How to protect your online identity using ‘LastPass’ password manager


Recently, I’ve decided to take upon myself a daring new mission – to help those reading my blog to achieve relaxation and peace of mind. You might think I’m planning to instruct you in Yoga or meditation, or perhaps help you obtain prescription medicine or drugs of some kind, but I’m actually talking about the peace-of-mind that you’ll find, when your online identity is protected and your data is securely backed-up.

This mission will be broken into a series of posts starting with this one, which will focus on protecting your online identity. First, let’s begin by understanding the subject.


Identity Theft Background
You might be asking: what does it mean to have your online identity stolen? Which services does it affect?

  • Email – A hijacked email account locks its true owner out. All the contact information and correspondence with friends, family and co-workers may be lost forever. If the account is Gmail, every other Google service tied to it, such as Picasa, Google Docs and Google Talk, is compromised too, along with whatever is stored in them. Not only has the owner lost access; the attacker can pass that information on to whomever he likes, whenever he likes.
  • Facebook – A hijacked Facebook account means that all your friends, family members and co-workers are now in contact with an attacker instead of you. He can exploit this in many ways: he might talk your Facebook friends into giving him information they would only give you as their friend, or, out of spite, damage your relationships by posting obscenities, lies or private correspondence he pulled from your email account. Those of you who use Facebook as a photo archive risk having the attacker delete all your cherished photos.
  • Online Banking – Obviously, one of the most damaging aspects of having your online identity stolen is having your finances open to attack. If you, like many, switched to online banking, supplemented perhaps by PayPal, the hacker now becomes a thief as well, making money transfers or buying goods online. You can and should expect the worst of an unscrupulous attacker.
  • VoIP services – Using Skype, Jahjah or countless other VoIP services exposes you to further dangers. First, many VoIP services are linked to your credit card, and the attacker can run up your phone bill. Second, he can use your contact list and assume your identity for fraud. Third, as with Facebook, he can wreak havoc on your relationships.

Those are just a handful of the consequences you face when you fall victim to online identity theft, but I guess that’s enough of me “scaring the shit out of you!”.
In order to achieve peace of mind, you need to understand how most identity thefts happen and what you can do to be protected.
Let me reassure you: although there are numerous ways to steal your identity, most of you are exposed to only a couple of them, and the solution is simpler than you might think.

Example – The ‘Homeless’ Saga
Let’s take as an example a well-known attack that was exposed a while ago. An Israeli real-estate site called ‘Homeless’, which helps users rent, buy and sell properties, was hacked by Turkish hackers, and around 40,000 registered user accounts were compromised. Many of those users probably had their identities stolen too.

The hackers retrieved from ‘Homeless’ a list of user accounts, which included both the email addresses and the passwords used to log into ‘Homeless’. Homeless’s first mistake was allowing their website to be hacked and their database to be stolen. Their second mistake was keeping users’ passwords in clear text, rather than keeping only a salted, slow hash of each password (PBKDF2, bcrypt or scrypt), from which the original password cannot be recovered and which has to be guessed one candidate at a time. Keeping passwords in clear text means that anyone who gains or already has access to the database, from hackers to company employees, can simply read your password. There is really no excuse for this bad practice, but unfortunately many companies do exactly that! One way to find out whether a given online service does it is to start a password recovery process. If the system emails you back your existing password, the service stores it in clear text (or reversibly encrypted), and that is a red flag. What you are looking for is a system that does not know your password and therefore cannot send it back; such a system issues a reset link or a new temporary password instead.

So how does learning your email address and password from one site enable a hacker to steal your identity? The answer is pretty simple: most users use only a few passwords for all their online services, and usually those are all variations of the same base password. Once the hacker has those details, he will first try them against your email account, from which he can usually gather more information to break into other services. First, he will look for registration emails containing more login details. Second, he can run password recovery for any service tied to that email account, since the reset links land in a mailbox he now controls. Even if he does not find more passwords in your email, he can find the usernames of your online services from registration mails and try the one password he already has. If it does not match, he will try variations of it, and as many of you know, that will get him into a lot of your accounts.
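The following is an added example, not code from the original post or from any of the sites it mentions. It replays the two points above with constructed data: a site that stores passwords in clear text hands the attacker every credential the moment its database is copied, while a site that stores only a salted PBKDF2 hash reveals nothing readable; and, independently of how well the second site hashes, any user who reused the leaked password is still logged into by the attacker. The email addresses, passwords and iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample accounts (not real users): both reuse one password on two sites.
USERS = {"alice@example.com": "Winter2009!", "bob@example.com": "bobby123"}


class ClearTextStore:
    """The 'Homeless' mistake: the database row holds the password itself."""

    def __init__(self):
        self.rows = {}

    def register(self, email, password):
        self.rows[email] = password

    def verify(self, email, password):
        return self.rows.get(email) == password

    def dump(self):
        """What an attacker or insider sees once the database is copied."""
        return dict(self.rows)


class HashedStore:
    """Stores only a salted, iterated hash (PBKDF2-HMAC-SHA256), so the service
    can check a password but never learn it or email it back to you."""

    ITERATIONS = 100_000  # assumption; slows down offline guessing against a stolen dump

    def __init__(self):
        self.rows = {}

    def _derive(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, self.ITERATIONS)

    def register(self, email, password):
        salt = os.urandom(16)  # per-user random salt: identical passwords hash differently
        self.rows[email] = (salt, self._derive(password, salt))

    def verify(self, email, password):
        if email not in self.rows:
            return False
        salt, stored = self.rows[email]
        # constant-time compare avoids leaking how many bytes matched
        return hmac.compare_digest(self._derive(password, salt), stored)

    def dump(self):
        return {email: (salt.hex(), digest.hex()) for email, (salt, digest) in self.rows.items()}


def breach_and_reuse():
    """Replay the chain from the post: a clear-text site is breached, and the
    leaked email/password pairs are tried against a second site that hashes
    properly but whose users reused the same password.

    Returns (leaked_credentials, accounts_that_open_elsewhere, password_visible_in_hashed_dump).
    """
    homeless = ClearTextStore()
    other_site = HashedStore()
    for email, password in USERS.items():
        homeless.register(email, password)
        other_site.register(email, password)  # same password on both sites

    leaked = homeless.dump()  # step 1: the clear-text dump gives passwords for free
    # step 2: credential reuse lets the leaked pairs log in to the other site
    reused = {email for email, password in leaked.items() if other_site.verify(email, password)}
    # step 3: the hashed site's dump, by contrast, contains no readable password
    hashed_dump = other_site.dump()
    exposed = any(
        password in salt_hex or password in digest_hex
        for password in USERS.values()
        for salt_hex, digest_hex in hashed_dump.values()
    )
    return leaked, reused, exposed


if __name__ == "__main__":
    leaked, reused, exposed = breach_and_reuse()
    print("leaked from clear-text site:", leaked)
    print("accounts that open elsewhere with the same password:", sorted(reused))
    print("password readable in the hashed site's dump:", exposed)
```

Note that hashing protects the password only against whoever reads the database; it does nothing for a user who reused that password on a site that did not hash. That is why the fix below is unique passwords per site, not merely choosing sites that store them well.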

Preventing Identity Theft
Now we understand that a broad attack leaves the less wary users, those relying on a few generic and simple passwords, at great risk, while users with many distinct complex passwords are far less exposed. There are other forms of attack, but that is enough about attacks for now. Bottom line: you need to start using a different password for each online service, and each one needs to be complex, what is termed a ‘strong’ password.

O.K. – it’s time for me to make good on my word and help you achieve the promised bliss and peace of mind. What you are going to do is start using password manager software that creates and manages a different, unguessable, strong password for each online service you use. You might think that switching to many strong passwords is impractical and a hassle, but the solution I present here is both simple and hassle-free. To accomplish that, it must meet the following requirements:

  • One-click automatic login – eliminates the need to type the strong passwords you will now use. Without this, typing them manually would be a hassle. Since nothing is typed, a keystroke logger on the machine captures no site password (it can still capture your master password when you type it, so this reduces the exposure rather than removing it). It’s alright if you don’t know what key-loggers are; just be glad this offers more security.
  • Password generator with customization – it’s surprisingly hard to come up with your own complex and random passwords, especially when you need one for many services while conforming to the different length and permitted-character requirements each service imposes.
  • Centralized solution on the web – so you don’t need to worry about backups or syncing issues when using multiple PCs and devices, and it is available wherever and whenever you may need it.
  • Multi-platform – works on any device you throw at it. Supports Windows, Mac and Linux machines, and various mobile devices: iPhone, Windows Mobile, BlackBerry, Android and Nokia’s Symbian.
  • Multiple browser integration – plugins available for whichever browser you prefer: IE, Firefox, Safari or Chrome.
  • Open – allows you to keep an encrypted local backup, so you can always switch to another solution if you wish.
  • Advanced features – Although most of you will not find this relevant, at least not in most situations, I felt it was important that the solution offer advanced features such as multifactor authentication, phishing protection, one-time passwords and portable versions. I will not explain these features in this post, but may dedicate another to them in the future.

LastPass Password Manager
The solution I chose is called ‘LastPass’, and it meets all the requirements listed above, and then some. Most of the product is free, and for one dollar a month ($12/yr) you get the mobile-device applications and the advanced features. I suggest you begin with the free version, which you can easily upgrade later.

How to get started with LastPass password manager ?

  1. Register – Go to https://lastpass.com/create_account.php, or download the installer first, which will offer to register you as part of the installation process. Either way, read the following registration tips first:
    • Email address – register with the email address that you use most.
    • Security question – Choose a security question whose answer no one can find with a little research. You type your own question, so choose something smart. Your dog’s name, your kids’ birthdays or anything of that nature is not good enough. Choose something you can’t forget, because it will be used for password recovery, and they are serious about security, so don’t expect any leniency if you can’t recover your password.
    • Master password – the solution is based on one master password that unlocks your password vault, which contains the login details of all your online services. This password should be complex, but I recommend something you can remember; a long phrase you will not forget beats a short jumble you will. Make sure it has both letters and digits, plus special characters such as ‘@’, ‘$’, ‘!’ and ‘?’.
      LastPass will offer to remember your master password in all its applications, browser plug-ins and extensions, but I recommend that you don’t accept, at least for a while, until you feel the password you chose is engraved in your mind and won’t be forgotten.
  2. Download software
    1. Go to https://lastpass.com/misc_download.php
    2. There are many LastPass plugins and applications, depending on the platform you use. When you choose a platform it will also recommend a plugin for download. On a Windows machine it recommends a universal installer that covers all three major browsers: IE, Firefox and Chrome. Use that, or just download the plugin for the browser you use most.
    3. During the installation, you can either login with the account you created before, or create a new account, if you haven’t done so already.
    4. Importing logins – you may choose during installation to import your previously saved login details from your browser. I recommend doing so, as this list will be a good starting point for changing all your current passwords to new unguessable, strong passwords.
    5. After installation a LastPass button will appear in your browser. Use it to open the LastPass menu, giving you access to your password vault, settings, shortcuts and other features.
  3. Replacing old passwords with strong passwords (View how-to-video instead)
    1. Use the LastPass button in your browser to open the ‘sites’ menu, which lists all the sites you’ve imported. Clicking on a site navigates your browser to that service and logs you in automatically. If you didn’t import your sites during installation, you may do so at any time using the ‘import from’ option under ‘tools’. Select your browser from the list and you’re done!
    2. Start a ‘change password’ procedure.
    3. When you need to enter a new password, if the LastPass header with the ‘generate password’ button isn’t displayed, right-click the ‘new password’ form field on the site and you’ll find the ‘generate secure password’ option under the ‘LastPass’ menu item.
    4. This opens a dialog box with password customization options. Obviously, the longer the password and the more character types it contains, the stronger it is, but you can settle for just 12 alphanumeric characters; that is still far more secure than what you have used until now. For the record, I use 16 characters with both alphanumeric and special characters. (Don’t forget, LastPass fills in passwords automatically, so feel free to create long, complex passwords!)
    5. Press the ‘accept’ button, which fills in the ‘new password’ field, or copy-paste the password into it. I recommend the ‘accept’ button, which also saves the password as a separate entry in your vault, shown as ‘generated password for xxxx’; that helps in troubleshooting scenarios.
    6. Finish the ‘Change Password’ procedure by clicking the site’s corresponding ‘Save’ button.
    7. LastPass will show its header at the top of the page acknowledging that a password has been changed; pressing the ‘Confirm’ button in that header saves the new password for that site.
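The procedure above relies on LastPass’s built-in generator; the following is an added example (not LastPass code, and not from the original post) of what such a generator has to do when a site imposes its own rules: draw every character from a cryptographically secure source, honour a required set of character classes and a minimum length, drop characters the site forbids, and let you compare the strength of the ‘12 alphanumeric’ and ‘16 with specials’ choices discussed in step 4. The special-character set and the policy examples are assumptions.

```python
import math
import secrets
import string

# Character classes a site may allow or require. The 'special' set is an
# assumption; real sites differ, which is why it is a parameter below.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "special": "!@#$%^&*()-_=+[]{};:,.?",
}


def generate_password(length=16, classes=("lower", "upper", "digit", "special"), exclude=""):
    """Return a random password of `length` characters drawn from the chosen
    classes with a CSPRNG (`secrets`, never `random`), containing at least one
    character of every class, with `exclude` removed (e.g. 'O0l1I' for sites
    that reject visually ambiguous characters)."""
    pools = ["".join(c for c in CLASSES[name] if c not in exclude) for name in classes]
    if any(not pool for pool in pools):
        raise ValueError("a required class has no usable characters left")
    if length < len(pools):
        raise ValueError("length too short to include one character of each class")
    alphabet = "".join(pools)
    while True:  # rejection sampling keeps every position uniformly random
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in pool for c in candidate) for pool in pools):
            return candidate


def meets_policy(password, min_length, classes, exclude=""):
    """Check a password against the same kind of policy a site would impose:
    minimum length, one character from each required class, nothing forbidden."""
    if len(password) < min_length or any(c in exclude for c in password):
        return False
    return all(any(c in CLASSES[name] for c in password) for name in classes)


def entropy_bits(length, alphabet_size):
    """Guessing work for a uniformly random password: log2(alphabet ** length)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    alnum = len(CLASSES["lower"] + CLASSES["upper"] + CLASSES["digit"])   # 62
    full = alnum + len(CLASSES["special"])                                  # 85
    print("12 alphanumeric:", generate_password(12, ("lower", "upper", "digit")),
          f"~{entropy_bits(12, alnum):.0f} bits")
    print("16 with specials:", generate_password(16), f"~{entropy_bits(16, full):.0f} bits")
    print("no ambiguous chars:", generate_password(16, exclude="O0l1I"))
```

The entropy figures explain step 4’s advice: 12 alphanumeric characters give about 71 bits, 16 characters with specials about 102 bits, and every extra character adds more than any extra character class does. The rejection loop matters: forcing one character from each class by placing it at a fixed position would make that position more predictable than the rest.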
A few “How-to-Videos” to get you started:

1. Changing an old password to a strong, secure password.

2. Adding an online service to your LastPass password vault.

Although LastPass is easy to use, there are still many subjects and features I could not cover in one post. I urge you to begin using this solution, and if you have any questions, feel free to contact me and I promise to help you out.

Be safe & prosper
Gezer

Other password managers worth mentioning:

  • KeePass – Free, open-source, cross-platform solution.
  • 1Password – Mac-based, with a beta-stage Windows application.
  • RoboForm – Well-known Windows solution.
  • Clipperz – Web-based solution.

6 comments on “How to protect your online identity using ‘LastPass’ password manager”

  1. great post, addict.
    extremely helpful for people like me for whom every second login anywhere includes retrieving a forgotten password and figuring out how the hell I spelled the name of my first pet (Moca? mocca? moka?)
    But I have to admit that it still feels a bit counter-intuitive for me to give one software the key to all my private data. I assume that their privacy policy and security standards are very tight for that very reason, but aren’t there cases where such password managers get hacked?
    Also, how simple is it to move with this solution between machines, say when I (finally) buy a new computer instead of the one I’m still carrying from Sterna :-)?

    • Thanks, Yoni. I’m truly glad you liked this post, and would like to use LastPass. My intention was to get people started using this software, so I focused on explaining the dangers, and just the basics of getting started.
      To answer your questions/reservations :

      A) LastPass doesn’t really have your master password, only a secure hashed version (unreadable form). So if someone manages to look into their databases – hacker or company worker, they won’t be able to learn your master password.

      B) LastPass also provides multifactor authentication, meaning that accessing the password vault requires more than just your master password.
      They offer a few multifactor solutions:
      1. Sesame – USB application you can carry with you. A pro account feature (Watch video)
      2. Grid – A printable grid of numbers that you can carry in your wallet; LastPass will request that you enter the values corresponding to the coordinates it displays. Free for all accounts! (Watch video)
      3. YubiKey – A USB device with a button that automatically creates one-time passwords to be used as a second factor for authentication. (Watch video)
      4. Roadmap features – They are planning some more types of multifactor authentication options: SMS, phone call and later on biometrics.

      C) Regarding other PC’s and devices – one of the most important issues for me when I chose this software, is that it supports all platforms and enables one account to be used on multiple devices. The password vault is saved on their servers and is synced automatically to all your devices. Your information is encrypted on their servers, and decryption is done locally on your device, so it’s not a problem they have it stored.

      I suggest you start using it without multifactor and other advanced features, and learn more features over time.

  2. or ……..How to create a ‘super password’ – CNN.com
    Paranoia can be a harsh mistress.

    The problem is not memory, the problem is attitude. People are too goddamn casual about these passwords until it is too late. Lose your password to your Google account and all of your Gmail, Picasa, Calendar, Address Book, Blogger, etc. are at risk. Some of those Google-secured connections are directly connected to money. For example, your AdWords account is accessed through a Google login.

    The more places you use these accounts, the more paranoid you need to be because it WILL happen to you too.

    And please, it is not just a matter of making the password long! Please STOP using real English words as passwords! There is something called a dictionary attack that allows a miscreant to quickly figure out a password. If you use a word that can be found in a common language, be assured that it WILL find yours.

    The article has good advice. Go for 11 or more characters, a phrase would be even better. And be wary of any website that won’t allow you to type in at least 12-16 characters, it is a red flag for other security problems.

    If you have trouble remembering passwords, then try to use a keyring application. Macs have one built into the operating system, and you can also use something like KeePass that runs on almost every major operating system and even on smart phones. With an application like this, you just need to remember one strong password, then you can use longer and much harder to remember passwords for your online activities.

    Thanks to KeePass I have certain accounts protected with passwords that are random strings of 32 characters. If you had 10,000 computers that could run in parallel, each trying 500,000 passwords per second, it would take up to 2.8420938392451628e+22 years to crack a 20-character password! The calculator that I found online couldn’t even calculate it for 32 characters 🙂

    This of course assumes that no new technology arrives that allows computers to bridge that computational gap. Using 99,999,999 passwords per second, and 999,999 computers available to run in parallel, we are still talking up to 1421048354881405700 years to crack a 20-character password.

    Another thing that was not discussed in the article? Biometrics. A combination of biometrics and two-factor authentication (like with the RSA dongles or soft keys) would be horribly hard to defeat, assuming that the physical aspects of the biometric reader can’t be attacked. It doesn’t matter how good is the software part of the biometrics package if you can fake a fingerprint like in the movies!

  3. Pingback: Celebrities Facebook & Email accounts hacked « Addicted 2 Tech

    This may be an extreme thought. But.. what if the LastPass servers were destroyed, say in a natural disaster or solar flare EMP pulse type of event? Would that not put all users in dire straits? Seems to me password managers should be stand-alone and able to be backed up, stored and used from a USB device. Comments???
    thanks for your work
