I love LastPass like my own child but......



HA! Total click bait, so for the record, I don't have a child, but hey it just got you here...

 

So as I was walking home from the bar tonight (Intoxicated Warwagon FTW!), I was listening to Security Now. They were talking about the new LastPass vulnerability. On the previous LastPass vulnerability, one of our fabulous Neowin members said this is why we shouldn't be using password managers. To which I responded:

 

"Every application/password manager has vulnerabilities; it's the speed with which they patch which is important."

 

On the last LastPass issue they responded within a day, but this is not what this post is about.

 

This post is about the average user and the benefits they would get for paying for the service. So far LastPass has moved a lot of the paid service over to the free side. The only benefit they would get for paying is two-factor authentication.

 

Not only do most people not know what two-factor authentication is, they would not know how to enable it on their account to take advantage of it if they actually paid for LastPass.

 

They would have to log into LastPass, then go to Account Settings, then Multifactor, and then set up Google Authenticator (or another option for two-factor), all of which could not be done unless they were instructed by someone else how to do so.

 

*Bonus story*

 

So I got a call this week from a customer who was currently using Kaspersky Internet Security. She told me she had (A LOT) about 20 passwords in the Kaspersky password manager (to which I told her I have 480 in LastPass). The funny part was, her (moronic) son went through and changed all of her passwords (for her own sake apparently) .....IN THE PASSWORD MANAGER, not on the actual website.

 

I told her "Oh my god" ... apparently, she had written down "some" of the original passwords.

 

So I hooked her up with LastPass and she loved it. Which is part of the reason for this post. Sure, she could pay for it, but the only thing you get now is two-factor, which the average user probably couldn't figure out how to enable / set up.


7 minutes ago, techbeck said:

hmm, you must have had some good booze

 
 
 

I did, and in case you are wondering:

 

Vodka Diet Pepsi (with the can) x2

Samuel Adams

Vodka Diet Coke (with the can)

Samuel Adams

A tall glass of Buffalo Sweat.

 

At which point the taxi didn't pick up yet again, so I had to walk home about 1.6 miles, contemplating this post.

Glad you think you know about security and you pat yourself on the shoulder for knowing. Let's play a little devil's advocate here: you have a system that has unknown security holes for an unknown amount of time, but when you find out you act upon it. That doesn't fix the other holes in the massive leaking ship, especially when you don't know where or how big.

 

Understand that you are putting the most secret and capable piece of information on a website for ease of access to you. It isn't the speed of repair that concerns me, it is the unknown...what exploits are out there and not uncovered for this secret information that can give people access. If someone finds an exploit and doesn't report it, how long before it gets fixed? Possibly never. It is about acceptable risk, not if the system has holes (it does) and how fast they react.

 


9 minutes ago, sc302 said:

Glad you think you know about security and you pat yourself on the shoulder for knowing. Let's play a little devil's advocate here: you have a system that has unknown security holes for an unknown amount of time, but when you find out you act upon it. That doesn't fix the other holes in the massive leaking ship, especially when you don't know where or how big.

 

Understand that you are putting the most secret and capable piece of information on a website for ease of access to you. It isn't the speed of repair that concerns me, it is the unknown...what exploits are out there and not uncovered for this secret information that can give people access. If someone finds an exploit and doesn't report it, how long before it gets fixed? Possibly never. It is about acceptable risk, not if the system has holes (it does) and how fast they react.

You make a very good point. We only know about issues which are responsibly disclosed.


I've been using LastPass for several years now. And I'm of the belief that if I really like a piece of software and want to continue to use it, I have no problem paying for it or its subscription service. Because if you're using some software for free, like a free VPN, then you're actually the product, because they're making money off your user data.

