Password best practices and the LastPass hack
Project Manager at Ford Motor Credit Company
13 Sep 2015 • 0 likes • 820 views
This presentation looks at the best practices for password security, and shows why LastPass is still one of the best tools for keeping you safe on the Internet.
2. What Are Best Practices
● There is a lot of confusion here
● Average users don't have the right priorities
● Look to the pros
● http://arstechnica.com/security/2015/07/what-amateurs-can-learn-from-security-pros-about-staying-safe-online/
3. Average Users' Top Practices
● Use Anti-Virus Software
● Use Strong Passwords
● Change Passwords Frequently
● Only Visit Web Sites They Know
● Don't Share Personal Information
4. Pros' Top Practices
● Install Software Updates
● Use Unique Passwords
● Use Two-Factor Authentication
● Use Strong Passwords
● Use A Password Manager
6. Average Users Do Odd Things
● Change Passwords Frequently
● Only Visit Web Sites They Know
7. Changing Passwords Frequently
● OK, in their defense IT departments insist on this, but it makes no sense
● For what attack vector is this a defense?
● This is actually an example of how silly best practices frequently are
8. Only Visit Web Sites They Know
● Makes the Web virtually unusable
● With link rot they will soon run out of sites to visit
● The only things left to visit will be Google and ESPN
9. Look at the Pros again
● Install Software Updates
● Use Unique Passwords
● Use Two-Factor Authentication
● Use Strong Passwords
● Use A Password Manager
10. Install Software Updates
● This is number one on the Pros' list
● But many average users resist doing this
● It is OK to look at patches and triage them, but security patches should be installed unless you know very well what you are doing
● Most average users should automatically install them
11. Two-Factor Authentication
● This provides excellent security as part of a program
● But it requires just a little more effort
● I like solutions that push something to my phone to grant access
● Duo Security is one excellent solution
12. Strong & Unique Passwords
● These are two separate practices, but they work together to provide security
● Strong means long passwords with high entropy
● These are inherently difficult to remember
● The average user will never do this if it means memorizing
13. Use A Password Manager
● The only way most users can have strong and unique passwords is to use a Password Manager
● LastPass is one that is excellent
● But it was hacked recently
● https://blog.lastpass.com/2015/06/lastpass-security-notice.html/
14. Game Over for LastPass?
● I don't think so
● Security is a layered process
● You cannot with certainty prevent any intrusion
● The question is how you handle it
● LastPass handled it well, in my opinion
15. What They Said
“In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.”
16. So Why Are They OK?
● First, they segregated their network
● User password vaults were never accessed
● Contrast with Sony, where once the North Koreans got in, they had access to everything
● This is a key security practice
17. Things They Had To Store
● Password Hint
● E-mail addresses
● Per-user password salts
● Hashed password values
● Encrypted database
18. What The Intruders Did Not Get
● Encrypted database – This was on a separate network segment
● This means an intruder would need a second successful attack to get the actual useful data
● If an intruder has for example a 1% chance of being successful, the joint probability of being successful in both attacks is 0.01%
● The actual percentages may be lower
19. What They Did Get
● E-mail addresses
● Password Hints
● Per-user Password salts
● Hashed password values
20. Why Is This Not So Bad?
● To really understand this you need to think about the threat model and how security measures mitigate the threat
● As Bruce Schneier always says, the counter-measure needs to work against the threat you have identified
● See my article Sensible Security: The Schneier Model at http://www.zwilnik.com/?page_id=577
21. What Is The Threat?
● If the NSA was behind the intrusion and they have specifically targeted you as a “person of interest” you might be at risk here
● But realistically, if they are specifically going after you, your LastPass account is the least of your worries, and you should be studying Edward Snowden like a rabbi studies scripture
● The threat I worry about is someone trying to grab a bunch of passwords for criminal uses
22. This Threat Is Manageable!
There is a story about two campers who hear a bear
searching the campsite. One of them looks for sneakers to
run away. The other one says “That is no use, you can't
outrun a bear.” And the first one says “I know, but I only
have to outrun you!”
23. Security Is Comparative
● So if the NSA is targeting you that is a problem
● But most times you just need to put up a speed bump so that they get other people instead
● That means stopping the most common attacks
24. Salted Hash
● This is your first level of defense
● It adds a random number to your password before it is hashed
● This “salt” must, perforce, be stored on the same server as the hash
● But, and this is crucial, it gives security against dictionary attacks
25. Dictionary Attacks
● Every known password is in a dictionary
● The dictionary is then hashed
● The hashes in the dictionary are then compared to the hashes in the web site database
● When they match, you know the password
26. How Salts Protect
● When there is a salt added to each password, even if the salt is known and tied to the user, it forces the intruder to create a dictionary for each salt they find
● This is so time consuming that most intruders will not bother
● They are looking for millions of passwords, so they would need millions of dictionaries
● Does not apply to the NSA if they are after you
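The arithmetic behind slides 24 to 26, as an added example that is not part of the slides: a constructed six-word dictionary is hashed once into a lookup table, which matches unsalted SHA-256 hashes with no further work, while random per-user salts force the whole dictionary to be re-hashed under every salt. The word list, the sample user passwords and the use of plain SHA-256 are assumptions for illustration.

```python
import hashlib
import os

# Constructed word list standing in for a cracker's dictionary (slide 25);
# real ones hold millions of entries, which is exactly why salts matter.
WORDLIST = ["password", "123456", "letmein", "qwerty", "football", "dragon"]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def precompute_table(words: list[str]) -> dict[str, str]:
    """Hash the dictionary once, before any breach. Paid a single time for all sites."""
    return {sha256_hex(w.encode()): w for w in words}


def store_unsalted(password: str) -> str:
    return sha256_hex(password.encode())


def store_salted(password: str) -> tuple[bytes, str]:
    salt = os.urandom(16)  # per-user salt, kept next to the hash (slide 24)
    return salt, sha256_hex(salt + password.encode())


def lookups_unsalted(stored: list[str], table: dict[str, str]) -> tuple[int, int]:
    """Returns (users matched, hashes computed): the prebuilt table serves every user."""
    matched = sum(1 for h in stored if h in table)
    return matched, 0


def lookups_salted(records: list[tuple[bytes, str]], words: list[str]) -> tuple[int, int]:
    """Returns (users matched, hashes computed): each salt needs its own dictionary (slide 26)."""
    matched, computed = 0, 0
    for salt, h in records:
        for w in words:
            computed += 1
            if sha256_hex(salt + w.encode()) == h:
                matched += 1
                break
    return matched, computed


def compare_work(user_passwords: list[str]) -> dict:
    """Same users, same dictionary, with and without per-user salts."""
    table = precompute_table(WORDLIST)
    unsalted = [store_unsalted(p) for p in user_passwords]
    salted = [store_salted(p) for p in user_passwords]
    return {"table_size": len(table),
            "unsalted": lookups_unsalted(unsalted, table),
            "salted": lookups_salted(salted, WORDLIST)}
```

With salts the hash count grows as users × dictionary size, which is the "millions of dictionaries" of slide 26; a passphrase that is not in the dictionary costs the full dictionary and still yields nothing.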
27. So, LastPass Did Not Err
● Yes, the salts and the hashes were exposed
● But when you look at the threat model, the use of salts added significant security to protecting people's data
● The hashing algorithm added even more
28. Client-Side Algorithm
● You create a vault
● It is secured with a Master Password
● This password is hashed together with your user name
● The hashing uses SHA-256, an excellent hash
● This is done multiple times, by default 5000, but you can change that
29. Server-Side Algorithm
● The Client-Side process creates a key, which is hashed again and sent to the server
● The server adds a random salt to this key, and then hashes another 100,000 times
● This is your encryption key, and is used to encrypt your password database
● LastPass does not have your key
30. LastPass Does Not Have Your Key
● This is worth repeating
● They really don't have it
● They can't turn it over to the government
● Worst-case scenario, they can turn over the random salt and the hash they have stored
● This could possibly be cracked if the government really tries and you were lazy
31. Losing Your Password
● I have done this experiment
● LastPass really cannot help you if you lose your password
● The best they can do is give you an earlier version of your encrypted database
● This will help if you remember your previous password
● Otherwise, you are SOL
32. Reversing Hashes
● Hashing is a well-defined, deterministic algorithm: anyone who has all of the parameters can reproduce the hash of any password guess and compare it with the stored value
● Adding security means making those parameters hard for your opponent to recover
● Hashing does require resources
● Doing it for millions of passwords is not trivial
33. What Intruders Do
● They get the database of hashes
● They use a prepared dictionary of passwords that are already hashed
● They run a comparison
● And they get hits
● They don't need to find every password, just enough to be profitable
34. Success Percentages
● In 2013 a widely reported study found that 90% of passwords were cracked with little difficulty
● However, this study used MD5, which even then was not regarded as secure
● But if a database of hashes is done badly, success rates of over 70% are not too difficult
● Your objective is to be in the 30% that are still uncracked when the crackers give up
35. How To Erect Barriers
● Number one is your Master Password
● This is the most important thing to pay attention to
● Length and entropy matter here
● Remember, you only need one!
● LastPass will remember all the other ones for you!
36. Change Defaults
● Remember that LastPass does 5000 rounds of hashing by default
● That is information a cracker can use!
● Change the default to something bigger
● And don't make it a round number: 19,457 is better than 20,000
● The cracker cannot get your password without knowing this, or else calculating every possible number
37. Unique!
● Your LastPass master password should be one you never use on any other site
● A common problem with re-used passwords is that if one site with bad security lets the bad guys get it, they will try it on other sites as well
● Let LastPass remember your Bank password, that is what it is there for
38. What your password does
● Every time you open LastPass you need to login with your Master Password
● Your Client software will then combine that with your user name, and hash it the number of times you specified to get your key
● This is sent to the server, where the known salt is added, and it is then hashed 100,000 times
● Then your password vault is opened
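The client/server derivation described in slides 28, 29 and 38, written out as an added example that is not LastPass's own code: PBKDF2-HMAC-SHA256 stands in for the repeated SHA-256 rounds, the user name is the client-side salt, and the vault key stays on the client with only its hash sent to the server, which is the reading under which slide 30 holds. The round counts follow the slides; the function names, the 16-byte server salt and the sample account are assumptions.

```python
import hashlib
import hmac
import os

# Round counts taken from the slides; everything else here is assumed for illustration.
DEFAULT_CLIENT_ROUNDS = 5000   # slide 28 default, which slide 36 recommends raising
SERVER_ROUNDS = 100_000        # slide 29


def derive_vault_key(master_password: str, username: str,
                     rounds: int = DEFAULT_CLIENT_ROUNDS) -> bytes:
    """Client side: stretch the master password with the user name as salt.
    This is the key that unlocks the vault; it never leaves the client."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               username.lower().encode("utf-8"), rounds)


def login_hash(vault_key: bytes) -> bytes:
    """Client side: hash the vault key once more. Only this value goes to the server."""
    return hashlib.sha256(vault_key).digest()


def server_enroll(login: bytes) -> tuple[bytes, bytes]:
    """Server side at account creation: add a random per-user salt and stretch again.
    The pair (salt, auth_hash) is all the server keeps, and is what the breach exposed."""
    salt = os.urandom(16)
    auth_hash = hashlib.pbkdf2_hmac("sha256", login, salt, SERVER_ROUNDS)
    return salt, auth_hash


def server_verify(login: bytes, salt: bytes, auth_hash: bytes) -> bool:
    """Server side at login: recompute the stored value and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", login, salt, SERVER_ROUNDS)
    return hmac.compare_digest(candidate, auth_hash)


def login_attempt(master_password: str, username: str, rounds: int,
                  salt: bytes, auth_hash: bytes) -> bool:
    """The full round trip of slide 38. A wrong round count fails exactly like a wrong
    password: the same master password with 5000 rounds derives a different key."""
    return server_verify(login_hash(derive_vault_key(master_password, username, rounds)),
                         salt, auth_hash)


if __name__ == "__main__":
    user, pw, rounds = "alice@example.com", "correct horse battery staple", 19457
    salt, stored = server_enroll(login_hash(derive_vault_key(pw, user, rounds)))
    print("server stores salt:", salt.hex(), "auth hash:", stored.hex())
    print("login ok:", login_attempt(pw, user, rounds, salt, stored))
```

Someone holding only the leaked salt and auth hash must pay the client rounds plus 100,000 server rounds for every password guess, and must also know the client round count.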
39. Is This Enough?
● You have a very strong master password
● You have changed the default settings for client side hashing
● LastPass uses a strong algorithm for hashing, SHA-256, not something like MD5 or SHA-1, which are deprecated for any serious security work
● This is all good
40. One More Thing
● There is one more thing you can do to stop anyone getting in
● You can have two-factor authentication for LastPass:
https://helpdesk.lastpass.com/multifactor-authentication-options
● I use Duo Security for mine
● I cannot log in to LastPass without approving it on my phone
41. Conclusion
● Four of the five top strategies used by security pros are addressed by this
– Use Unique Passwords
– Use Two-Factor Authentication
– Use Strong Passwords
– Use A Password Manager
● And that is why I still use LastPass, and pay for a premium account (all of $12/year)