background preloader

Password Managers

Facebook Twitter

Bad news! LastPass breached. Good news! You should be OK… Here at Naked Security, we have a variety of views about password managers.

Bad news! LastPass breached. Good news! You should be OK…

Generally speaking, we're in favour, because password managers are tools that generate and store a list of different, hard-to-guess passwords for all your websites and online accounts. That means that if you're the kind of person who has hundreds of passwords, or who struggles to memorise even a few wackily long and mixed-up passwords, or both, password managers can be a huge help. With a password manager, you don't end up with repetitious and guessable passwords like mikenyt, mikeicloud and mikegmail for your New York Times, Apple and Google accounts respectively. Instead, the password manager makes up phrases like OLr9Ia7iJZgt, mz8mE;Vbnf4DVtm0 and JDYUG=mzGrSW.8j.

Better yet, it enters those passwords for you into the right web pages, so there's no extra hassle caused by typing in weird-and-wacky text. The downside of password managers LastPass breached That's the bad news. Not all bad But here's the good news. A native KeePass app for Mac – Blog post - Simon Fredsted’s blog. Password storage is incredibly important to me.

A native KeePass app for Mac – Blog post - Simon Fredsted’s blog

Since I began seeing friends and others get their identities and online lives taken away because of reusing and/or using weak passwords, I started taking password security extremely seriously. When I chose the utility to use for this, I had a couple basic requirements. It had to be open source, for obvious reasonsI had to be able to access my passwords on all my devices (iPad, iPhone, MacBook, workstation) Things like 1Password and Lastpass didn’t fullfill the first requirement, although very handy because of browser integration and the mobile apps. How can I be sure Lastpass really can't access my passwords? Some of these answers are pretty dated, but the subject is important enough that I think it merits revisiting.

How can I be sure Lastpass really can't access my passwords?

LastPass assertion is that they offer a Zero-knowledge proof implementation - i.e. the encryption happens client-side (with the password being the key) and that they, presumably, cannot decrypt the data even if they wanted to. If they're served with a warrant or court order they'll be obliged under law to hand the data over, but it would still be in encrypted form, and then it's up to the respective investigators' supercomputers (or modest GPU array) to crack that. In this regard it's fundamentally no different than storing a KeePass DB in DropBox (which I've seen more times that I care to mention) That being said.... LP have recently released the source for their CLI client: It's now up to us to do the peered code-review, so as to validate their claims match up to what's delivered. Security Now 256: LastPass Security. The Last Password You Have To Remember.

YubiKey Authentication « LastPass User Manual. A YubiKey is a key-sized device that you can plug into your computer’s USB slot to provide another layer of security when accessing your LastPass Account.

YubiKey Authentication « LastPass User Manual

YubiKeys are a secure, easy to use, two-factor authentication device that are immune from replay-attacks, man-in-the-middle attacks, and a host of other threat vectors. YubiKey support is a Premium feature, and the device must be purchased through Yubico.com for $25. Up to 5 YuibKeys can be associated with one LastPass account.

Pocket « LastPass User Manual. LastPass Pocket is a stand-alone application (available for Windows, Mac OS X and Linux) that can be installed on a USB memory device, allowing you to carry your LastPass data around with you.

Pocket « LastPass User Manual

Pocket provides backup capability and offline access for your Vault. If you would like a mobile version of LastPass that has full functionality, we recommend LastPass Portable. Since you can always access your LastPass data via the plugin or website, LastPass Pocket is intended to be used when you do not have an Internet connection but need to access information for a Secure Note or a Site. Pocket allows you to access all your data from the locally cached and encrypted version of your data on your local drive. KeePass Password Safe. Portable « LastPass User Manual. For users of Windows, Mac, and Linux (Firefox Portable-only), a version of LastPass that is compatible with FireFox Portable (Firefox 2.0+) and Chrome Portable (Chrome 4+, Windows and Linux only) can be installed on your USB thumb drive.

Portable « LastPass User Manual

If you frequently use public or untrusted computers, the Portable option is an ideal way to securely access your LastPass Vault. Downloading Portable Apps To download the Firefox Portable or Chrome Portable browser(s), simply visit the PortableApps.com site and download the application(s) for free. After clicking the ‘Download’ button from the application’s page, you can save the file onto your computer and run the installer. Store the file somewhere memorable on your computer, such as your Desktop. Downloading LastPass Portable Now that the portable application has been successfully downloaded and installed, open the file and run the browser.