 

I get both points stated here about taking a risk for convenience and also how great LastPass has been whenever there's been a vulnerability. But the fact is, once you start using the internet, sign up for internet service, open up a web browser, you expose yourself somehow. Passwords are unfortunately the way we log in and verify our identities to these services. So if you want to use a password manager, or write down all your user/pass on a piece of paper and use that, that's up to you. How do you want to mitigate the risk of convenience and privacy? NOTHING IS 100%

 

But it's also so easy to kick a company over vulnerabilities because that's the "troll/internet" thing to do, right. Personally I'd rather judge them on how they behave and act when vulnerabilities are exposed. As far as LastPass is concerned, they acted very fast considering the vulnerability was in their source code. They were very professional, immediately let their users know, posted on all their social media, and replied to Ormandy's tweet. And once they fixed it they acknowledged him and thanked him for making them better. They released what the issue was too. That's impressive when you have many companies that just outright don't care about their customers' satisfaction or the integrity of their products.

https://arstechnica.com/information-technology/2017/04/iot-garage-door-opener-maker-bricks-customers-product-after-bad-review/

 

I always keep my ear open to new security and privacy software and technology. But for service and behavior and what you pay for, LastPass has demonstrated so far that they care about the security of their customers and the integrity of their product.

 

FYI, Security Now! is a GREAT podcast. It's on my "pull list" of podcasts I listen to weekly. If I can make a suggestion for another podcast? https://privacy-training.com/podcast.html These two guys are very serious about privacy because they teach it, but they have some great tips and information about erasing your digital footprint and have interviews with people from Private Internet Access, ProtonMail etc.

On 4/8/2017 at 9:04 AM, sc302 said:

what exploits are out there and not uncovered for this secret information that can give people access. If someone finds an exploit and doesn't report it, how long before it gets fixed? Possibly never.

 

Everyone needs to read this 10 times or more. People freak out over a website leak, but they don't realize what threats they don't know about.

This is true with any software or hardware. It's the nature of technology. The ONLY way to avoid it is to cut yourself off from it, i.e. not posting on Neowin. So if one doesn't want to be a Luddite, it then becomes an issue of how to mitigate the risks and what is acceptable based on an individual's needs for privacy and security.

On 08/04/2017 at 4:15 AM, warwagon said:

HA! Total click bait, so for the record, I don't have a child, but hey it just got you here...

 

So as I was walking home from the bar tonight (Intoxicated Warwagon FTW!), I was listening to Security Now. They were talking about the new LastPass vulnerability. On the previous LastPass vulnerability, one of our fabulous Neowin members said this is why we shouldn't be using password managers. To which I responded:

 

"Every application/password manager has vulnerabilities; it's the speed with which they patch which is important."

 

On the last LastPass issue they responded within a day, but this is not what this post is about.

 

This post is about the average user and the benefits they would get for paying for the service. So far LastPass has moved a lot of the paid service over to the free side. The only benefit they would get for paying is two-factor authentication.

 

Not only do most people not know what two-factor authentication is, they would not know how to enable it on their account to take advantage of it if they actually paid for LastPass.

 

They would have to log into LastPass, then go to Account Settings, then Multifactor, and then set up Google Authenticator (or another option for two-factor), all of which could not be done unless they were instructed by someone else how to do so.

 

*Bonus story*

 

So I got a call this week from a customer who was currently using Kaspersky Internet Security. She told me she had (A LOT) about 20 passwords in the Kaspersky password manager (to which I told her I have 480 in LastPass). The funny part was, her (moronic) son went through and changed all of her passwords (for her own sake apparently) .....IN THE PASSWORD MANAGER, not on the actual website.

 

I told her "Oh my god" ... apparently, she had written down "some" of the original passwords.

 

So I hooked her up with LastPass and she loved it. Which is part of the reason for this post. Sure, she could pay for it, but the only thing you get now is two-factor, which the average user probably couldn't figure out how to enable / set up.

I think LastPass even lets you print out your passwords so you can have a hard copy.

 

In any case, nothing is 100% secure; best case is you want to be more secure than the next person, so it's not worth the trouble and they move on to an easier target who is less secure.

 

I wish more sites, institutions and companies would enable 2FA for access.

 

Ah well, a well-meaning idiot is still an idiot.

You can call it trolling, or you can call it conspiracy, or you can call it tin foil hat syndrome. Whatever you perceive it as, you should take into consideration all aspects and act on your knowledge.

 

The simple fact is this: if it has been created by man/humans, it also can be broken by man/humans. Another way to put it is that someone smarter will always come along.

