back to article LastPass now supports 2FA auth, completely undermines 2FA auth

Password manager LastPass has added a new feature to its software: the ability to store two-factor authentication codes. This is great news. For hackers. Increasingly, people with sense use two-factor auth as a way of ensuring that it is much harder for miscreants to break into their accounts, and to detect if anyone is anyone …

  1. AegisPrime
    FAIL

    Better alternatives...

    With the increasing vulnerability of cloud-based services (not to mention governments wanting access to everything online) I've finally retired my LastPass account in favour of KeePass - I share the database via Sync.com (like DropBox but encrypted and zero-knowledge their end) and keep the key local.

    LastPass just has a huge target painted on it these days.

    1. a_yank_lurker

      Re: Better alternatives...

      I prefer a local password manager on my box. True it limits me if I am using a different device without the manager. Syncing is basically sneaker net if desired.

      1. Pompous Git Silver badge

        Re: Better alternatives...

        @ a_yank_lurker

        Bruce Schneier's Password Safe can run from a USB stick. One of several reasons I find it useful.

        1. Anonymous Coward
          Anonymous Coward

          Re: Better alternatives...

          @ Pompous Git

          Thanks for the Password Safe tip. Looks like they've got a Linux Beta.

          1. Pompous Git Silver badge

            Re: Better alternatives...

            "Thanks for the Password Safe tip."

            I use the Linux Beta (no issues during ~16 months of daily use), the Windows freebie, the paid-for exe that runs from a USB stick and there's an android app that also reads the same files.

        2. Adam JC

          Re: The Need For Speed

          A USB stick can be lost, I prefer a cloudy app to store it (Whether it's KeePass on Dropbox, OneDrive, etc) or LastPass in the cloud. You keep your KeePass file locally and your SSD bites the dust... boom, chaos.

          As I understand it, your 'vault' is encrypted in-situ on LastPass' server and even they can't access it, so even if their servers were ransacked, there's no way to get in unless they have your master password.

    2. big_D Silver badge

      Re: Better alternatives...

      I use KeePass at work and LastPass privately. To be honest, I hate KeePass, it feels so awkward, compared to LastPass. The UI is the one part that LastPass really has done well.

      1. Uplink

        Re: Better alternatives...

        KeeWeb.info is mentioned as an unendorsed alternative implementation on the KeePass website. If it's a nice UI you are after, that one looks quite nice.

      2. Sgt_Oddball

        Re: Better alternatives...

        I think I speak on behalf of a number of us here but we'd prefer a secure password manager you a good looking one. Both would be nice but first and foremost it should be secure.

        1. Pompous Git Silver badge

          Re: Better alternatives...

          @ Sgt_Oddball

          AFAICT Password Safe meets your criteria. Password Safe It's FOSS so would expect any vulns to be exposed quickly.

        2. DropBear

          Re: Better alternatives...

          @ Sgt_Oddball: as far as I'm concerned, security is a required feature, not a sufficient one. If I find something too unwieldy to use, I won't, no matter how super-safe it is. I'm not familiar with KeePass specifically, but I do know I'm sick and tired of 2017-edition apps that look dated even by Gingerbread / Win3.11 standards "because UI is just fluff, who cares about that, Real Men only need a CLI anyway"...

    3. PNGuinn
      Coat

      Re: Better alternatives...

      Store all your passwords and access codes in a manilla folder marked "Demolition notices" in a locked filing cabinet in a disused basement lavatory with a notice saying "Beware of the Leopard" chalked on the door ...

      I think I'll start keeping essential security info in a a camber pot under the bed. Is dampness / pong a security advantage?

      Security by obscurity and all that?

      Thankyou - It's the one with the bottle of perfumed waterproof invisible ink in the pocket.

      1. VinceH

        Re: Better alternatives...

        @PNGuinn

        "I think I'll start keeping essential security info in a a camber pot under the bed. Is dampness / pong a security advantage?

        Security by obscurity and all that?"

        That's not security by obscurity - it's security by odorosity.

      2. mr_souter_Working
        Pint

        Re: Better alternatives...

        have a beer for the Hitchhikers Guide reference

        I am going to assume you mean to use a full (to the brim) chamber pot, and put your encrypted USB stick in a sealed bag inside it - no burglar or hacker is going near it (especially not after it festers for a few weeks) - of course, you may have to move out of your own home due to the smell..............................and obviously write the password down on the underside of the pot. :D

      3. caffeine addict

        Re: Better alternatives...

        I think I'll start keeping essential security info in a a camber pot under the bed.

        Presumably a camber pot is for when you're on the piss?

    4. AbortRetryFail

      Re: Better alternatives...

      @AegisPrime - yes that's what I do too although currently still on Dropbox but I'll look into sync.com now - thanks!

      I agree with comments that KeePass is rather clunky though. But it works well enough for me despite not being as slick and convenient as I hear LastPass is.

    5. Anonymous Coward
      Anonymous Coward

      Re: Better alternatives...

      Me too. In my opinion it's a serious risk to keep on using LastPass. Now using the really excellent Sticky Password (with local network sync option than cloud if you prefer). For the really sensitive stuff like banking using Keepass for the time being.

      1. Anonymous Coward
        Anonymous Coward

        Re: Better alternatives...

        Care to explain why it's a serious risk? This is no less secure than using Google Authenticator app separately, vault and contents are still nowhere near being exploited and - Much like KeePass, if they get your master password they're still in your vault. Alternatives like KeePass don't even have the capability to implement 2FA let alone have it exploited :-/

        1. Adam 52 Silver badge

          Re: Better alternatives...

          "This is no less secure than using Google Authenticator app separately,"

          With Authenticator your 2FA seed is held locally. With LastPass's version it's at LastPass and therefore vulnerable to an attack on LastPass.

          "Much like KeePass, if they get your master password they're still in your vault."

          No they can't, just having a KeePass password doesn't help you without the database whereas a LastPass vault can be accessed from anywhere worldwide if you know the password.

          " Alternatives like KeePass don't even have the capability to implement 2FA"

          Oh yes they do.

          "let alone have it exploited :-/"

          LastPass's authenticator leaves all your 2FA vulnerable, not just you LastPass vault.

