Stop Trying To Kill The Password

I’ve seen a lot of reports in the last year that have been prompted by the massive password dumps on major websites. The focus of these reports has been about ‘killing passwords’ and replacing them with new technology. The thing is, passwords are actually great, and they don’t need to go anywhere.

First of all, passwords simply aren’t going anywhere. You’re not going to reinvent every website’s authentication – we can barely convince sites to stop storing passwords in plaintext, or to use something other than MD5, so you’re absolutely not going to convince anyone to change their entire authentication method from the ground up.

On top of that… there’s just nothing wrong with passwords. Passwords on their own are kind of awesome and, if used properly, way beyond most attacks. If you were to come up with a completely random 16-character password, you could rest assured that for the next wonderful couple hundred million years of your life you wouldn’t have to worry about anyone bruteforcing it.

The problem is that remembering something like L10F!E4d1I4U8Nhr is difficult, and remembering a unique password for every site is even harder, given that most people have at least a dozen websites that they log into.

So should we dump the password? Definitely not. We should instead move to password management systems, like LastPass, and implement two-factor auth on critical websites. This should have a very small effect on usability while having a very significant effect on security.

With a password manager like LastPass you don’t have to remember any of your passwords, so there’s no reason for you to use the same password twice, or to use something easy to remember – you can very easily use 16-character random passwords for every site you visit. The only password you have to remember is your master password, and that’s the ‘point of failure’ that needs to be addressed.

Addressing master password security is actually not so difficult. LastPass deals with it in two ways.

1) PBKDF2 rounds make bruteforcing far less useful, with a default of 5,000 and an incredibly high maximum of 256,000. That means every single password guess costs ~5,000x as much as computing a single hash. You can raise this number significantly to make even weaker passwords far too difficult to bruteforce.

2) Two-Factor Authentication means that even if an attacker has compromised your password they still need access to a physical device that’s used for authentication, such as an Android device, or a piece of paper.

So bruteforcing the master password just isn’t practical anymore, if you use even a slightly strong password with PBKDF2 and 2FA.

LastPass is dead easy to use, you can access it anywhere with an internet connection (or use the Android app, which is great), and it solves users reusing passwords, users choosing weak passwords, and other issues.

Of course, websites themselves should always assume the worst. They should always use PBKDF2 or bcrypt, and websites that store critical information should use two-factor auth as well. But on the user’s end of things, a password manager solves most issues.

So rather than scrap the most basic authentication mechanism used everywhere, just harden it. It’s not difficult.

LastPass Security Challenge

So I was checking out the LastPass website to see what I can learn. I stumbled across the “Security Challenge” – a series of tests run on your passwords to test their ‘strength’, if you have duplicates, and a few other things.

I’d actually forgotten how many websites I used the same password for (old, old accounts from pre-security-conscious days), and often a really short one.

I went through, and after about 20 minutes I’d removed all duplicates and significantly upped the average character count for breaking into any single account.

I suggest anyone using LastPass runs the benchmark and sees how good they’ve been.


Here’s what I’m up to. I wouldn’t take the score too seriously, it seems like the more passwords you have the more secure you are, which is silly. Just go through and make sure you’ve got no duplicates and a decent average length.

Get Free LastPass Premium (for both of us!) for one month with this link: https://lastpass.com/f?420446

LastPass – Secure Password Storage And Syncing

If you’re using a modern browser you very likely have some kind of sync option, so that when you log in you’ll have all of your passwords no matter which computer you use. This is great, but the security issues that go along with syncing your passwords, the keys that unlock every important piece of data, should be apparent. Thankfully Chrome and Firefox handle password syncing very securely, but if you’re looking for an alternative method and the highest level of security possible you might want to check out LastPass.

What Is LastPass?

LastPass is a browser extension that will handle all password autofill, autogeneration, and synchronization for the browser. It encrypts the data locally, then transmits it through asymmetric encryption, and then encrypts it again server side. Your master password is never transmitted and it handles it in a cryptographically secure way (PBKDF2 stretching with SHA-256 and 500+ rounds, along with AES).

See this post on how to create a strong password before reading further.

How Do I Set LastPass Up?

Installation is easy.

https://lastpass.com/misc_download.php

That page will show you the extension you can download.

Once it installs you should be greeted by a page that asks for an email (provide one you actually check) and a master password. See this post on password generation.

It will also ask for a password reminder. I highly suggest you don’t bother with this. Enter gibberish if you’d like. It’s much more important to actually create a memorable password than to give a reminder that will provide valuable information to an attacker. If you feel it’s necessary, make it as vague as possible.

After that’s done it’s a matter of:

1) Entering usernames/passwords (you can automate this on Windows with the binary extension.)

2) Deleting the passwords from your browser and disabling password sync.

Once you’ve done this I suggest you go to your LastPass ‘Vault’ where you can change a few settings.


You’ll see “Increase Iterations” and I suggest you change it to 1,000. Any higher and some mobile devices/very old systems won’t handle it. I’ve found I can go as high as 25,000 before my single-core CR-48 slows down when I enter the MP. If you don’t use a mobile phone or anything weaker than a 1.6GHz Atom you might want to try higher than 1,000 rounds.

What increasing the iterations does is slow down bruteforcing: every guess an attacker makes against your master password has to repeat the same work. It’s one of the best features of LastPass, as you can increase it to as high as 100,000 rounds.
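To make the iteration-count argument from the first post and from this one concrete, here is an added example (not LastPass’s own code, which is not public here) that stretches a constructed sample master password with PBKDF2-HMAC-SHA256 at several round counts, verifies a guess against the stored key in constant time, and works out how the per-guess cost scales into worst-case bruteforce time. The password, salt, and the 62-character/8-length keyspace are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time

# Constructed sample inputs: a hypothetical master password and a random salt.
# (A real vault stores the salt next to the derived key; it is not secret.)
MASTER_PASSWORD = "example-master-password-DO-NOT-USE"
SALT = os.urandom(16)


def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 key stretching with a 32-byte output.

    Each round is one HMAC call, so a guess at `iterations` rounds costs
    roughly `iterations` times what a single unstretched hash would cost.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=32)


def verify(password: str, salt: bytes, iterations: int, expected: bytes) -> bool:
    """Check a password attempt against the stored key without a timing leak."""
    return hmac.compare_digest(derive_key(password, salt, iterations), expected)


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Best-of-N wall-clock cost of one derivation at this round count."""
    best = float("inf")
    for _ in range(samples):
        start = time.perf_counter()
        derive_key(MASTER_PASSWORD, SALT, iterations)
        best = min(best, time.perf_counter() - start)
    return best


def seconds_to_exhaust(charset_size: int, length: int, per_guess: float) -> float:
    """Worst-case time to try every password of the given shape, single core."""
    return (charset_size ** length) * per_guess


if __name__ == "__main__":
    stored = derive_key(MASTER_PASSWORD, SALT, 5000)
    assert verify(MASTER_PASSWORD, SALT, 5000, stored)
    assert not verify(MASTER_PASSWORD + "x", SALT, 5000, stored)
    for rounds in (500, 5000, 100_000):
        t = seconds_per_guess(rounds)
        # Assumed keyspace: 8 characters drawn from 62 alphanumerics, no GPU.
        years = seconds_to_exhaust(62, 8, t) / (365 * 24 * 3600)
        print(f"{rounds:>7} rounds: {t * 1000:8.2f} ms/guess, "
              f"~{years:,.0f} years to exhaust 62^8")
```

The absolute numbers depend entirely on the CPU running it; the point is the linear scaling from 500 to 100,000 rounds, which is the same multiplier an attacker pays per guess.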

I don’t really mess with the other settings, they’re fine by default. Feel free to check them out though and tweak to your liking. If you think I’ve left out a key feature just leave a comment and I’ll edit it in.

And that’s all there is to it. LastPass will now save, autofill, and sync your passwords. It’ll even make suggestions for new passwords.
