Saturday, April 24, 2010

The Skinny on LastPass

One of the people I do odd jobs and random tech consulting/work for asked me a question about LastPass, and I figured that I should post it here for everyone to see.

The security that LastPass adds falls mostly under user awareness and best practices. Its premise is that it is easier for a user to remember one password that meets the recommended requirements (more than 14 characters, including uppercase, lowercase, symbols and special characters) than to manage a separate password that meets those complexity requirements for each of many services.

This mostly protects you from people trying to get into your accounts by what is commonly referred to as 'bruteforcing'. You may already be familiar with it: someone uses either a dictionary/wordlist attack or a pure brute-force search to guess your password and log in to your account(s). These people will have found your login name or username somewhere else on the internet and are trying to gain access remotely.
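To make the two points above concrete, here is an added example (mine, not code from the post or from LastPass) that checks a password against the stated complexity rule, estimates the size of the pure brute-force search space, and does a simple wordlist check. Tracking digits as a separate class and the tiny constructed wordlist are my assumptions.

```python
import math
import string

# Policy as the post states it: more than 14 characters, with uppercase,
# lowercase and symbol/special characters present. Digits are tracked as a
# class too (my assumption) because they widen the brute-force alphabet.
MIN_LENGTH = 15

CLASSES = {
    "uppercase": set(string.ascii_uppercase),
    "lowercase": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}
REQUIRED = ("uppercase", "lowercase", "symbol")

# Constructed three-entry stand-in for a real attacker wordlist.
WORDLIST = {"password", "letmein", "qwerty"}


def missing_requirements(password: str) -> list[str]:
    """Return the requirements the password fails; an empty list means it passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"length < {MIN_LENGTH}")
    chars = set(password)
    for name in REQUIRED:
        if not chars & CLASSES[name]:
            failures.append(f"no {name}")
    return failures


def search_space_bits(password: str) -> float:
    """log2 of the number of candidates a pure brute force must try, taking the
    alphabet to be the union of the classes the password actually uses."""
    chars = set(password)
    alphabet = sum(len(members) for members in CLASSES.values() if chars & members)
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def in_wordlist(password: str, wordlist: set[str] = WORDLIST) -> bool:
    """Dictionary-attack check: strip the digits/punctuation people bolt onto a
    word and compare case-insensitively, so 'Password1!' still matches."""
    core = password.lower().strip(string.digits + string.punctuation)
    return core in wordlist


if __name__ == "__main__":
    for pw in ("Password1!", "Correct-Horse-Battery!"):
        print(pw, missing_requirements(pw), round(search_space_bits(pw), 1),
              in_wordlist(pw))
```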

An attacker who is already on your box can MITM (man-in-the-middle) your browser, install a keylogger, or mine data from your machine to obtain your LastPass password, so in the case of malware (like the Zeus Bot Agent) or a virus on your computer, LastPass gains you absolutely nothing. Once your computer is compromised, it's game over.

My personal advice is to write down your passwords on a piece of paper that you keep on your person, or to put all of your passwords into an encrypted file or drive.

Once again, security is not nearly as complicated as most people think. Follow these best practices to help protect your passwords, accounts and digitally stored personal data:

1. Use strong passwords EVERYWHERE (you can check your password strength here: https://www.microsoft.com/protect/fraud/passwords/checker.aspx).
2. Do not keep a "passwords.txt" or "secret" file that can be easily accessed on your computer.
3. Keep your antivirus software up to date (both the software AND the signatures).
4. Harden your browser and don't visit sites you don't trust (install NoScript, Adblock Plus, etc., and don't allow scripts to run for advertisement sites or other untrusted sites).
5. Don't allow 3rd-party cookies (unless you use Gmail, in which case you'll have to allow 3rd-party cookies from *.google.com).

As a parting comment, I have heard of numerous penetration tests that have involved LastPass, and in every case the tester was able to gain control of the workstation and get all of the passwords.

The moral of the story is to focus on securing your workstation and following security best practices.