          Oh, and whoever preferred the LastPass GUI to KeePass. Each to their own but you are weird! Why on earth would "add item" in a shared folder add a private item? Why do you have to add an item to a private folder, then find it, the click share to share it? Why is there no way to tell the difference between a genuine LastPass user and a random phishing address when sharing secrets? The list goes on.

    6. ProperDave

      Re: Better alternatives...

      I've always been highly suspicious of on-line storage services and password vaults, so I'm running my own private OwnCloud instance off a PI at home. I've locked it down as best I can and keep it up to date, and I have a KeePass vault on it. Brilliantly the most popular KeePass app for Android supports opening a vault from OwnCloud as a data source. I'm really quite pleased, and now have most accounts online locked down with 32-char+ passwords.

      1. Adam JC

        Re: Better alternatives...

        Except of course the buffoons who insist on a ridiculously short max-char password (I'm looking at you, Microsoft...)

    7. leexgx

      Re: Better alternatives...

      i was trying to explain this issue with using a service that stores all your 2FA auth codes is very bad idea as if someone gets into your account (in this case authy) and has your username and password you can lose access to all your account

  2. adnim
    Meh

    256 bit AES encrypted plain text file

    Several copies:local disk, raid backup server and a couple of USB sticks.

    Use a pass phrase like a sentence of 30+ characters. "Why th@ fsck do ! n3Ed t0 b3 s0 P@r^noiD?"

    Why trust a third party? Trust no one.

    1. Anonymous Coward
      Anonymous Coward

      Re: 256 bit AES encrypted plain text file

      This is the answer I think. I use a GPG-encrypted TiddlyWiki but it's the same difference really. You can then sync it to everywhere with sime impunity, and anywhere there's GPG and something that will read a TW (or, better, plain text) you can read it if you have to.

      1. Charles 9

        Re: 256 bit AES encrypted plain text file

        That's one reason people like us like KeePass. It already uses strong encryption by default, let's you a file as a key, and it's FOSS.

    2. Orv Silver badge
      Coat

      Re: 256 bit AES encrypted plain text file

      Better type it by hand, then -- otherwise something might snoop it out of your copy/paste buffer. Wait, no, keyloggers...

  3. This post has been deleted by its author

    1. NonSSL-Login

      With all the database breaches the last few years, it's easy to spot and work out passwords for people who use these systems. I used such a system myself but now only use KeePass, considering myself wiser and more informed.

      As for LastPass...the major fails on their behalf makes me wonder time and time if they work with a certain government agency or not to introduce these fails. I mean the way someone could pull your password for any site with an iframe and a /www.site.com/ directory was just too bad to be true. To give them the seed for 2FA...just no!

      The majority will still use passwords like march46131, doggie12 or moimeme though...

      1. This post has been deleted by its author

    2. VinceH

      As NonSSL-Login says, algorithms like those can be reverse engineered fairly easily. Also, the example you give using first/last or second/fourth letters brings with it a serious limitation in the total number of computed passwords, and there will likely be a number of password clashes.

      Stick with KeePass.

    3. Anonymous Coward
      Anonymous Coward

      Straightforward algorithms

      are, unfortunately, straightforward to break. There really is no substitute for an 'algorithm' which is 'pick n random (really random, not pseudorandom) symbols from a sufficiently large alphabet'. This isn't actually an agorithm technically, hence the quotes.

      If you pick your alphabet to be 'printable ASCII' and n sufficiently large this yields strong passwords which you can't remember. If you pick your alphabet to be /usr/dict/words and n to be rather smaller (because the alphabet now contains tens or hundreds of thousands of symbols, rather than a few tens) this yields passphrases which are both strong and easy to remember. This trick was publicised by Randall Munroe. Note: it matters that you pick the words randomly: do not use a natural language or anything like it.

      1. Charles 9

        Re: Straightforward algorithms

        Even phrases become hard to remember past say ten or twenty sites. I always put it like this: "Was it CorrectHorseBatteryStaple or DonkeyEnginePaperclipWrong?" Especially if you refuse to leave grammar clues.

    4. Just Enough

      Not secure

      Everything about a "straightforward algorithm" is not secure by definition.

      "needs multiple passwords to at least stand a chance of figuring out how you build it, and every password is different..."

      .. but once someone has figured it out they have easy access to everything. The sad fact is that there are plenty of websites with shockingly bad security where your "straightforward algorithm" could be exposed, and you're saying maybe only two or three leaks would be enough to totally compromise every account you have?

      And using numbers in place of letters also ceased being a secure way of writing anything at least 15 years ago.

  4. Malcolm Weir Silver badge

    One challenge for those of us (like @Frank Long) who have devised a cunning scheme for generating passwords is that some total toss-winglers arbitrarily set moronic rules in the naive assumption that it improves security by increasing the sample space.

    Some of my favorites (read: "some of the first to go against the wall when the revolution comes") include those who only allow an arbitrary subset of special characters: so maybe "-" is allowed, but not "/", "%" but not "$", and so on.

    1. Number6

      If you look through the list of sites where I've had to reset the password, it's invariably the ones that try to impose a 'one of everything' rule. I guess I could learn to try 'expected password' and 'expected password plus this particular special character' before giving up, but normally it's try the password, try it again more slowly and carefully, then give up before the third failure locks the account.

    2. scrubber

      "an arbitrary subset"

      It may not be arbitrary, their backend system may be so poor that the ! character will break into a shell command, or a % will allow you to execute SQL.

      Never underestimate how crap some systems are or how stupid people are.

      1. Steven 1

        Re: "an arbitrary subset"

        Back in the day to change your password on Santander's site you'd have to enter your existing password all in upper case for it to accept it. Even though my actual password was upper and lowercase.

        Very worrying. I ceased having anything to do with them shortly after pointing that out and them not realising the significance of the problem. No idea if that's still a 'feature'.

    3. Anonymous Coward
      Anonymous Coward

      include those who only allow an arbitrary subset of special characters: so maybe "-" is allowed, but not "/", "%" but not "$", and so on.

      My favorite gripe here is inconsistent handling of ASCII control characters, especially ^C ^V and ^U. I've seen several cases where the password-change prompt will accept ^U as a valid character, but the login prompt will interpret it as an ASCII NAK control input, promptly erasing the input so far. Much hillarity ensues.

