I advocate using password managers. But users push back, explaining they are cumbersome to use. Up until now, I could not argue that point.
Two things prompted this post. My last article, "Are users right in rejecting security advice," produced a flurry of questions about passwords and the cost of using secure ones. The other has been my quest to find a password manager that users would appreciate. It's not official, but I may have stumbled onto something that will help all of us.

LastPass
Drama aside, I am referring to an app called LastPass. Plain and simple, it is not your usual password manager. For sure it does that, yet it does so much more, such as:
- Configurable form filling
- Several multi-factor authentication options
- Synchronizes across browsers/computers
- Ability to store information notes securely
- Stand-alone applications for mobile devices
Features are important, but if you are like me, understanding everything about an application that is securing my password information tops the list. That's why I inundated Joe Siegrist of LastPass with the following questions. Here's what he had to say:

TechRepublic: What prompted the development of LastPass?

Siegrist: LastPass has four founders who for the past 10 years worked together, creating a sizable Software as a Service business for financial service companies. Two years ago, we were ready for a new challenge. LastPass is the outcome of a need we saw and based on our accumulated experience.
We also got lucky: it would have been difficult for us to work together if Maryland was still playing Penn State in football every year. Loyalty to our alma maters runs deep.

TechRepublic: Could you describe how LastPass works, specifically the interaction between the local LastPass client and LastPass.com?

Siegrist: LastPass installs an add-on in the browser to capture usernames and passwords as you enter them. The captured data is encrypted, saved locally, and sent to LastPass servers. That way access is not confined to just the one computer.

TechRepublic: I understand that LastPass is based on host-proof hosting. Could you please explain what that means and the benefit it provides?

Siegrist: LastPass utilizes host-proof hosting techniques for your most sensitive data (usernames, passwords, site name, group names, notes, field values, all your form fill profile data, etc.). The core concept behind host-proof hosting is that only the client can access the data because it's sent to the LastPass servers in an encrypted form.
The key benefit is a reduction in how much you need to trust LastPass. You can verify that your data is being encrypted locally and, because it is, LastPass employees don't have access to your data on the servers. It also was important to us from a liability perspective. If we never have the plain text data on our servers, it can't be hacked. Also, an employee cannot go rogue and look at this data.

TechRepublic: LastPass uses what is called a salted hash. Could you explain what that is and why using it is important?

Siegrist: There are two problems we considered:
- A majority of websites store passwords as plain text.
- A majority of users use the same password over and over.
Security-conscious Web sites use one-way hashes (a mathematical function that turns input into a long and unrecoverable number) to store password data. That is a good start, but susceptible to computed databases known as Rainbow Tables. To avoid this risk, random data (known as salt) is added to the plain text before hashing. Doing so makes Rainbow Tables useless. LastPass takes this a step further:
- The user's login hash is salted with the username locally.
- The new hash is sent to LastPass servers.
- The hash is salted once again with a random 256-bit number before being stored.
Another advantage is if you have multiple computers. With LastPass, you do not have to worry about reentering the password data on every computer. You simply install the add-on on the other computer and log in.

TechRepublic: I was reading that you made special provisions for people that use public computers. Would you explain what security measures you have added?

Siegrist: Public computers can be a hostile environment. So, we've included ways to mitigate risk:
- One Time Passwords: Allow you to print out a password list and use each once to log in.
- Screen keyboard: Can be used to defeat key loggers.
- Multi-factor authentication options: If the password is compromised there's still another factor protecting you.
- Grid: Our free offering, allows you to print out a set of 260 coordinates and responses. LastPass will challenge you to enter the value of four coordinates to prove you are who you say you are.
- Sesame: Included in LastPass Premium, Sesame allows you to turn a USB thumb drive into a second factor.
- Yubikey: A device that acts as a USB keyboard that outputs a one-time password when activated. LastPass then verifies the password with Yubico's servers. You must purchase this separately and have LastPass Premium to utilize it.
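The two-stage salted hashing scheme Siegrist describes above (login hash salted with the username on the client, then salted again with a random 256-bit value on the server), shown as an added illustration that is not LastPass's own code. SHA-256 as the hash function, lowercasing of the username and the concatenation order are assumptions; the interview does not specify them.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed in-memory stand-in for the server's user table:
# username -> (random 256-bit salt, stored hash). Nothing in it is the password.
SERVER_DB: Dict[str, Tuple[bytes, str]] = {}


def client_login_hash(username: str, password: str) -> str:
    """Step 1 (client): salt the master password with the username and hash it.
    Only this hex digest leaves the user's machine, never the password itself.
    (SHA-256 and the username+password order are assumptions for this demo.)"""
    return hashlib.sha256((username.lower() + password).encode("utf-8")).hexdigest()


def server_store_hash(client_hash: str, salt: Optional[bytes] = None) -> Tuple[bytes, str]:
    """Step 3 (server): salt the received hash with a random 256-bit value before
    storing it, so a stolen record cannot be matched against a precomputed table."""
    if salt is None:
        salt = secrets.token_bytes(32)  # 32 bytes = 256 random bits per record
    stored = hashlib.sha256(salt + bytes.fromhex(client_hash)).hexdigest()
    return salt, stored


def register(username: str, password: str) -> None:
    """Step 2 (wire): the client sends its login hash and the server records it."""
    SERVER_DB[username] = server_store_hash(client_login_hash(username, password))


def verify_login(username: str, password: str) -> bool:
    """Recompute both stages with the stored salt and compare in constant time."""
    record = SERVER_DB.get(username)
    if record is None:
        return False
    salt, stored = record
    _, candidate = server_store_hash(client_login_hash(username, password), salt)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    register("alice@example.com", "correct horse battery staple")
    register("bob@example.com", "correct horse battery staple")
    print(verify_login("alice@example.com", "correct horse battery staple"))  # True
    print(verify_login("alice@example.com", "wrong password"))                 # False
    # Same master password, different usernames: different hashes on the wire.
    print(client_login_hash("alice@example.com", "correct horse battery staple")
          != client_login_hash("bob@example.com", "correct horse battery staple"))  # True
```

A single SHA-256 round is used here only to keep the two stages visible; a deployed client would use a deliberately slow key-derivation function for the first stage.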
- You can setup accounts to share (as "Roles"), and they're automatically accepted by your users.
- When you make a change to a shared account it can be pushed out to your users and accepted automatically.
- Changing passwords on accounts that are shared amongst team members goes from being a chore to invisible.
- Logging allows you to see who is using what accounts, and provides more audit capability when you're dealing with a single account shared amongst multiple people.
- You can also disable and delete accounts if employees leave the company.
- There are also capabilities around automatic provisioning of accounts on login to an Active Directory domain.
LastPass also layers security techniques to mitigate risks. For example, we utilize SSL for data transfer, even though the data is already encrypted. We have automatic throttling of bogus-login attempts, and are innovating on the multi-factor front.

Helpful Web site
I found the LastPass Web site helpful. The numerous videos explain how individual components of LastPass work. They also made installation and configuration a snap. I would suggest reading their privacy statement to allay any concerns.

Final thoughts
LastPass has some competition, but I have not found any other password manager/form filler that automatically syncs between computers and has so many options for multi-factor authentication. Some interesting features currently under development are: synchronizing LastPass and Bookmarks/Favorites, Windows login replacement, and biometric multi-factor authentication.
I'm glad I asked all those questions. I'm also thankful for Joe Siegrist's help in answering them.
Michael Kassner is currently a systems manager for an international company. Together with his son, he runs MKassner Net, a small IT publication consultancy.