birthdate, house number or last 4 of mobile phone number ... you should not be allowed to touch a keyboard.

ScottC May 6, 2011 2:32 pm


Originally Posted by LIH Prem (Post 16340263)
Using a longer non-dictionary word master password is good advice, but you aren't saying that lastpass users shouldn't be concerned about this, are you?

If I were using lastpass, I certainly would change my master password, however, their servers can't handle the load from all their users changing their master passwords at the same time. So you can't just change it and expect it to work everywhere until they resolve that problem. That's an even bigger problem if you ask me. And what started all this is a data transfer that they don't understand and couldn't explain?

Maybe (eventually) some good will come of this incident, but until it does ...

To each their own, I guess.

-David

I'm certainly concerned how a leaky Asterisk box could be on the same network as boxes containing password data. Surely someone there should have split the networks up to protect our data?

UALOneKPlus May 6, 2011 3:08 pm


Originally Posted by gfunkdave (Post 16338782)
It seems that the hackers (if there were hackers) may have only gotten a small number of encrypted salted hashes. If you use a longer, non-dictionary-word password, you'll be fine.

Exactly why I don't trust storing my passwords online. Why keepass is still the best solution for me.

fastflyer May 6, 2011 5:00 pm

I remember my passwords by a "concept." For example, all passwords are names of former pets or former street names. Always substitute certain letters with certain numbers and have a punctuation mark in the same location (end or beginning) of every password. This last bit allows you to use your same passwords even with sites with specific complexity requirements. Even if I don't remember the exact password, it is one of only a few options, and I just try them until I get the correct password. I get a lockout about once per year.

gfunkdave May 6, 2011 8:38 pm

I used to use nonsense words from the Jabberwocky with a number in them. Now I use LastPass, and I'll continue using LastPass. Their probably-paranoid approach has shown that they take security seriously.

Here's an interview in PC World with their CEO:

http://www.pcworld.com/article/22726...ible_hack.html

markwtaylor May 12, 2011 10:54 am

http://www.iliumsoft.com/site/ew/ewallet.php
 

Originally Posted by frequentfoulup (Post 15613473)
I admit it, my ability to remember all my passwords is long gone. I have always resisted recording them all on a portable laptop for security reasons but now I am overwhelmed. Any successful practices or useful tips are appreciated especially by road warriors in the same boat.

I use eWallet - can be installed and used on several devices. I have it on all three of my computers, as well as work and on my Android. Been using it for several years and love it.

BadTime May 12, 2011 11:32 am

I use an IronKey; it is a mil-grade encrypted USB thumb drive. It is relatively expensive, but I keep stuff on it that needs to be controlled (work, finance). Good when traveling abroad. If the wrong password is entered 10 times, it self-destructs. Also it is tough; I have washed and dried it 3 times now. Has Firefox on it and has secured browsing.

Pcolaboy May 12, 2011 12:55 pm

Can anyone find fault with this method
 
I have about a hundred username/passwords. I keep them in Yahoo Mail Notepad. Each "Note" has a title - e.g., "Flyertalk", in which I keep the pertinent data. I have never had a problem and am wondering the wisdom of this method. Thanks for your opinions.

gfunkdave May 12, 2011 4:20 pm


Originally Posted by Pcolaboy (Post 16374352)
I have about a hundred username/passwords. I keep them in Yahoo Mail Notepad. Each "Note" has a title - e.g., "Flyertalk", in which I keep the pertinent data. I have never had a problem and am wondering the wisdom of this method. Thanks for your opinions.

It's only as secure as:

a) Your Yahoo account, which is available 24/7 for anyone to try to get into. I hope you're using a very good password: at least 8 characters, no words from the dictionary, including uppercase letters, lowercase letters, and either numbers or symbols, preferably both.

b) If you use multiple computers that others have access to, be aware that the webpages containing your passwords could be cached on those computers in unencrypted form for anyone to see who bothers to go look at the cache.

c) The security of Yahoo's datacenters. I probably wouldn't worry too much about this one, though it would be interesting to know how they destroy old hard drives. I've seen a video of how Google does it (crush the drive with a steel press, then shred the whole thing into mangled bits), but dunno how Yahoo does.

All in all, I'd say that it's not a terrible method if you use a strong password on Yahoo and are careful to clear the cache on shared computers. But I'd go with something else mentioned in this thread, myself.

nmenaker May 14, 2011 4:45 pm

One of my customers, who worked with me in the past for a certain company ;-) STILL writes his passwords down in a small notebook that he carries everywhere and then puts in a safe. LONG passwords, letters, numbers, symbols, total gibberish.

That said, I don't really like the 1password or lastpass solutions and as we have seen recently things are getting HACKED. single sign-on is a GREAT concept and another company I worked for had a biometric authentication with a key card AS WELL and the passwords were stored on a chip in the key card. It was pretty solid.

A recent security researcher published an article where he detailed what the highest level of password security was and the result was interesting:

Best possible passwords to USE if your website or company makes it possible is a simple PHRASE of THREE WORDS or more (there was no need to go beyond three) with A SPACE as expected in between the three words.

THIS IS THE PASSWORD type of thing, or MY DOG BITS, or TAKE ME HOME. Compared to a SIX DIGIT with minimum ONE CAP and ONE SYMBOL and ONE NUMBER which could take a super computer with brute force something like eight months to break, this was essentially 1 MILLION YEARS+ with a brute force method and 2300 years with a common dictionary attack.

Seems interesting.

Here is a link to the article that excerpted the study

http://www.baekdal.com/tips/password-security-usability

UALOneKPlus May 14, 2011 6:46 pm


Originally Posted by Pcolaboy (Post 16374352)
I have about a hundred username/passwords. I keep them in Yahoo Mail Notepad. Each "Note" has a title - e.g., "Flyertalk", in which I keep the pertinent data. I have never had a problem and am wondering the wisdom of this method. Thanks for your opinions.

Pssst - Yahoo mail sucks.

I use Gmail, which has "https" option for reading, so all my mail and notes are "secure". Even Hotmail recently implemented the full HTTPS protocol as well, after lagging for a long time.

Yahoo mail is the only one that does not offer full HTTPS encryption when you read your mail. So your ISP tech can read your notes / mail, anyone sharing a network can read your Yahoo mail and notes. And they can even side-jack your yahoo mail with a very simple tool called Firesheep.

For frequent travelers as those who frequent this site, Yahoo mail is the worst, when you're trying to read email on the road at hotels and open wifi spots.

Just use KeePass - it's free, multi-platform, and works amazingly well.

UALOneKPlus May 14, 2011 6:46 pm


Originally Posted by nmenaker (Post 16386460)
One of my customers, who worked with me in the past for a certain company ;-) STILL writes his passwords down in a small notebook that he carries everywhere and then puts in a safe. LONG passwords, letters, numbers, symbols, total gibberish.

That said, I don't really like the 1password or lastpass solutions and as we have seen recently things are getting HACKED. single sign-on is a GREAT concept and another company I worked for had a biometric authentication with a key card AS WELL and the passwords were stored on a chip in the key card. It was pretty solid.

A recent security researcher published an article where he detailed what the highest level of password security was and the result was interesting:

Best possible passwords to USE if your website or company makes it possible is a simple PHRASE of THREE WORDS or more (there was no need to go beyond three) with A SPACE as expected in between the three words.

THIS IS THE PASSWORD type of thing, or MY DOG BITS, or TAKE ME HOME. Compared to a SIX DIGIT with minimum ONE CAP and ONE SYMBOL and ONE NUMBER which could take a super computer with brute force something like eight months to break, this was essentially 1 MILLION YEARS+ with a brute force method and 2300 years with a common dictionary attack.

Seems interesting.

Here is a link to the article that excerpted the study

http://www.baekdal.com/tips/password-security-usability

agree 100%. Great link.

dchoe May 15, 2011 2:06 am


Originally Posted by AlaskaAir738 (Post 15630327)
I can recommend 1Password for OSX. It's a clean, easy to use, well integrated app that works seamlessly with Safari. The Dropbox syncing is great for set up and forget about it transferring of data to/from all devices (iPhone, iPad, Mac, PC).

just wish the pc interface was as good as the mac version

dranz May 15, 2011 5:24 am

> A recent security researcher

Not recent; 2007.

Nor is Baekdal a security researcher. Looking at his alma
mater(s); it's not clear that they have ever offered a curriculum
that is relevant to the science of cryptography and the practice
of computer security.

He started out as a fashion designer and now works as a
(new media) publisher of magazines and websites. Those
are hardly the credentials of someone that should be described
as a "security researcher."

> published an article where he detailed what the
> highest level of password security was and the
> result was interesting:

He did indeed publish that bit of irresponsible nonsense in 2007.

Highest level of password security? HIGHEST??? Hawgwash.

> Best possible passwords to USE ... is a simple PHRASE of THREE WORDS or more
> (there was no need to go beyond three) with A SPACE as expected in between the
> three words.

Before using Baekdal's methodology; PLEASE READ:

http://www.grc.com/sn/SN-297.htm

UALOneKPlus May 15, 2011 10:08 am


Originally Posted by dranz (Post 16388491)
...Before using Baekdal's methodology; PLEASE READ:

http://www.grc.com/sn/SN-297.htm

Thanks for the link. I need to listen to more GRC episodes...never find the time. Security needs time though.

nmenaker May 15, 2011 1:59 pm


Originally Posted by dranz (Post 16388491)

Before using Baekdal's methodology; PLEASE READ:

http://www.grc.com/sn/SN-297.htm

this was an interesting read. I will comment though, that the guy Steve Gibson does NOT contradict any of the analysis or even the mathematical computations that Baekdal had done in his original piece (updated to a more recent one a few weeks ago) even noting that it might be an UNDER estimation of the time and method required to break a 3+ words password which includes SPACES or a CHARACTER in between the 3+ words. What Mr. Gibson seems to lack in his analysis is that it isn't just three words, it is three words with a space (or better yet a special character in between) which makes the permutations for a dictionary or brute force attack just that much more exponential. And, again, Mr. Gibson says the "math seems accurate".

The detail that Mr. Gibson seems to go into is what he feels are behavioral or environmental weaknesses of using such a password protocol/type and I find them accurate.

If someone sees you type it, they could know it.
If you write it down, then someone can get access to it.
If someone sees you write or type PART of it they could probably recreate it.
If it is easy for YOU to remember, once someone else sees or hears it, it is easy for THEM to remember too.

All true, all valid, but even though LEO continues to comment on the MATH ANALYSIS of how, let's say, this algorithm is fundamentally or statistically or technically more VULNERABLE, Mr. Gibson does not.

I'm going to talk to a friend over at checkpoint and see what their analysis of it is, try to put a bit more math behind it.

I'm not throwing out for naught based on this transcript.
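The search-space arithmetic that the posts above argue over (a six-character password with one capital, one symbol and one digit versus three dictionary words with a separator) can be checked directly. The following is an added example, not part of this thread or of Baekdal's or Gibson's material; the alphabet sizes, the 10,000-word vocabulary and the guess rates are assumptions chosen for illustration, and the `policies` names are constructed here.

```python
import math

# Assumed alphabet sizes (printable ASCII): 26 lower, 26 upper, 10 digits, 32 symbols.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 32
MIXED = LOWER + UPPER + DIGITS + SYMBOLS   # 94
ALNUM = LOWER + UPPER + DIGITS             # 62

# Assumed attacker guess rates, guesses per second (illustrative, not measured):
#   - an online login form with lockouts
#   - an offline attack against a fast unsalted hash such as plain MD5/SHA-1
#   - an offline attack against a deliberately slow, salted key-derivation function
GUESS_RATES = {"online": 1e2, "offline_fast_hash": 1e10, "offline_slow_kdf": 1e5}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def char_search_space(length: int, alphabet: int) -> int:
    """Distinct strings of exactly `length` characters over `alphabet` symbols.

    This is the upper bound an attacker must exhaust when the characters are chosen
    uniformly at random; a complexity rule that merely requires one capital, one
    digit and one symbol does not enlarge this bound.
    """
    return alphabet ** length


def passphrase_search_space(words: int, vocabulary: int, separator_choices: int = 1) -> int:
    """Distinct passphrases of `words` words drawn uniformly from `vocabulary` words.

    `separator_choices` is how many different separators can sit in each of the
    `words - 1` gaps. A fixed separator (always a space) contributes nothing once the
    attacker knows the format, so it counts as 1; a separator picked at random from
    32 symbols contributes a factor of 32 per gap.
    """
    return vocabulary ** words * separator_choices ** (words - 1)


def entropy_bits(space: int) -> float:
    """Search space expressed as bits of entropy (log2)."""
    return math.log2(space)


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case years to try every candidate at the given guess rate."""
    return space / guesses_per_second / SECONDS_PER_YEAR


# Constructed policy descriptions matching the ones discussed in the thread.
policies = {
    "6 chars, mixed alphabet":              char_search_space(6, MIXED),
    "8 chars, mixed alphabet":              char_search_space(8, MIXED),
    "9 chars, letters+digits":              char_search_space(9, ALNUM),
    "3 words of 10k, fixed space":          passphrase_search_space(3, 10_000),
    "3 words of 10k, random symbol gaps":   passphrase_search_space(3, 10_000, SYMBOLS),
}


def compare_policies(guesses_per_second: float) -> dict:
    """Map each policy name to (entropy bits, worst-case years) at one guess rate."""
    return {
        name: (round(entropy_bits(space), 1), years_to_exhaust(space, guesses_per_second))
        for name, space in policies.items()
    }


if __name__ == "__main__":
    for rate_name, rate in GUESS_RATES.items():
        print(f"\n{rate_name}: {rate:.0e} guesses/s")
        for name, (bits, years) in compare_policies(rate).items():
            print(f"  {name:38s} {bits:6.1f} bits  {years:.3g} years")
```

Two things the table makes visible that the prose does not: the attacker's guess rate (a property of the site's hashing, not of the password) moves the answer by eight orders of magnitude between the offline rows, and a three-word phrase with a fixed space is in the same bracket as a six-character random password unless the separators themselves are random.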

gfunkdave May 16, 2011 8:33 am


Originally Posted by nmenaker (Post 16386460)

That said, I don't really like the 1password or lastpass solutions and as we have seen recently things are getting HACKED.

To be clear: LastPass was not necessarily hacked. Their database server sent out some encrypted information and they couldn't verify exactly why, so they assumed the worst. In addition, the amount of information sent out was not very large; I believe they mentioned that it wouldn't have been more than a hundred or so users' worth, out of several million.

The information that the server sent out included people's email addresses, the server salt and their salted password hashes from the database. This means that the hackers, if there were actually hackers, got some encrypted information and part of the encryption key (the part that isn't users' passwords). So they can sit around trying to figure out each person's password, which will be proportionally as difficult as the password is complex. If a person had a password of at least 8 characters that didn't include a dictionary word, the hypothetical hackers won't be able to figure it out for years. Changing one's password re-encrypts the data in Lastpass, and removes the threat.

This is why one should use strong passwords.

Furthermore, I disagree that programs like Keepass are any better. If anyone gets access to your computer and downloads the Keepass file (or if you contract some malware that sends it to someone), then you're vulnerable to the same attack. In fact, you're doubly vulnerable, because you can't simply change your master password. That would only re-encrypt the password file on your computer, not the one that the hackers took.

I choose to have the more convenient approach and put my passwords where I can get them any time.


single sign-on is a GREAT concept and another company I worked for had a biometric authentication with a key card AS WELL and the passwords were stored on a chip in the key card. It was pretty solid.
Did you check the source code of the implementation? Are you certain that it was correctly implemented?
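The post above describes what a leaked record of "email, server salt, salted password hash" lets an attacker do: check candidate passwords one at a time, with the cost of each check set by the hashing scheme, and nothing to do once the user has rotated the password. The following is an added example written for this thread, not LastPass's code or the scheme it used at the time; PBKDF2-HMAC-SHA256 and the 100,000-iteration count are assumptions, and the `LeakedRecord` e-mail and passwords are constructed.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Optional

# Assumed work factor. The actual scheme and iteration count LastPass used in 2011 are
# not stated in the thread; this value just makes each guess deliberately slow.
ITERATIONS = 100_000
SALT_BYTES = 16


@dataclass(frozen=True)
class StoredRecord:
    """What the server keeps, and therefore what a leak exposes: no plaintext password."""
    email: str
    salt: bytes
    digest: bytes
    iterations: int


def derive(password: str, salt: bytes, iterations: int) -> bytes:
    """Salted, iterated key derivation; the salt makes precomputed tables useless."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def enroll(email: str, password: str, salt: Optional[bytes] = None,
           iterations: int = ITERATIONS) -> StoredRecord:
    """Create the record the server stores. A fresh random salt per user is the point."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    return StoredRecord(email, salt, derive(password, salt, iterations), iterations)


def verify(record: StoredRecord, password: str) -> bool:
    """Constant-time comparison of a candidate against the stored digest."""
    return hmac.compare_digest(derive(password, record.salt, record.iterations), record.digest)


def rotate(record: StoredRecord, new_password: str) -> StoredRecord:
    """Changing the master password: new salt, new digest. The old leaked record no
    longer corresponds to any live credential."""
    return enroll(record.email, new_password, iterations=record.iterations)


def guesses_per_second(record: StoredRecord, samples: int = 10) -> float:
    """Measure how fast this machine can test candidates against one leaked record.
    This is the defender's own estimate of the attacker's per-core rate."""
    start = time.perf_counter()
    for i in range(samples):
        derive(f"candidate-{i}", record.salt, record.iterations)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    # Constructed user; the e-mail address is a placeholder.
    leaked = enroll("user@example.invalid", "correct horse battery staple")
    print("leaked salt:", leaked.salt.hex())
    print("leaked digest:", leaked.digest.hex())
    print("right password verifies:", verify(leaked, "correct horse battery staple"))
    print("wrong password verifies:", verify(leaked, "password123"))
    rate = guesses_per_second(leaked)
    print(f"this machine checks about {rate:.0f} guesses/s against one record")
    rotated = rotate(leaked, "a new and different passphrase")
    print("old password still verifies after rotation:", verify(rotated, "correct horse battery staple"))
```

Run it and compare the measured rate with the billions of guesses per second a fast unsalted hash allows: the iteration count, not the leak itself, is what turns "a hundred or so users' worth" of records into years of work per strong password. The rotation step shows why the post says changing the master password removes the threat for the hosted service, while a copied local vault file keeps whatever digest it had when it was taken.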

nmenaker May 16, 2011 11:26 am

sure
 

Originally Posted by gfunkdave (Post 16394399)
To be clear: LastPass was not necessarily hacked. Their database server sent out some encrypted information and they couldn't verify exactly why, so they assumed the worst. In addition, the amount of information sent out was not very large; I believe they mentioned that it wouldn't have been more than a hundred or so users' worth, out of several million.

Sure, I didn't mean to infer that LastPass was totally compromised, just that THINGS are getting hacked, companies with credit cards, companies with emails and their associated passwords, etc. It would appear for the time being at least that if one wants to have essentially absolute security for documents, information, privacy, etc., it is best NOT to put it IN THE CLOUD as the cloud (which is just another word for INTERNET IMHO) has been shown to be vulnerable in many different ways. Direct access to servers, colocation breaches and hacking, third party CDN and application provider networks, etc.

to the point above about keepass and other locally stored master files, I have seen where people will LOCALLY ENCRYPT that file, which requires a constant direct LOCAL authentication when it requires access, but if the laptop or local file is compromised then it cannot be used by a third party. This can be done with services as well like the dropbox master file, the dropbox master storage location, etc., which means that even if it is compromised or they choose to turn it over to an authority organization via subpoena that it cannot be recovered or read.

nmenaker May 16, 2011 11:32 am

yes
 

Originally Posted by gfunkdave (Post 16394399)
Did you check the source code of the implementation? Are you certain that it was correctly implemented?

yeah, I remember having a thorough review done by a couple of outside third parties, including the founder of CPS, security engineer from ?filenet? can't remember, they did all the authentication for POS for visa?

Anyway, if I recall there was essentially a small DMZ on the card. the biometric would authenticate with the server and allow access for the LOCAL MACHINE to access the information from the CARD. The local MACHINE would validate the authentication and pass access as "open" to the direct client with a simple user name, which would call up the network share for that user. Then, the user would have to re-authenticate with a password sign on which was simply network based as usual. At first there was a second step to authenticate back to the DMZ of the card but it wasn't really necessary.

or something like that. Losing the CARD was a pain to deal with as everything would have to be rebuilt.

gfunkdave May 16, 2011 12:49 pm


Originally Posted by nmenaker (Post 16395400)
Sure, I didn't mean to infer that LastPass was totally compromised, just that THINGS are getting hacked, companies with credit cards, companies with emails and their associated passwords, etc. It would appear for the time being at least that if one wants to have essentially absolute security for documents, information, privacy, etc., it is best NOT to put it IN THE CLOUD as the cloud (which is just another word for INTERNET IMHO) has been shown to be vulnerable in many different ways. Direct access to servers, colocation breaches and hacking, third party CDN and application provider networks, etc.

Sure, everything is hackable. And local files are arguably no less so. Plus, with local files, what do you do when your hard drive crashes, or if you're using a different computer that doesn't have the file on it? My point is that an online service like LastPass, which from everything I can tell uses well-implemented procedures and standards, is as secure as your master password.

If you want absolute privacy, keep everything in your head and don't write anything down...but what will you do when they send you to Guantanamo? :)


to the point above about keepass and other locally stored master files, I have seen where people will LOCALLY ENCRYPT that file, which requires a constant direct LOCAL authentication when it requires access, but if the laptop or local file is compromised then it cannot be used by a third party. This can be done with services as well like the dropbox master file, the dropbox master storage location, etc., which means that even if it is compromised or they choose to turn it over to an authority organization via subpoena that it cannot be recovered or read.
Sure, fair enough. But nobody can use my LastPass info, since LastPass doesn't have my password. All the encryption/decryption happens on my computer. So it's the convenience of anywhere-access, and the security benefits you ascribe to local-only files. Seems like a win-win to me! :)

Tell you (or anyone) what: anyone who wants to try getting into my LastPass account is welcome to try. PM me for my email address logon. I'll tell you that it's a 9 character password with upper- and lowercase letters and at least one number.

Ilium Software May 18, 2011 1:42 pm


Originally Posted by markwtaylor (Post 16373555)
I use eWallet - can be installed and used on several devices. I have it on all three of my computers, as well as work and on my Android. Been using it for several years and love it.

Thanks for your support, Mark. We really appreciate it!

We also have eWallet GO! ( http://www.ewalletgo.com) It's a great solution for folks looking for a simpler, low-priced solution for storing passwords.

Marc
Ilium Software
www.iliumsoft.com

PS: I'm a real person - not a bot! Not trying to spam anyone here. Just saw Mark's post and wanted to suggest eWallet GO! as well. A lot of folks who don't need all the features in eWallet really like eWallet GO!

BonzoESC May 22, 2011 11:00 am


Originally Posted by gfunkdave (Post 16394399)
Furthermore, I disagree that programs like Keepass are any better. If anyone gets access to your computer and downloads the Keepass file (or if you contract some malware that sends it to someone), then you're vulnerable to the same attack. In fact, you're doubly vulnerable, because you can't simply change your master password. That would only re-encrypt the password file on your computer, not the one that the hackers took.

That's not doubly vulnerable; lastpass sends your computer the same stuff 1password or keepass would store locally, and there's nothing stopping an attacker who gets access to that information from storing it for an offline attack (which would still take thousands of years).

Really, any password manager that allows you to use long and difficult passwords without the fallibility of human memory and randomization is fine. If somebody really wants to get you, they'll always be able to use rubber-hose cryptanalysis, and anybody who wants to just do wanton damage will find other peoples' crappy passwords first.

UALOneKPlus May 22, 2011 11:13 am


Originally Posted by BonzoESC (Post 16429622)
That's not doubly vulnerable; lastpass sends your computer the same stuff 1password or keepass would store locally, and there's nothing stopping an attacker who gets access to that information from storing it for an offline attack (which would still take thousands of years).

Really, any password manager that allows you to use long and difficult passwords without the fallibility of human memory and randomization is fine. If somebody really wants to get you, they'll always be able to use rubber-hose cryptanalysis, and anybody who wants to just do wanton damage will find other peoples' crappy passwords first.

Not only that, if LastPass was free and open source maybe I'd consider it. The fact I have to PAY money to have a private closed source program to store my most sensitive data - no thanks.

Open Source + Free is always best for personal security solutions, unless I'm the developer that developed the program myself and charge people to use it, with my closed source program code.

BonzoESC May 22, 2011 1:24 pm


Originally Posted by UALOneKPlus (Post 16429678)
Not only that, if LastPass was free and open source maybe I'd consider it. The fact I have to PAY money to have a private closed source program to store my most sensitive data - no thanks.

Open Source + Free is always best for personal security solutions, unless I'm the developer that developed the program myself and charge people to use it, with my closed source program code.

KeePass is open-source: http://keepass.info/

Have fun with your auditing!

BadTime May 22, 2011 1:50 pm

Oh about passwords, the IronKey will also generate them for you. Also you can back it up on your computer and also online.

IronKey

moznmar May 22, 2011 1:53 pm

I've been using eWallet for quite some time. It's secure and syncs wirelessly with my iPhone.

gfunkdave May 22, 2011 7:47 pm


Originally Posted by BadTime (Post 16430301)
Oh about passwords, the IronKey will also generate them for you. Also you can back it up on your computer and also online.

IronKey

LastPass generates passwords too.


Originally Posted by UALOneKPlus (Post 16429678)
Not only that, if LastPass was free and open source maybe I'd consider it. The fact I have to PAY money to have a private closed source program to store my most sensitive data - no thanks.

LastPass is free unless you want the mobile apps. Then it's something like $10/year.

RobertS975 Aug 18, 2012 1:45 pm

deleted.... saw the existing recent thread about passwords