    4. gnasher729 Silver badge

      "One challenge for those of us (like @Frank Long) who have devised a cunning scheme for generating passwords is that some total toss-winglers arbitrarily set moronic rules in the naive assumption that it improves security by increasing the sample space."

      As an example, the Safari browser can suggest reasonably safe passwords that look like ABC-DEF-GHI-JKL-123 or something like that. Random obviously and not in alphabetical order. HMRC doesn't like it. First, it needs at least two digits (quite often these random passwords have only one) and it definitely doesn't like the hyphens. What's worse, I think (but I'm not 100% sure) they changed their rules, and my old password wasn't accepted anymore.

      I think the first step would be to check what passwords from popular and safe password generators look like, and always accept those.

    5. Ben Tasker

      include those who only allow an arbitrary subset of special characters: so maybe "-" is allowed, but not "/", "%" but not "$", and so on.

      Yep, it's one of my bugbears too, but actually, so are the majority of complexity rules - especially when the buggers don't tell you what they are head of time.

      Mind you, there's quite a lot wrong with a lot of things people think are "standard practice", or that they will improve security.

      Making it harder to come up with an acceptable password doesn't automatically make those passwords harder to crack, the rules often make it easier because they exclude a huge number of (otherwise) acceptable passwords.

      1. Whitter
        Paris Hilton

        Reuse security?

        I have occasionally wondered if the more obscure rule sets imposed by some sites were more to do with avoiding password reuse (and therefor potential breach from any half-assed site the user has a password with).

        Mind you, the 8-character maximum limit from Virgin Media is just madness.

  5. Anonymous Coward
    Anonymous Coward

    "Nothing can go wrong with this"

    There seems to be two clear factions: Those who believe pen and paper is decrepit, inflexible and open to abuse from someone close to you unless a cipher get used. Then there's the camp who believe if it can be hacked- it will.

    Pity there's no stats to see who will be proven right. But whatever your dogma, probably best if we don't all march off a cliff to the Cloud. Face time at banks / financial institutions is still worth something! Think 2016 Tesco bank hack!

    http://www.itproportal.com/features/lessons-from-the-tesco-bank-hack/

    1. Ben Tasker

      Re: "Nothing can go wrong with this"

      Those who believe pen and paper is decrepit, inflexible and open to abuse from someone close to you unless a cipher get used. Then there's the camp who believe if it can be hacked- it will.

      The two aren't mutually exclusive. It's about assessing the risk you're trying to counter.

      Whilst it'd be easy for someone nearby to nab your password book and take photos, it requires physical proximity, so as long as you're actually securing the book you've probably got a low risk of that happening (outside of being deliberately targeted). Post-it notes on the back of your keyboard are another matter though, as you've not taken steps to secure them.

      Stored online, on the other hand, there's no physical proximity required and anyone with an internet connection can have a go (though not all will have the ability to be successful). It takes away the advantage of physical proximity (leaving aside people should-surfing your master password) but opens the number of possible culprits from a select few to potentially billions of people.

      There's also another risk inherent with trusting a third party with your credentials - they might, without malice, make a mistake that leads to credential leakage. That's another risk that isn't present with a little book of passwords.

      To be honest, I see it more as a convenience trade-off than a security decision. If passwords are in a little book, and you haven't got that book with you, you're out of luck. If their online, then you can get at them any time (the problem being, that others could too).

      If you were after ultimate password storage security (with convenience not being a consideration), you'd generate long random passwords, write them in a book and lock that book in a safe that no-one else can open. Of course, you're screwed if you need a password while at work, or if the house burns down.

      Cloud based password managers are still better than memorising (and re-using) a small number of less complex passwords, but anyone who tells you they're more secure than pen, paper and a little bit of effort is an idiot.

      1. Anonymous Coward
        Anonymous Coward

        Re: "Nothing can go wrong with this"

        Agreed, but non-cloud based managers trump all - see KeePass with mobile app, where you store an encrypted file on your own flavour of cloud storage.

        If your cloud storage credentials are exposed, your password file is still (hopefully) encrypted with other more complex credentials. Also targeted attacks would have to break two authentication walls, one being 2FA cloud to get to your passwords.

        Why trust one login to a single cloud provider with all your logins seems nuts to me.

        1. Ben Tasker

          Re: "Nothing can go wrong with this"

          > Agreed, but non-cloud based managers trump all

          Nope, you're still trading security for convenience there.

          As others have said, a single keylogger (or malware targeting password lockers) and you're toast.

          They're better than a purely cloud-based storage solution, sure, but don't compare to the security of a properly secured offline record.

          Whether it's worth that trade, of course, is something else - I'd argue it should actually vary by the importance of (and ramifications of losing) the password. Social media logins and stuff? Get a bit of convenience. Credentials to access your life savings? Maybe give up a bit of that convenience

          > Why trust one login to a single cloud provider with all your logins seems nuts to me.

          Me too. Not to say that LastPass haven't put an impressive amount of effort into trying to ensure that a compromise of them doesn't mean a compromise for you, but it's still an exorbitant amount of trust to place in a 3rd party.

          1. Orv Silver badge

            Re: "Nothing can go wrong with this"

            Whether it's worth that trade, of course, is something else - I'd argue it should actually vary by the importance of (and ramifications of losing) the password. Social media logins and stuff? Get a bit of convenience. Credentials to access your life savings? Maybe give up a bit of that convenience.

            That's where I am. I use LastPass for all the random stupid passwords shopping, commenting, and social media sites want. But my bank password is only in my head.

    2. Anonymous Coward
      Anonymous Coward

      "non-cloud based managers trump all"

      ...."see KeePass with mobile app, where you store an encrypted file on your own flavour of cloud storage"....

      Sure, every account got hacked @ Yahoo etc. If that ever happens to a Cloud based Password-Manager it'll be a serious clusterfuck! Especially if users only find out years after because LastPass etc is taken over, and corporate due diligence means they must fess up!

      However, if any of your devices with KeePass gets hit by keyloggers / slurp-happy Malware, won't you be screwed too? Example: WAGS borrows your device in the car to look up directions to 'Hotpoint'. Hotpoint site gets compromised again... Game-Over, no???