 

Understand that a good portion of my job is security and how to mitigate attack. The only foolproof way to do so is to unplug yourself from the world....obviously that can't really happen if you like ease and want access to information, so then there comes acceptable risk. Whether or not you understand it, you do it daily with where you go and what you access. Many times you think the reward is better than the risk without fully understanding what you have done or are doing (infected porn sites, infected p2p files, etc.); not everyone is nice out there or willing to give you something for nothing....there are some, but few and far between.

LastPass lets you print out all the information (passwords and notes) you have and export it to a CSV file.

 

I agree with your 2FA comment. LastPass does have 2FA as well. But it should just be standard for any site or app that requires a user and pass.

This is why I migrated to Enpass; my encrypted password DB is stored only on Dropbox behind 2FA.

All the app does is interface with the DB and stores nothing on the company's servers.

18 hours ago, Anibal P said:

This is why I migrated to Enpass; my encrypted password DB is stored only on Dropbox behind 2FA.

All the app does is interface with the DB and stores nothing on the company's servers.

I've considered Enpass after reading a good critical review about it. There is something appealing (security wise) about not having my encrypted passwords anywhere else but my own personal computer. But once I go down that road of thinking, I always wonder what the risks are of having my computer stolen or destroyed versus LastPass servers being hacked.

Plus I don't have a Dropbox account and would have to create another online profile. But it's still going to stay on my radar. It's always good to have a backup plan, right?

5 hours ago, LoboVerde said:

I've considered Enpass after reading a good critical review about it. There is something appealing (security wise) about not having my encrypted passwords anywhere else but my own personal computer. But once I go down that road of thinking, I always wonder what the risks are of having my computer stolen or destroyed versus LastPass servers being hacked.

Plus I don't have a Dropbox account and would have to create another online profile. But it's still going to stay on my radar. It's always good to have a backup plan, right?

 

It can be set to sync with most cloud services and ownCloud.

Plus, what are the odds your computer actually gets stolen?

7 hours ago, Anibal P said:

It can be set to sync with most cloud services and ownCloud.

Plus, what are the odds your computer actually gets stolen?

That's true, but that's something to consider if you're going to store something locally. What if my home gets broken into and my laptop is stolen, my home catches fire, etc.? If I have my passwords stored in a cloud service like LastPass then it's not something I have to worry about. The same with creating a Dropbox account: it's a cloud service, and the backing up locally thing just becomes another step to manage. I'm curious what the chances are statistically that your personal information would be in a massive database hack versus you getting your laptop stolen from home, school, work, your car, and from just plain 'ol human stupidity? The more I think about it, I think it really just comes down to an individual's own security and privacy needs. Are you a single person or married with children? If something happens to you, will your significant other need access to your passwords for banking, insurance etc.? Or do your passwords mainly consist of things that aren't financially important?

 

I'm sure this was a longer than expected reply, sorry lol. I just really enjoy talking about security and privacy stuff, get my geek on!

I work in security too; we are red team and blue team for large enterprise/government and nearly every single one of us uses LastPass. We have CISSPs, QSAs, CISMs, CEHs, and we all still trust LastPass. It has a fairly secure encryption method, and the last vulnerability was with the web browser apps, not with the vault itself.

It boils down to trust and risk.

 

Long story short, yes, I also work with security a ton, and I trust LastPass.

 

For those of you who don't trust LastPass - why? Think about it this way -- if you are employed, you probably have some sort of directory management, probably Active Directory. Within that construct, you also probably have domain administrators. Do you think they don't have access to your password? They don't. They are hashed in a protected database, and that's not even something set up like LastPass, which is designed to be even more secure. You have to give up some level of trust no matter where you place it -- for some it's a Dropbox account, but who has access to Dropbox? How protected is that? If you put Enpass on a Dropbox folder, you might not be notified of someone downloading your database and then taking their sweet, sweet time bashing into it offline.

 

You know, minor stuff like that.

 

To my knowledge, LastPass has been hacked in concept but never with any user exposure (proof of concept). Dropbox has actually been hacked with privileged data exposed, including passwords. So, there's that. Consider where you place your critical data, folks.

I use LastPass with two-factor authentication. I enable two-factor authentication for as many sites as possible, and I try to avoid daisy-chaining accounts together.