Monday, June 23, 2014

The Truth About Your Password Security

Joe Siegrist of LastPass: The Truth About Your Password Security


By Ryan Dube
After NSA surveillance, the Heartbleed threat, and hacking attempts against financial institutions, are you feeling like the digital world is falling down around you? Joe Siegrist, the CEO of LastPass, is here to set the record straight on what all of these threats really mean for your password security.
Here at MakeUseOf, we often alert readers to the latest security threats, both on the Internet and within their own computer systems. That has included full coverage of the Heartbleed bug, the Windows technical support scam, and many other computer viruses and threats.
So what can you do to stay safe? The common advice, such as what Christian offered as part of the Heartbleed solution, is to change your passwords. But is this enough, and can a password service like LastPass provide an extra level of security?

An Interview With Joe Siegrist

When anyone first hears of the LastPass service, it seems a bit counter-intuitive. How can it be safer to store your passwords inside of a browser add-on, right on your computer? Wouldn’t this be more of a risk, since your computer could get hacked and those passwords stolen?
The reality is that password security is complicated, because your password goes through many levels of transmission when you log into any online service. In this interview, we sit down with LastPass CEO Joe Siegrist to discuss these sorts of issues and how LastPass – and similar password management apps – deal with those security risks.

MUO: First – can you describe a little bit about what inspired the creation of LastPass? How did it all start?
Joe: I used to work in Internet telephony as the CTO of Estara, and we did a lot of security there. We had to figure out how to do key exchange and how to do it securely. I left with four of my best friends, and we wanted to work together again, but couldn’t do anything in VoIP telephony. We had used complicated techniques like tiered passwords and utilized an encrypted file to store them, but as we asked around to find out what everyone else did and learned that they used the exact same password for everything, we knew we could help them.
MUO: When people think about storing their passwords inside of a browser add-on, it actually feels less secure, because the browser or computer can get hacked. Is this a misconception? Why is the LastPass safer than other options out there?
Joe: If you’re using your browser’s password manager, there’s a good chance that any malware coming along could pull your passwords — LastPass does this, so could any other software. With LastPass, your exposure is far more limited, because you have less risk when logged into LastPass and nearly no risk when logged out.

Heartbleed And LastPass

MUO: Heartbleed affected encrypted logon transmissions for millions of users across the Internet. Do I understand correctly that this even affected LastPass users? What did LastPass do to respond to the threat posed by Heartbleed?
Joe: We were affected — our web servers utilized OpenSSL as well, but because LastPass has a second layer of protection, we were in a far better position than 99% of companies impacted. This is because sensitive data never hits our servers directly, it’s always encrypted first, and then SSL is a secondary layer of protection. Peeling back a layer of protection is bad — but not nearly as bad as peeling back the ONLY layer of protection for 99% of impacted sites.
We first realized that people needed to know what sites were impacted, and if companies had taken the right steps to protect themselves, so we made an overall test page. People could find out if it was safe to change their passwords and if the site had updated their SSL certificates. This was a free tool available for anyone, even if you weren’t a LastPass user.
For LastPass users, we have a security check that looks for all vulnerable sites. It tells you exactly which ones they are, how old your password is, if you should go change those passwords, and when it’s safe to do so.

The Hacking Of EBay And Spotify


MUO: Recently, eBay’s servers were hacked, and hackers were able to obtain personal user information like emails, addresses and birthdays. Can you share whether LastPass users would have been more affected or less affected by this than other eBayers? Are there special concerns or actions LastPass users should take in response to the eBay security breach?

Joe: LastPass users were affected much less than others. If they utilized different passwords for every site (like our prompts, and security check pushes), they would have contained their risk quite a bit. The risk of identity theft is still there, but you don’t have the problem of that password being cracked (and they will be cracked) and then utilized on other sites.
MUO: At the end of May, Spotify announced unauthorized access to its systems, where one user’s data was accessed, but that it didn’t include password or financial information. Should LastPass users take any special actions in relation to their Spotify password?
Joe: Where there’s smoke, there’s typically fire, so be cautious and just change your password — no harm in changing it beyond the 30 seconds it takes to do it.
MUO: Do you think LastPass offers any unique protections from these sorts of threats?
Joe: I’d advise LastPass users to use multi-factor authentication on your LastPass, and random passwords on all your sites. When you take these steps, you can’t be phished because you can’t accidentally give out passwords you don’t know!

Additional Steps To Secure Passwords

In the past, MakeUseOf has covered both the free version of LastPass, and reviewed LastPass Premium. Some other password managers we’ve covered before included Chris’s review of Dashlane, Kyle’s review of the KeyDb portable manager, and Dave Drager’s roundup of the best password managers available (including LastPass).
As Joe explained, when you’re shopping for a password manager that truly protects you from serious threats like Heartbleed and hacking attempts, the key things to look for are multiple layers of security (your data encrypted before it is sent, with SSL as a second layer) and protections like multi-factor authentication on the login to the password manager itself.
Most importantly, the ideal solution is to keep a completely different password for every single site or service you use. That, of course, is the key benefit that password management services like LastPass offer: you don’t have to remember every one of those passwords in order to stay safe.
Do you use LastPass or some other password management service? Does it make you feel more secure in the face of all of these security threats? Share your own thoughts in the comments section below!
Image Credits: Bank Vault Door Via Shutterstock Source: www.makeuseof.com

1 comment:

Norman Sweeney said...

Hi,
very nice article about LP. I used it for 2 years, but finally I tried another manager. Now, I manage my passwords with Sticky Password.
http://www.stickypassword.com/features/cloud