      1. Charles 9

        Re: "non-cloud based managers trump all"

        "However, if any of your devices with KeePass gets hit by keyloggers / slurp-happy Malware, won't you be screwed too? Example: WAGS borrows your device in the car to look up directions to 'Hotpoint'. Hotpoint site gets compromised again... Game-Over, no???"

        If a point of entry gets pwned, you're screwed no matter what. Things like KeePass at least make it hard to pwn you OUTSIDE the point of entry. If LastPass gets hacked, you can get pwned outside the point of entry.

  6. big_D Silver badge

    Banking

    A comment to the bank sends a code comment in the article - mine doesn't, I need to generate a unique token using my debit card and card reader, plus the payee account number and the amount. This generates a unique code, which is used to verify the transaction. This is, for me, real 2 factor authentication.

    1. Anonymous Coward
      Anonymous Coward

      Re: Banking

      Every time I use my bank's 2FA code generator device - I make sure that all the numeric keys are pressed an equal number of times. Even if someone gets hold of the keypad and card - they can't do any wear analysis to work out which set of numbers are used. The pin is only in my head and that card is never used outside the house.

      1. harmjschoonhoven

        @AC: Re: Banking

        Be careful about what you wish. https://xkcd.com/538/

      2. Charles 9

        Re: Banking

        "The pin is only in my head and that card is never used outside the house."

        So what happens when (not if) Murphy strikes and you FORGET your PIN?

        1. Orv Silver badge

          Re: Banking

          So what happens when (not if) Murphy strikes and you FORGET your PIN?

          If it's like my bank, I go to the local branch, show my ID, and ask for it to be reset.

          1. Charles 9

            Re: Banking

            Unless, of course, it's an extended weekend (coming up here in the US) and/or you're far from the nearest local branch (assuming they HAVE brick-and-mortar branches)? Or worse, they refuse to believe you?

    2. fruitoftheloon
      Happy

      @big_D: Re: Banking

      big_D,

      likewise [in the UK] my bank allows two types of e-banking logon, if I don't generate a string on the little gizmo in my wallet, I cannot setup any new payee destinations, if I logon to e-banking with the gizmo, I can.

      And it uses part of the a/c code for the generation of the unique key that I have to type back into the browser.

      So pretty good, not a pain in the butt and works!

      Obvs I have no clue how robust the underlying schema and approach is, but there is only so much you can do...

      Cheers,

      Jay,

      1. julian.smith

        Re: @big_D: Banking

        And your bank is HSBC?

        They seem to have a good system but don't lose your gadget on an overseas holiday,

        1. Ben Tasker

          Re: @big_D: Banking

          They seem to have a good system but don't lose your gadget on an overseas holiday,

          They had a good system, but they seem increasingly desperate to ruin it by having everyone generate a code through their (shoddy) app instead.

          I'd guess it's probably to do with the cost of getting RSA tokens, but they seem to be pushing the app generator harder and harder, so I've a feeling when the batteries give out on my dongle it may be hard to replace.

        2. fruitoftheloon
          Happy

          @julian.smith: Re: @big_D: Banking

          Julian,

          First Direct, which is owned by HSBC.

          Cheers,

          Jay

    3. Doctor Syntax Silver badge

      Re: Banking

      " I need to generate a unique token using my debit card and card reader, plus the payee account number and the amount. This generates a unique code, which is used to verify the transaction."

      Or, in the case of the card reader my bank sent me, is used to fail to verify the transaction. However the use cases needing this are very few; the only one I encountered was changing the email address. So the security device is a piece of crap but the good news is I don't have to use it!

  7. big_D Silver badge

    2FA and OTP

    Using a OTP as part of 2 factor authentication is a reasonably good method. BUT, if you are using it to authenticate an account on the mobile device where the 2FA is generated, then you completely lose any benefit of 2FA.

  8. Pompous Git Silver badge

    "detect if anyone is anyone"

    Oddly enough "anyone" isn't in the OED. Anyon is, but I don't think we are discussing particle physics here.

    1. Wensleydale Cheese

      Re: "detect if anyone is anyone"

      "Oddly enough "anyone" isn't in the OED."

      It's in the macOS Dikshunry, which I thought was based on the OED.

      Its entry contains this note on usage:

      usage: The two-word form any one is not the same as the one-word form anyone and the two forms cannot be used interchangeably. Any one means ‘any single (person or thing)’, as in: not more than twelve new members are admitted in any one year.

      1. Pompous Git Silver badge

        Re: "detect if anyone is anyone"

        "It's in the macOS Dikshunry, which I thought was based on the OED."
        There are several Oxford English dictionaries: The Pocket, the Concise, the Shorter... The Oxford English Dictionary is the 20 volume monster Mrs Git purchased me for my birthday several years ago when it was half-price. I already had the electronic version. I also have lots of dictionaries and an interesting book about dictionaries. I like words and was fascinated to discover a word in common use that wasn't in the OED. It's a first for me. Great one for a quiz night :-)

    2. Martin Cable

      Re: "detect if anyone is anyone"

      "Anyone" is in the Shorter OED (Sixth Edition, page 95) - can't vouch for any others.

      1. Ben Tasker
        Joke

        Re: "detect if anyone is anyone"

        > "Anyone" is in the Shorter OED (Sixth Edition, page 95) - can't vouch for any others.

        In my head, Pompous has read that and is in the process of reenacting a very specific blackadder scene as he realises there's a word missing from his dictionary

    3. Anonymous Coward
      Anonymous Coward

      Re: "detect if anyone is anyone"

      According to "publication history" for the entry at oed.com:

      anyone, pron.

      First published in OED First Edition (1885) as a subentry of “any, adj., pron., n., adv.”

      OED Third Edition (March 2016) - fully updated and upgraded to full entry

      1. Pompous Git Silver badge

        Re: "detect if anyone is anyone"

        I have the CD-ROM second edition. It has anyon, n. followed by anyplace, adv. Can't comment on dead-tree version at the moment; it's in storage. It does have any one under the entry for any (note the space between words). This can be found by typing anyone in the search box, but that's not how I usually use it. If you copy a word to the clipboard, the OED automagically looks it up for you.

  9. Anonymous Coward
    Big Brother

    Amateurs!

    Keymat handling is where peeps fail hard on crypto.

