Hacking - Time to do something about it

There has been a lot of hacks happening recently, with Kickstart being the one in the news lately. But this got me thinking that I should do something as online identity can easily be compromised. We cannot do anything about these security breaches but we can do something about using strong passwords that are all different around the net and are not easily guessable.

I recently had someone in Poland that tried to hack into my dormant Yahoo! account, which lucky I had two factor authentication on so they could not get in. But with all the hacks recently and that having an identity online easily compromised I needed to do something about it.

I have been thinking about using LastPass for a few months/years and I do hear rave reviews for them but I always felt a bit scared if LastPass was compromised. After all these hacks I thought I better do some research and see what is so good about services like LastPass. After researching I finally switched to LastPass. Here are some reasons why.

It's Free!!!

That is always good, but there is a premium version as well.

LastPass doesn't know what you have stored

It is technically wrong what I said above, but after I explain how it works you can kinda see why I made this claim. Basic encryption uses keys, and that is what LastPass uses. However your key that is used to encrypt and decrypt are all stored and generated locally. This is all done by using Hashing SHA-256.

SHA-265 was developed by the NSA, but hold on it is not all bad. It is widely known that this algorithm will generate a hash that is unique based on the values used, but you cannot reverse engineer it (Google it if you want more detail on it). This hash, which is based on your username and password plus some salt (random characters) is used by LastPass to encrypt and decrypt the data passed between you and the server. Because SHA-256 can be used anywhere means that locally on your PC you can generate your own unique SHA-256 hash for your encryption which does not need to be shared. Brilliant, but how does LastPass know who you are?

What LastPass does it takes your encryption hash and hash it again with your password and some other information (salt) which creates another Hash and this Hash is then sent to LastPass for identity.

Now LastPass knows who you are, and you have your own encrypt and decrypt key you can now send information to LastPass servers securely and pretty much anonymously which is brilliant.

Even if say the NSA or the MI6 comes snooping for your data, even if they get hold of the data from LastPass, LastPass does not have the key to decrypt the data because it is held by you. The only way to get the data is to brute force and guess the decryption key. LastPass has that covered as well. On default they used a password iterator PBKDF2 which has 5000 passes. What this means that when you come to the hash, the hash goes through 5000 iteration. When brute forcing, 1 attempt to guess what the hash is requires 5000 computation operation which slows the process of brute force. As there is 2 to the power of 256 different combination available for SHA-256 it is going to take a long time to brute force the hash.

Generator

Pretty cool if you cannot think of one, but it allows up to 100 characters for a password. I won't recommend that long but it is good that you can have a generator with that length.

Available everywhere

Using Windows, Blackberry, Android or whatever LastPass is everywhere. This is a must if you are relying on a password manager and LastPass has that covered.

Available locally

You can download the database that is stored by LastPass locally on your machine in its same encryption format. Because the keys are generated locally for decryption it will work in the exact same way as it does online. Brilliant!

Multi Authentication

This is a biggy. I used two factor but LastPass offers a wide range of different types, from usb sticks, mobile app generator to a weird graph paper grid with numbers on. Basically this is key to saving all your passwords in one place as having something you know (master password) and something you have (the second authentication) is pretty much a must.

There are other solutions out there like 1Password, Keeper but I opted for LastPass. I am pretty sure they work in the same way. This may not stop website having security breaches but at least we can do a little bit to protect ourselves.

Resources
http://twit.tv/sn256 - Security Now (video) from Steve Gibson - Must Watch!!!
https://helpdesk.lastpass.com/getting-started/introduction/why-is-lastpass-safe/
http://webapps.stackexchange.com/questions/11361/how-does-lastpass-store-my-passwords-on-their-website
https://forums.lastpass.com/viewtopic.php?f=12&t=76344
http://perezbox.com/2012/06/is-lastpass-secure/



Popular posts from this blog

Android UX: Should the "Up" button die???

Currency Converter Version 1.1.3 - Android App