  10. Malcolm 1

    2FA migration

    I can sort of see the appeal of this, given the proliferation of sites supporting 2FA. You can easily imagine a situation where most sites require 2FA and we've just moved the "too many passwords" problem somewhere else.

    Having just recently bought a new phone, had it develop a fault, and send it back I've had to go through the pain of migrating about ten 2FA registrations three times and it is a complete pain, even when most sites use compatible mechanisms. Seems there's a good opportunity to make it easier to transfer these in a secure fashion without storing them in the cloud.

    1. Pompous Git Silver badge

      Re: 2FA migration

      "Having just recently bought a new phone, had it develop a fault, and send it back I've had to go through the pain of migrating about ten 2FA registrations three times... "
      No backup then? Me and Mrs Git have three phones though only two in use at any one time. Actually, we have four but Mrs Git lost hers "somewhere in the house". Why was it turned off? To conserve electricity of course!

      1. Charles 9

        Re: 2FA migration

        One, you can't properly back up a stock phone. Two, most OTP generators are keyed to both phone and Android serial, which can change on a restore. Used to happen to me with Authy.

        1. Orv Silver badge

          Re: 2FA migration

          At one point I got a cheap Chinese phone (a Doogee Valencia) and was puzzled to find I couldn't get Google Authenticator to produce working codes at all. Turns out the math library on the phone had a bug in one of its functions, producing incorrect results.

  11. K.o.R

    You can also require 2FA to get into LastPass in the first place. So I keep my other TOTP in that authenticator instead.

    1. Adam 52 Silver badge

      Being a bit pedantic LastPass doesn't do 2FA. Because LastPass in non-2FA mode doesn't do any authentication, it just lets anyone who knows the decryption key decrypt, LastPass's 2FA is their one and only means of authentication.

      1. Orv Silver badge

        I'm not sure I see the distinction. Normally authentication works by running the user's input through a hashing function and seeing if it matches the stored hash. How is trying to use the users input as a decryption key, and seeing if it works, any less authenticating?

  12. JimmyPage Silver badge
    Flame

    Once again: WE NEED A STANDARD !!!!

    Before arsing about with AMP or HTML6 or whatever nonsense the marketing guys want, for the love of God can we not have an RFC or W3C devised standard on password generation, usage and storage ? It might address some of the problems highlighted above this comment ?

    1) Password length

    2) Allowed characters

    3) Encrypted storage

    4) Lost password reset (i.e. no emailing password in plaintext !!!!!)

    etc etc

    all of which should have been address BEFORE we started worrying about rounded edges in CSS.

    1. gnasher729 Silver badge

      Re: Once again: WE NEED A STANDARD !!!!

      Well, that would be easy:

      Password length - Any. Don't stop me from creating a 100 character password.

      Allowed characters - Any. Don't stop me from using Cyrillic letters.

      Encrypted storage - No. No storage at all. You don't store passwords, not even encrypted. You store a salted hash. Everything else, the CEO of the company, the manager allowing it, and the developer deserve their balls to be cut off, with something equivalent if they are female.

      Lost password reset: Well, that means anyone can get into your account with one factor less :-(

    2. Doctor Syntax Silver badge

      Re: Once again: WE NEED A STANDARD !!!!

      "can we not have an RFC or W3C devised standard on password generation, usage and storage ?"

      Which everyone will implement with their own little amendments. Like IE implemented HTML.

    3. AbortRetryFail
      Joke

      Obligatory XKCD (was: Once again: WE NEED A STANDARD !!!!)

      https://xkcd.com/927

      (No, not 'Correct Horse Battery Staple', the one about standards)

      1. D@v3

        Re: Obligatory XKCD (was: Once again: WE NEED A STANDARD !!!!)

        one of my favourites

  13. Anonymous Coward
    Anonymous Coward

    Last weeks "outage"

    Lastpass does keep a local vault too, so I wasn't too affected.

  14. Anonymous Coward
    Anonymous Coward

    I prefer being cryptic about something only I know

    In my computers I have a list of hints to phrases or details that only I would think of -often from deep in my childhood-(with the odd substituted letter or number). As in "That phrase your deputy head always used to quote" or "What dad used to call his first car with its number". And frankly, if anyone could work those out I have worse things to worry about than being hacked. With 2FA for password resets if I get too cryptic.

    1. Pompous Git Silver badge

      Re: I prefer being cryptic about something only I know

      "In my computers I have a list of hints to phrases or details that only I would think of -often from deep in my childhood-(with the odd substituted letter or number)."
      Some years ago I created a Yahoo! account, but when the need for it ceased, didn't use it for some considerable period of time. When attempting to use it again, was told I needed to change my password. I was presented with my "secret questions" and discovered I no longer knew my grandfather's name, the school I went to etc.

      Ya gotta laugh:-)

      1. Pascal Monett Silver badge

        I have standard responses for those kind of questions, and the answers have obviously nothing to do with historical fact.

        My first pet's name is something like "chicken", my first school could be Cygnus 1B and so on.

        It helps that I have a password database to keep all that stuff in.

    2. Wensleydale Cheese

      Re: I prefer being cryptic about something only I know

      "What dad used to call his first car with its number".

      Beware that old photo surfacing online.

      1. Anonymous Coward
        Anonymous Coward

        Re: I prefer being cryptic about something only I know

        Beware that old photo surfacing online

        True, but I don't quite use that one. And it was a long time ago And there is no one who would be in the business of scanning such a photo, even if it existed, to put online, and it wouldn't be identifiable with me anyway.

  15. Anonymous IV
    Happy

    Date of birth

    When, for no obvious reason, I am asked to give my birth date, I will usually put 01/01/1980 - the lowest possible date in the FAT file system. This is clearly when obesity started...

    1. Rusty 1
      Coat

      Re: Date of birth

      But "01/01/1980" isn't a date - it's an incomprehensible string of decimal digits and slashes. A date has the format "yyyy-mm-dd".

      https://xkcd.com/1179/

      1. Charles 9

        Re: Date of birth

        So you say all your dates (xxxx, mm dd)?

        What about all the hispanics and so on that say "dd de mm, yy" (or simply English who say "ddth of mm, yyyy")?

        Anyway, the mm/dd/yyyy format is consistent with Americans and many other English speakers who say "mm ddth, yyyy".

        The ISO date format is as much a mishmash of letters and dashes as any other date format. The ONLY reason it's so useful in computers is that it AUTOMATICALLY sorts dates chronologically if you perform a simple ASCII sort (to the second if you use the extended format which includes a 24-hour time).

  16. elDog

    But we still have that first-factor snafu

    I'll admit I've typed my password into the login box more than once - plain-text, unmasked. I think that happens because I'm old and that some sites come with pre-filled username fields (thanx, browser) and others don't.

    Or when I accidentally type in a password from one site into another's password field. Not hard to do at work when I'm switching between 3-4 login screens.

    PEBKAC

  17. Anonymous Coward
    Anonymous Coward

    Adding 2fa to LastPass with 2fa active is exactly like adding a password to Lastpass there is no extra risk.

    As for Lastpass breaches, unless someone had a really easy master PW (without 2fa) the passwords in the vault should be safe.

    I never activate (or deactivate) auto fill I usually have multiple logins for sites so auto fill doesn't work for me anyway.

  18. aceshundat

    Adding 2fa to LastPass with 2fa active is exactly like adding a password to Lastpass there is no extra risk.

    As for Lastpass breaches, unless someone had a really easy master PW (without 2fa) the passwords in the vault should be safe.

    I never activate (or deactivate) auto fill I usually have multiple logins for sites so auto fill doesn't work for me anyway.

  19. WolfFan Silver badge

    New password system

    I am currently implementing a new universal password system, one I feel confident will cause the vast majority of would-be hackers to go find someone easier to hack. It's not impossible to hack, nothing is, but I want to make it sufficiently difficult to hack that noxious persons go after lower-hanging fruit.

    1 create a base passcode. The base is a ten-digit combination of uppercase, lowercase, numbers, and special characters. It is split into two parts (and no, I will not be telling how many characters are in each part.) It is chosen specifically to have absolutely nothing to do with any of my personal info, or with any particular site, or anything at all that I can think of. It's as nearly random as I can make it.

    2 generate a unique passcode for each site, typically eight to ten characters, uppercase, lowercase, numbers, and special characters. Because the unique passcode is set up specifically for each site, it is chosen in a way that makes sense to me, and probably not to anyone else.

    3 put part of the base code, then the unique code, then the rest of the base code. Note that the leading few characters and the trailing few characters are always the same, but the characters in the middle, and the total number of characters, changes for each site.

    Should the bad guys by some miracle manage to figure out what I use for the leading few and trailing few, they still have to work out that stuff in the middle. And the password is, overall, an 18 to 20 character password. Lots of luck breaking it. It can be done, but there are other people who have far weaker passwords. If someone were to work out what I use for the first x characters and the last y characters, they would then only have to break the middle 8-10 characters. Quite possible. But first they gotta have enough examples of my stuff to work out the base code. That would be a non-trivial exercise. If the Feds are actively hunting me, specifically, they can gather the info necessary. (Or, more likely, get a search warrant and haul me before the courts when I decline to provide them the password.) The majority of criminal gangs won't bother. And I can always make things interesting for anyone trying to break my password by altering the split in the base passcode, or by simply adding a character or two.

    There are, unfortunately, some places which restrict the maximum number of characters in a password, and some places which don't allow all of the special characters, and some places which do both. I let the admins at those places know that they have an insecure site (and they just love me for it, they do) and generate a unique passcode just for them. They are the ones who case me trouble to remember the password, as they don't fit the normal pattern. I try to avoid sites like that.

    There are sites which are simply not worth the effort involved in generating a secure password. (I'm looking at you, El Reg.) They get a much simpler generic eight to ten character passcode.

  20. Anonymous Coward
    Anonymous Coward

    2FA -> 1FA

    It's called two factors, because it combines something you know with something you possess.

    The thing you know is your login/password combination. The thing you possess is a device that can generate an authentication code, via a secret seed.

    Of course, the whole point of a 2FA machine is lost if you DON'T KEEP IT A SECRET! Why are you storing it with your username/password, eh? :v

  21. Kevin McMurtrie Silver badge

    2FA has been broken for a while

    You log in from your phone and a verification token is pushed to your phone. That's not 2FA anymore. It just means that the malware needs to be put on your phone rather than your desktop computer.

    Token generator key fobs are a bit better because it must be physically stolen and used before the owner deactivates it.

    1. Charles 9

      Re: 2FA has been broken for a while

      Oh? What if they steal the secrets needed to crack the algorithm? Wasn't that what the RSA attack was about?

      PS. If they pwn the login point, then no amount of security will work because it can hijack anything at the point of entry. Even OTPs.

    2. Orv Silver badge

      Re: 2FA has been broken for a while

      The separate token generator doesn't help if your endpoint is compromised, either; they can just intercept the token when you type it in. Granted, it has to be used immediately, but that's a minor hurdle.

      The real weakness of most 2FA schemes isn't the 2FA scheme itself, but the session token generated once you log in. The session token is effectively a 1FA, since no one wants to type in a token number every single time they click a button on the site. Anything that allows stealing or predicting that token will result in a security hole. (Both Twitter and Discord have suffered attacks based on this.)

  22. McDragon

    How would you then solve the problem of having multiple 2FA accounts and you loose/change/factory reset your phone. You get locked out of your accounts or you manually uninstall 2FA on each accounts. Every time.

    By the way... Authy does 2FA backups also.

    1. Orv Silver badge

      For my GMail account I have an OTP that I printed out as an alternative form of 2FA. Once I log in with that, I can add my new phone.

  23. Anonymous Coward
    Thumb Up

    scott

    tiger

  24. bex

    I agree

    I noticed lastpass was wittering on about my problem of typing in 6 digits. I think I will carry one using authenticator plus and suffer from the "Real" hassle it causes.

  25. Hoe

    Don't get why people would move because of this silly feature, surely the easy option is just don't use the feature?

  26. Bastard Sheep

    Lastpass Authenticator is made by the same company, but it's a different product. A separate app. You install it on your phone, it operates no differently and no less secure than using Google, Microsoft, Duo, or anybody elses authenticator app on the same phone.

  27. mr_souter_Working
    Black Helicopters

    One of the biggest issues

    Most people use the same username on all sites - and usually the same email address

    personally, I use a different (and random) email address (from one of the 3 domains that I own) for most sites, together with a unique password for that site. It gives me the advantage of knowing if a site has been hacked (or has just sold my information), as I then see spam coming to an address that was only ever used on that single site.

    Never sign in with any Social credentials (Facebook, Google+, Microsoft, etc...)

    I also use a combination of KeePass for day to day stuff (several copies stored in different locations and synced every few weeks), encrypted text files contained in encrypted zip files on an encrypted USB stick for truly important stuff (with encrypted backups on my home NAS and at least one offline USB drive).

    Me? paranoid? never! who said that I was?

    1. Anonymous Coward
      Anonymous Coward

      Re: One of the biggest issues

      "personally, I use a different (and random) email address (from one of the 3 domains that I own) for most sites, together with a unique password for that site."

      I used to do that - and could alert suppliers when their unique address appeared in spam. Then Vodafone outsourced the Demon email service to a Microsoft 365 service. That now limits the addresses in your Demon subdomain to a maximum of 100 - and you have to register a new one before you can use it.

      1. To Mars in Man Bras!
        Headmaster

        Re: One of the biggest issues

        >>I use a different (and random) email address (from one of the 3 domains that I own)...

        [engage Michael Caine voice]

        Not a lot of people know this. But, if you use Gmail, you can also do this by adding +<something> to your gmail address and the emails will still get to you.

        So, if your email is fred@gmail.com, you can sign up at Acme Widgets website with fred+acme@gmail.com. Then when you start getting spam at that address, you'll know exactly who sold on your data. I. have a junk Gmail address for exactly this purpose.

        Also works on your own domains, if you use Google's mx servers to handle your email for those domains.

        [Of course, needless to say, some eejit websites' email validators won't accept an email address with a + in it as being legit]

  28. Anonymous Coward
    FAIL

    Non issue?

    "However, many companies, including Google, Facebook and Dropbox also offer the ability to generate one-off access codes from a device or app. You usually scan a barcode unique to your account, and this is used to calculate a sequence of access codes, with a new code every minute or so."

    Yeah, if someone manages to get into your LastPass account, sure. But wasn't that advantage already removed the very moment when the user themselves opted not to use a device such as a phone but instead opted for a one-off access code which is being sent to the same machine which they used to provide their username and password on?

    How is this any different?

    1. Charles 9

      Re: Non issue?

      If they can pwn the point of entry, then any other kind of entry screening is moot since they still have to go through the point of entry. IOW, 2FA isn't going to work not because it's going to the same point as the pwned point of entry but because it'll have to go through the pwned point of entry anyway.

  29. William 3 Bronze badge

    Complex passwords stuck on a post it note under your desk

    Is quite simply the best security policy.

    The reason being that if someone has physical access to your computer then all bets on security are off.

    That inch of wood between your keyboard and the password fools any and all internet hackers.

    If someone is in your house, you have bigger fish to fry then your facebook/the register forum passwords.

    1. Anonymous Coward
      Anonymous Coward

      Re: Complex passwords stuck on a post it note under your desk

      "If someone is in your house, you have bigger fish to fry then your facebook/the register forum passwords."

      I wouldn't do that in the office - but I totally agree about using the method at home. My bank account is secured by a stand-alone 2FA device to which the pin is in my head.

      1. Charles 9

        Re: Complex passwords stuck on a post it note under your desk

        So what if you have a bad day and FORGET the PIN?

    2. Orv Silver badge

      Re: Complex passwords stuck on a post it note under your desk

      I always told people if they had to write down the password, to stick it in their wallet. Most people are very careful to not let their wallet out of their sight, and if it's ever stolen they'll know it and can change the password.

      1. Charles 9

        Re: Complex passwords stuck on a post it note under your desk

        Unless, of course, you're MUGGED and they take advantage while in an unconscious heap.

  30. Anonymous Coward
    Anonymous Coward

    Is this really 2FA?

    I don't really understand how these mechanisms can claim to be 2FA, if the second factor can be reduced to a piece of information that can be digitally duplicated into your LastPass. It's two things you know: your password and the seed value. Thats 1FA, not 2FA.

    For it to be a real "something you have" factor, the key needs to be hidden inside some kind of hardware, like an RSA key or one of those bank PIN devices.

    1. Charles 9

      Re: Is this really 2FA?

      And what if you LOSE it? Or they break the system like in the RSA attack? People lose their keys already, let's not try to add something ELSE to lose?

      1. Anonymous Coward
        Anonymous Coward

        Re: Is this really 2FA?

        @Charles 9: if you lose your physical token, you're locked out until the administrator issues you a new one.

        If your data is not sensitive enough to justify the extra hassle of 2-factor authentication, don't use 2-factor authentication.

        I just don't like seeing people claiming their authentication system is 2FA when it's not.

        1. Charles 9

          Re: Is this really 2FA?

          What happens when you routinely have to handle sensitive data BUT you're also highly prone to losing things like your keys, meaning you're likely to lose the fob?

          1. Anonymous Coward
            Anonymous Coward

            Re: Is this really 2FA?

            If the data's sensitive enough to require 2-factor authentication, and you can't work 2-factor authentication, then the only answer is to give the job to someone else.

            1. Anonymous Coward
              Anonymous Coward

              Re: Is this really 2FA?

              And if there's NO ONE else because you're also the highly-trained (but eccentric) specialist? Don't diss edge cases and Murphy. They don't stay that way for long.

              1. Anonymous Coward
                Anonymous Coward

                Re: Is this really 2FA?

                If 2FA is impractical in your contrived edge case, then I suppose you'll have to fall back to using 1 factor authentication. But don't kid yourself that your 1FA scheme is 2FA.

                1. Charles 9

                  Re: Is this really 2FA?

                  I'm not. I'm just saying that for many 2FA smacks of "hoop jumping," and you know how people think about hoop jumping.

    2. Orv Silver badge

      Re: Is this really 2FA?

      RSA keys also use a seed value, so in that sense it's all information. The distinction between "something you have" and "something you know" is subtle. I have an RSA key, which has a seed on it. I have my phone, which has a seed on it. The only distinction is that one of them is a specialized computing device, and the other is general-purpose.

      1. Anonymous Coward
        Anonymous Coward

        Re: Is this really 2FA?

        These pseudo-2FA systems use a seed that an end user can access, copy and put into another program. Real 2FA systems use a seed that's sealed inside tamper-resistant hardware, and can't be accessed without physically possessing and destroying the hardware. That seems a clear distinction to me.

  31. icefyre127

    The analysis in this article is incomplete and misses the mark...

    I understand the worry about "putting your eggs in one basket" however the argument against Lastpass's support of 2FA is incomplete. If you decide to use the absolutely worst configuration for lastpass then yes, the article is correct. However, most LastPass users use 2FA to access lastpass and the more security conscious among us also make sure LastPass sessions are not perpetual.

    If you are on my lastpass it means you are either me (as I have used 2FA to authenticate) or you have hijacked my machine. However, if you've hijacked my machine, you can just steal my session cookies or route your connection through my device to get into any account requiring 2FA not to mention you probably already have a keylogger installed. If your device is insecure, your accounts are toast. If your device is secure, then there is no threat to your other accounts protected by 2FA. Why do you need to juggle 7 different seeds instead of securely authenticating once with 2FA and then accessing your accounts? BTW, the argument used by this article can also be leveled at any application that aggregates 2FA seeds, for example, Google Authenticator...

    If someone hacks your google authenticator they have access to all of the 2FA seeds stored in that application. To hack Google Authenticator you would need to compromise the device (same as lastpass). What is the solution? Would storing your authentication tokens on 7 different authentication apps make you more secure? Most likely not. If the device is compromised, all of those apps are likewise probably compromised. The only thing you've done is made people less likely to use 2FA because no one wants to juggle 7 different authentication apps (any one of which could contain security vulnerabilities which further decreases your device's security).

  32. icefyre127

    The other side of the argument

    I understand the worry about "putting your eggs in one basket" however the argument against Lastpass's support of 2FA is incomplete. If you decide to use the absolutely worst configuration for lastpass then yes, the article is correct. However, most LastPass users use 2FA to access lastpass and the more security conscious among us also make sure LastPass sessions are not perpetual.

    If you are on my lastpass it means you are either me (as I have used 2FA to authenticate) or you have hijacked my machine. However, if you've hijacked my machine, you can just steal my session cookies or route your connection through my device to get into any account requiring 2FA not to mention you probably already have a keylogger installed. If your device is insecure, your accounts are toast. If your device is secure, then there is no threat to your other accounts protected by 2FA. Why do you need to juggle 7 different seeds instead of securely authenticating once with 2FA and then accessing your accounts? BTW, the argument used by this article can also be leveled at any application that aggregates 2FA seeds, for example, Google Authenticator...

    If someone hacks your google authenticator they have access to all of the 2FA seeds stored in that application. To hack Google Authenticator you would need to compromise the device (same as lastpass). What is the solution? Would storing your authentication tokens on 7 different authentication apps make you more secure? Most likely not. If the device is compromised, all of those apps are likewise probably compromised. The only thing you've done is made people less likely to use 2FA because no one wants to juggle 7 different authentication apps (any one of which could contain security vulnerabilities which further decreases your device's security).

    1. Charles 9

      Re: The other side of the argument

      Unless, of course, they just hack LastPass itself, steal the contents, AND figure out ways to crack or hack them, which is not outside the realm of possibility. Then they can pwn you without hacking you.

      1. icefyre127

        Re: The other side of the argument

        They are free to hack lastpass. The way the architecture works Lastpass only stores an encrypted blob so the contents can't feasibly be obtained unless the master password is very weak. Lastpass doesn't even hold your master password. The only problem I see is if hackers somehow manage to replace the lastpass add-on with a malicious version in the app store and make people update to it. That means that Lastpass's certificate was compromised and that someone had the credentials to upload to the store and that there was no control to detect that a new extension/app was deployed without the relevant change control. I would say that the risk of all of that is much lower than the risk of having one password compromised and then having multiple accounts compromised because you were using the same password.

        1. Charles 9

          Re: The other side of the argument

          But because all the eggs are in one basket, so to speak, someone could be motivated enough to try to break LastPass's system so as to get at the motherlode. Look at the attack on RSA for the level of motivation available to a determined hacker.

  33. JimmyPage Silver badge
    Stop

    A lot of overthinking here ...

    I would bet it's a given that no one here will be affected by any sort of "hack" - almost by definition El Reggers are the 5%.

    It will be the 95% who haven't a clue that will fall victim, because not only are criminals stupid, but they are lazy and stupid.

  34. Reliance

    Fewer Secrets

    I feel it helps to limit on-line access to financial accounts. I can logon to my bank, but my account type won't let me move money around. The hacker in Moldavia can't transfer fund from my bank to his.

    So the weakest point is online shopping. If they can logon and ship something from Amazon to their place, they got me. But Amazon has the address. Not a good way for the Moldovan hacker to get rich.

    So what's left? They can hack into my Register account and put comments in under my name. So maybe, worst case, this message is from the hacker, not "Me".

    1. Charles 9

      Re: Fewer Secrets

      OR they can glean your details and use that in social engineering to get better access to your more-sensitive stuff through identity theft.

  35. MrPete

    It's not as if people tend to jump to conclusions either :)

    Note that the guy who reported "serious problems" with LastPass Authenticator app later had to retract his primary concern: NO, it never was possible to hack in and gain access. That was his own misunderstanding based on an invalid test (using a local image rather than the actual LP-site-based image.)

    Their only real vulnerability was to remote turn-off of 2FA. And that's been fixed.

    Interestingly, LastPass has proven the security of their system the hard way: their central servers were hacked... and nothing useful was obtained or obtainable about their customers! They don't know, and don't have access to, your passwords, keys or anything else of use to a hacker.

    I agree with others, based on experience: NO technology is completely secure. Everything has bugs, everything can in some way be hacked given sufficient time and knowledge of the humans involved. At this point, after extensive testing, I am using LP personally and with family.

    LP certainly is not perfect: I have found numerous bugs in the UI, pain-in-the-neck feature implementations, etc etc. But nothing that exposes confidential information. (The main thing I don't like: I can share a record with another account, but the actual password is locked from visibility. In many use cases, that is unacceptable.)

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon