Password Best Practices and the
LastPass hack
Kevin O'Brien
Washtenaw Linux Users Group
What Are Best Practices
● There is a lot of confusion here
● Average users don't have the right priorities
● Look to the pros
● http://arstechnica.com/security/2015/07/what-amateurs-can-learn-from-security-pros-about-staying-safe-online/
Average Users' Top Practices
● Use Anti-Virus Software
● Use Strong Passwords
● Change Passwords Frequently
● Only Visit Web Sites They Know
● Don't Share Personal Information
Pros' Top Practices
● Install Software Updates
● Use Unique Passwords
● Use Two-Factor Authentication
● Use Strong Passwords
● Use A Password Manager
Only Practice They Agree On
Use Strong Passwords
Average Users Do Odd Things
● Change Passwords Frequently
● Only Visit Web Sites They Know
Changing Passwords Frequently
● OK, in their defense, IT departments insist on this, but it
makes no sense
● For what attack vector is this a defense?
● This is actually an example of how silly best practices
frequently are
Only Visit Web Sites They Know
● Makes the Web virtually unusable
● With link rot they will soon run out of sites to visit
● The only things left to visit will be Google and ESPN
Look at the Pros again
● Install Software Updates
● Use Unique Passwords
● Use Two-Factor Authentication
● Use Strong Passwords
● Use A Password Manager
Install Software Updates
● This is number one on the pros' list
● But many average users resist doing this
● It is OK to look at patches and triage them, but security
patches should be installed unless you know very well
what you are doing
● Most average users should automatically install them
Two-Factor Authentication
● This provides excellent security as part of a program
● But it requires just a little more effort
● I like solutions that push something to my phone to grant
access
● Duo Security is one excellent solution
Strong & Unique Passwords
● These are two separate practices, but they work together
to provide security
● Strong means long passwords with high entropy
● These are inherently difficult to remember
● The average user will never do this if it means memorizing them
Use A Password Manager
● The only way most users can have strong and unique
passwords is to use a Password Manager
● LastPass is one that is excellent
● But it was hacked recently
● https://blog.lastpass.com/2015/06/lastpass-security-notice.html/
Game Over for LastPass?
● I don't think so
● Security is a layered process
● You cannot prevent every intrusion with certainty
● The question is how you handle it
● LastPass handled it well, in my opinion
What They Said
“In our investigation, we have found no evidence that
encrypted user vault data was taken, nor that LastPass user
accounts were accessed. The investigation has shown,
however, that LastPass account email addresses, password
reminders, server per user salts, and authentication hashes
were compromised.”
So Why Are They OK?
● First, they segregated their network
● User password vaults were never accessed
● Contrast with Sony, where once the North Koreans got in,
they had access to everything
● This is a key security practice
Things They Had To Store
● Password Hint
● E-mail addresses
● Per-user password salts
● Hashed password values
● Encrypted database
What The Intruders Did Not Get
● Encrypted database – This was on a separate network
segment
● This means an intruder would need a second successful
attack to get the actual useful data
● If an intruder has for example a 1% chance of being
successful, the joint probability of being successful in both
attacks is .01%
● The actual percentages may be lower
What They Did Get
● E-mail addresses
● Password Hints
● Per-user Password salts
● Hashed password values
Why Is This Not So Bad?
● To really understand this you need to think about the threat
model and how security measures mitigate the threat
● As Bruce Schneier always says, the counter-measure
needs to work against the threat you have identified
● See my article Sensible Security: The Schneier Model at
http://www.zwilnik.com/?page_id=577
What Is The Threat?
● If the NSA was behind the intrusion and they have
specifically targeted you as a “person of interest” you
might be at risk here
● But realistically, if they are specifically going after you, your
LastPass account is the least of your worries, and you
should be studying Edward Snowden like a rabbi studies
scripture
● The threat I worry about is someone trying to grab a bunch
of passwords for criminal uses
This Threat Is Manageable!
There is a story about two campers who hear a bear
searching the campsite. One of them looks for sneakers to
run away. The other one says “That is no use, you can't
outrun a bear.” And the first one says “I know, but I only
have to outrun you!”
Security Is Comparative
● So if the NSA is targeting you that is a problem
● But most times you just need to put up a speed bump so
that they get other people instead
● That means stopping the most common attacks
Salted Hash
● This is your first level of defense
● It adds a random number to your password before it is
hashed
● This “salt” must, perforce, be stored on the same server as
the hash
● But, and this is crucial, it gives security against dictionary
attacks
Dictionary Attacks
● Every known password is in a dictionary
● The dictionary is then hashed
● The hashes in the dictionary are then compared to the hashes in the
web site database
● When they match, you know the password
How Salts Protect
● When there is a salt added to each password, even if the
salt is known and tied to the user, it forces the intruder to
create a dictionary for each salt they find
● This is so time consuming that most intruders will not
bother
● They are looking for millions of passwords, so they would
need millions of dictionaries
● Does not apply to the NSA if they are after you
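To make the two slides above concrete (a prepared dictionary matched against stored hashes, and why a per-user salt defeats the prepared table), here is an added Python model that is not part of the talk and not LastPass code. It assumes a constructed six-word list and three constructed users, with plain SHA-256 standing in for whatever hash a site uses.

```python
import hashlib
import os

# Constructed sample word list standing in for a cracking dictionary.
WORDLIST = ["password", "letmein", "123456", "qwerty", "dragon", "monkey"]

# Constructed sample users; two of them share a weak password.
USERS = {
    "alice": "letmein",
    "bob": "letmein",
    "carol": "correct horse battery staple",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_precomputed_table(words):
    """Hash the whole dictionary once: the prepared table the slides describe.
    Built one time, reusable against any unsalted database."""
    return {sha256_hex(w.encode()): w for w in words}


def store_unsalted(users):
    """Weak server design: a bare hash of each password, no salt."""
    return {name: sha256_hex(pw.encode()) for name, pw in users.items()}


def store_salted(users, salt_len=16):
    """Stronger design: a random per-user salt stored next to hash(salt || password).
    The salt is not secret; as the slides note, it has to sit beside the hash."""
    db = {}
    for name, pw in users.items():
        salt = os.urandom(salt_len)
        db[name] = (salt.hex(), sha256_hex(salt + pw.encode()))
    return db


def lookup_unsalted(db, table):
    """One table lookup per stored hash. Every user whose password is in the
    word list falls at once, and shared passwords are exposed together."""
    return {name: table[h] for name, h in db.items() if h in table}


def lookup_salted_with_table(db, table):
    """The same prepared table against a salted store: hash(salt || password)
    never equals the hash of a bare word, so the table yields nothing."""
    return {name: table[h] for name, (_salt, h) in db.items() if h in table}


def salted_work_factor(db, words):
    """Hashes an intruder would have to compute to test the word list against
    every salted record: one full dictionary per salt, as the slides say."""
    return len(db) * len(words)


if __name__ == "__main__":
    table = build_precomputed_table(WORDLIST)
    print("unsalted store, prepared table:", lookup_unsalted(store_unsalted(USERS), table))
    salted = store_salted(USERS)
    print("salted store, same table:", lookup_salted_with_table(salted, table))
    print("hash computations to redo the dictionary per salt:",
          salted_work_factor(salted, WORDLIST))
```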
So, LastPass Did Not Err
● Yes, the salts and the hashes were exposed
● But when you look at the threat model, the use of salts
added significant security to protecting people's data
● The hashing algorithm added even more
Client-Side Algorithm
● You create a vault
● It is secured with a Master Password
● This password is hashed together with your user name
● The hashing uses SHA-256, an excellent hash
● This is done multiple times, 5000 by default, but you can
change that
Server-Side Algorithm
● The Client-Side process creates a key, which is hashed
again and sent to the server
● The server adds a random salt to this key, and then
hashes another 100,000 times
● This is your encryption key, and is used to encrypt your
password database
● LastPass does not have your key
LastPass Does Not Have Your Key
● This is worth repeating
● They really don't have it
● They can't turn it over to the government
● Worst-case scenario, they can turn over the random salt
and the hash they have stored
● This could possibly be cracked if the government really
tries and you were lazy
Losing Your Password
● I have done this experiment
● LastPass really cannot help you if you lose your password
● The best they can do is give you an earlier version of your
encrypted database
● This will help if you remember your previous password
● Otherwise, you are SOL
Reversing Hashes
● Hashing is a well-defined, deterministic algorithm: anyone who
has all of the parameters can recompute the result
● Adding security means making those parameters hard to
recover by your opponent
● Hashing does require resources
● Doing it for millions of passwords is not trivial
What Intruders Do
● They get the database of hashes
● They use a prepared dictionary of passwords that are
already hashed
● They run a comparison
● And they get hits
● They don't need to find every password, just enough to be
profitable
Success Percentages
● In 2013 a widely reported study found that 90% of
passwords were cracked with little difficulty
● However, this study used MD5, which even then was not
regarded as secure
● But if a database of hashes is done badly, success rates of
over 70% are not too difficult
● Your objective is to be in the 30% that are still uncracked when the crackers give up
How To Erect Barriers
● Number one is your Master Password
● This is the most important thing to pay attention to
● Length and entropy matter here
● Remember, you only need one!
● LastPass will remember all the other ones for you!
Change Defaults
● Remember that LastPass does 5000 rounds of hashing by
default
● That is information a cracker can use!
● Change the default to something bigger
● And don't make it a round number: 19,457 is better than
20,000
● The cracker cannot get your password without knowing
this, or else calculating every possible number
Unique!
● Your LastPass master password should be one you never
use on any other site
● A common problem with re-used passwords is that if one
site with bad security lets the bad guys get it, they will try it
on other sites as well
● Let LastPass remember your Bank password, that is what
it is there for
What your password does
● Every time you open LastPass you need to login with your
Master Password
● Your client software will then combine that with your user
name, and hash it the number of times you specified to
get your key
● This is sent to the server, where the known salt is added,
and it is then hashed 100,000 times
● Then your password vault is opened
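The steps under "Client-Side Algorithm", "Server-Side Algorithm" and "What your password does" are modelled below in added Python; this is not LastPass's code, and the exact construction is not on the slides. Assumptions: PBKDF2-HMAC-SHA256 is the "hashed N times" primitive (with the user name as the client-side salt), the extra client hash is one plain SHA-256, the server salt is 16 random bytes, and the user name, passwords and the 19,457 round count are constructed samples.

```python
import hashlib
import hmac
import os

# Parameters from the slides: SHA-256, 5000 client rounds by default, 100,000 server rounds.
DEFAULT_CLIENT_ROUNDS = 5000
SERVER_ROUNDS = 100_000


def client_derive_vault_key(master_password: str, username: str,
                            rounds: int = DEFAULT_CLIENT_ROUNDS) -> bytes:
    """Client side: the master password is hashed `rounds` times together with
    the user name (assumption: PBKDF2-HMAC-SHA256, user name as salt).
    The result is the vault key; it is used locally and never leaves the device."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), username.encode(), rounds)


def client_auth_hash(vault_key: bytes) -> bytes:
    """Client side: the vault key is hashed once more and only this value is
    sent to the server (assumption: a single plain SHA-256)."""
    return hashlib.sha256(vault_key).digest()


class Server:
    """Models the server store: a random per-user salt and the 100,000-round
    hash of the authentication value the client sent. These two items are what
    the LastPass notice says was exposed; the vault key is not here to be taken."""

    def __init__(self):
        self.records = {}

    @staticmethod
    def _stretch(auth_hash: bytes, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ROUNDS)

    def enroll(self, username: str, auth_hash: bytes) -> None:
        salt = os.urandom(16)  # per-user salt; 16 bytes is an assumption
        self.records[username] = (salt, self._stretch(auth_hash, salt))

    def verify(self, username: str, auth_hash: bytes) -> bool:
        """Recompute with the stored salt and compare in constant time.
        Unknown users fail rather than raise."""
        record = self.records.get(username)
        if record is None:
            return False
        salt, stored = record
        return hmac.compare_digest(self._stretch(auth_hash, salt), stored)

    def breach_exposes(self, username: str) -> dict:
        """What an intruder on the server segment would see for this user."""
        salt, stored = self.records[username]
        return {"salt": salt.hex(), "auth_hash": stored.hex()}


def login(server: Server, username: str, master_password: str, rounds: int):
    """The round trip from the 'What your password does' slide.
    Returns (accepted, vault_key); the key only opens the vault when the
    server accepted the authentication hash, and a wrong round count
    derives a different key, so the client must know the count it was set to."""
    vault_key = client_derive_vault_key(master_password, username, rounds)
    accepted = server.verify(username, client_auth_hash(vault_key))
    return accepted, vault_key


if __name__ == "__main__":
    # Constructed sample user; the round count is a non-default value as the slides suggest.
    user, pw, rounds = "alice@example.com", "correct horse battery staple", 19457
    srv = Server()
    srv.enroll(user, client_auth_hash(client_derive_vault_key(pw, user, rounds)))

    print("correct password, correct rounds:", login(srv, user, pw, rounds)[0])
    print("correct password, default rounds:", login(srv, user, pw, DEFAULT_CLIENT_ROUNDS)[0])
    print("wrong password:", login(srv, user, "hunter2", rounds)[0])
    print("server-side record:", srv.breach_exposes(user))
```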
Is This Enough?
● You have a very strong master password
● You have changed the default settings for client side
hashing
● LastPass uses a strong algorithm for hashing, SHA-256,
not something like MD5 or SHA-1, which are deprecated
for any serious security work
● This is all good
One More Thing
● There is one more thing you can do to stop anyone getting
in
● You can have two-factor authentication for LastPass:
https://helpdesk.lastpass.com/multifactor-authentication-options
● I use Duo Security for mine
● I cannot log in to LastPass without approving it on my
phone
Conclusion
● Four of the five top strategies used by security pros are
addressed by this
– Use Unique Passwords
– Use Two-Factor Authentication
– Use Strong Passwords
– Use A Password Manager
● And that is why I still use LastPass, and pay for a premium
account (all of $12/year)

Weitere ähnliche Inhalte

Ähnlich wie Password best practices and the last pass hack

An Introduction to Hashing and Salting
An Introduction to Hashing and SaltingAn Introduction to Hashing and Salting
An Introduction to Hashing and SaltingRahul Singh
 
All Your Password Are Belong To Us
All Your Password Are Belong To UsAll Your Password Are Belong To Us
All Your Password Are Belong To UsCharles Southerland
 
Passwords good badugly181212-2
Passwords good badugly181212-2Passwords good badugly181212-2
Passwords good badugly181212-2Iftach Ian Amit
 
11 Commandments of Cyber Security for the Home
11 Commandments of Cyber Security for the Home11 Commandments of Cyber Security for the Home
11 Commandments of Cyber Security for the Homezaimorkai
 
Care and feeding of your website
Care and feeding of your websiteCare and feeding of your website
Care and feeding of your websiteShawn DeWolfe
 
OSMC 2015 | Testing in Production by Devdas Bhagat
OSMC 2015 | Testing in Production by Devdas BhagatOSMC 2015 | Testing in Production by Devdas Bhagat
OSMC 2015 | Testing in Production by Devdas BhagatNETWAYS
 
OSMC 2015: Testing in Production by Devdas Bhagat
OSMC 2015: Testing in Production by Devdas BhagatOSMC 2015: Testing in Production by Devdas Bhagat
OSMC 2015: Testing in Production by Devdas BhagatNETWAYS
 
Identifying a Compromised WordPress Site
Identifying a Compromised WordPress SiteIdentifying a Compromised WordPress Site
Identifying a Compromised WordPress SiteChris Burgess
 
Word camp pune 2013 security
Word camp pune 2013   securityWord camp pune 2013   security
Word camp pune 2013 securityGaurav Singh
 
Security is not a feature
Security is not a featureSecurity is not a feature
Security is not a featureElizabeth Smith
 
Heartbleed Explained & LastPass Demo
Heartbleed Explained & LastPass DemoHeartbleed Explained & LastPass Demo
Heartbleed Explained & LastPass DemoWilliam Mann
 
2 Laymans Course - LAMP V2.pptx
2 Laymans Course - LAMP V2.pptx2 Laymans Course - LAMP V2.pptx
2 Laymans Course - LAMP V2.pptxssuser2f0fb0
 
How to Protect Yourself From Heartbleed Security Flaw
How to Protect Yourself From Heartbleed Security FlawHow to Protect Yourself From Heartbleed Security Flaw
How to Protect Yourself From Heartbleed Security FlawConnectSafely
 
West Chester Staff Technology Training - Website,LastPass and Tips!
West Chester Staff Technology Training   - Website,LastPass and Tips!West Chester Staff Technology Training   - Website,LastPass and Tips!
West Chester Staff Technology Training - Website,LastPass and Tips!William Mann
 
Honeywords - BSides London 2014
Honeywords - BSides London 2014Honeywords - BSides London 2014
Honeywords - BSides London 2014Gavin Holt
 
Naked and Vulnerable - A Cybersecurity Starter Kit from Camp IT Dec 2016
Naked and Vulnerable - A Cybersecurity Starter Kit from Camp IT Dec 2016Naked and Vulnerable - A Cybersecurity Starter Kit from Camp IT Dec 2016
Naked and Vulnerable - A Cybersecurity Starter Kit from Camp IT Dec 2016Ted Wentzel
 
Improving Password Based Security
Improving Password Based SecurityImproving Password Based Security
Improving Password Based SecurityRare Input
 

Ähnlich wie Password best practices and the last pass hack (20)

Passwords
PasswordsPasswords
Passwords
 
An Introduction to Hashing and Salting
An Introduction to Hashing and SaltingAn Introduction to Hashing and Salting
An Introduction to Hashing and Salting
 
All Your Password Are Belong To Us
All Your Password Are Belong To UsAll Your Password Are Belong To Us
All Your Password Are Belong To Us
 
Passwords good badugly181212-2
Passwords good badugly181212-2Passwords good badugly181212-2
Passwords good badugly181212-2
 
11 Commandments of Cyber Security for the Home
11 Commandments of Cyber Security for the Home11 Commandments of Cyber Security for the Home
11 Commandments of Cyber Security for the Home
 
Care and feeding of your website
Care and feeding of your websiteCare and feeding of your website
Care and feeding of your website
 
Password Cracking
Password CrackingPassword Cracking
Password Cracking
 
OSMC 2015 | Testing in Production by Devdas Bhagat
OSMC 2015 | Testing in Production by Devdas BhagatOSMC 2015 | Testing in Production by Devdas Bhagat
OSMC 2015 | Testing in Production by Devdas Bhagat
 
OSMC 2015: Testing in Production by Devdas Bhagat
OSMC 2015: Testing in Production by Devdas BhagatOSMC 2015: Testing in Production by Devdas Bhagat
OSMC 2015: Testing in Production by Devdas Bhagat
 
Identifying a Compromised WordPress Site
Identifying a Compromised WordPress SiteIdentifying a Compromised WordPress Site
Identifying a Compromised WordPress Site
 
Word camp pune 2013 security
Word camp pune 2013   securityWord camp pune 2013   security
Word camp pune 2013 security
 
Security is not a feature
Security is not a featureSecurity is not a feature
Security is not a feature
 
Heartbleed Explained & LastPass Demo
Heartbleed Explained & LastPass DemoHeartbleed Explained & LastPass Demo
Heartbleed Explained & LastPass Demo
 
2 Laymans Course - LAMP V2.pptx
2 Laymans Course - LAMP V2.pptx2 Laymans Course - LAMP V2.pptx
2 Laymans Course - LAMP V2.pptx
 
Password Attack
Password AttackPassword Attack
Password Attack
 
How to Protect Yourself From Heartbleed Security Flaw
How to Protect Yourself From Heartbleed Security FlawHow to Protect Yourself From Heartbleed Security Flaw
How to Protect Yourself From Heartbleed Security Flaw
 
West Chester Staff Technology Training - Website,LastPass and Tips!
West Chester Staff Technology Training   - Website,LastPass and Tips!West Chester Staff Technology Training   - Website,LastPass and Tips!
West Chester Staff Technology Training - Website,LastPass and Tips!
 
Honeywords - BSides London 2014
Honeywords - BSides London 2014Honeywords - BSides London 2014
Honeywords - BSides London 2014
 
Naked and Vulnerable - A Cybersecurity Starter Kit from Camp IT Dec 2016
Naked and Vulnerable - A Cybersecurity Starter Kit from Camp IT Dec 2016Naked and Vulnerable - A Cybersecurity Starter Kit from Camp IT Dec 2016
Naked and Vulnerable - A Cybersecurity Starter Kit from Camp IT Dec 2016
 
Improving Password Based Security
Improving Password Based SecurityImproving Password Based Security
Improving Password Based Security
 

Mehr von Kevin OBrien

Diffie_Hellman-Merkle Key Exchange
Diffie_Hellman-Merkle Key ExchangeDiffie_Hellman-Merkle Key Exchange
Diffie_Hellman-Merkle Key ExchangeKevin OBrien
 
Linux Directory Structure
Linux Directory StructureLinux Directory Structure
Linux Directory StructureKevin OBrien
 
Hardware Discovery Commands
Hardware Discovery CommandsHardware Discovery Commands
Hardware Discovery CommandsKevin OBrien
 
Introduction to linux
Introduction to linuxIntroduction to linux
Introduction to linuxKevin OBrien
 
Help, my computer is sluggish
Help, my computer is sluggishHelp, my computer is sluggish
Help, my computer is sluggishKevin OBrien
 
Installing Software, Part 3: Command Line
Installing Software, Part 3: Command LineInstalling Software, Part 3: Command Line
Installing Software, Part 3: Command LineKevin OBrien
 
Installing Software, Part 2: Package Managers
Installing Software, Part 2: Package ManagersInstalling Software, Part 2: Package Managers
Installing Software, Part 2: Package ManagersKevin OBrien
 
Installing Software, Part 1 - Repositories
Installing Software, Part 1 - RepositoriesInstalling Software, Part 1 - Repositories
Installing Software, Part 1 - RepositoriesKevin OBrien
 
Installing Linux: Partitioning and File System Considerations
Installing Linux: Partitioning and File System ConsiderationsInstalling Linux: Partitioning and File System Considerations
Installing Linux: Partitioning and File System ConsiderationsKevin OBrien
 
The ifconfig Command
The ifconfig CommandThe ifconfig Command
The ifconfig CommandKevin OBrien
 
Find and Locate: Two Commands
Find and Locate: Two CommandsFind and Locate: Two Commands
Find and Locate: Two CommandsKevin OBrien
 
The Shell Game Part 4: Bash Shortcuts
The Shell Game Part 4: Bash ShortcutsThe Shell Game Part 4: Bash Shortcuts
The Shell Game Part 4: Bash ShortcutsKevin OBrien
 
The Shell Game Part 3: Introduction to Bash
The Shell Game Part 3: Introduction to BashThe Shell Game Part 3: Introduction to Bash
The Shell Game Part 3: Introduction to BashKevin OBrien
 
The Shell Game Part 2: What are your shell choices?
The Shell Game Part 2: What are your shell choices?The Shell Game Part 2: What are your shell choices?
The Shell Game Part 2: What are your shell choices?Kevin OBrien
 

Mehr von Kevin OBrien (20)

American icon pmi
American icon   pmiAmerican icon   pmi
American icon pmi
 
Tls 1.3
Tls 1.3Tls 1.3
Tls 1.3
 
Forward Secrecy
Forward SecrecyForward Secrecy
Forward Secrecy
 
Diffie_Hellman-Merkle Key Exchange
Diffie_Hellman-Merkle Key ExchangeDiffie_Hellman-Merkle Key Exchange
Diffie_Hellman-Merkle Key Exchange
 
SSL certificates
SSL certificatesSSL certificates
SSL certificates
 
Encryption basics
Encryption basicsEncryption basics
Encryption basics
 
Linux Directory Structure
Linux Directory StructureLinux Directory Structure
Linux Directory Structure
 
Hardware Discovery Commands
Hardware Discovery CommandsHardware Discovery Commands
Hardware Discovery Commands
 
Introduction to linux
Introduction to linuxIntroduction to linux
Introduction to linux
 
Help, my computer is sluggish
Help, my computer is sluggishHelp, my computer is sluggish
Help, my computer is sluggish
 
The ps Command
The ps CommandThe ps Command
The ps Command
 
Installing Software, Part 3: Command Line
Installing Software, Part 3: Command LineInstalling Software, Part 3: Command Line
Installing Software, Part 3: Command Line
 
Installing Software, Part 2: Package Managers
Installing Software, Part 2: Package ManagersInstalling Software, Part 2: Package Managers
Installing Software, Part 2: Package Managers
 
Installing Software, Part 1 - Repositories
Installing Software, Part 1 - RepositoriesInstalling Software, Part 1 - Repositories
Installing Software, Part 1 - Repositories
 
Installing Linux: Partitioning and File System Considerations
Installing Linux: Partitioning and File System ConsiderationsInstalling Linux: Partitioning and File System Considerations
Installing Linux: Partitioning and File System Considerations
 
The ifconfig Command
The ifconfig CommandThe ifconfig Command
The ifconfig Command
 
Find and Locate: Two Commands
Find and Locate: Two CommandsFind and Locate: Two Commands
Find and Locate: Two Commands
 
The Shell Game Part 4: Bash Shortcuts
The Shell Game Part 4: Bash ShortcutsThe Shell Game Part 4: Bash Shortcuts
The Shell Game Part 4: Bash Shortcuts
 
The Shell Game Part 3: Introduction to Bash
The Shell Game Part 3: Introduction to BashThe Shell Game Part 3: Introduction to Bash
The Shell Game Part 3: Introduction to Bash
 
The Shell Game Part 2: What are your shell choices?
The Shell Game Part 2: What are your shell choices?The Shell Game Part 2: What are your shell choices?
The Shell Game Part 2: What are your shell choices?
 

Kürzlich hochgeladen

Gram Darshan PPT cyber rural in villages of india
Gram Darshan PPT cyber rural  in villages of indiaGram Darshan PPT cyber rural  in villages of india
Gram Darshan PPT cyber rural in villages of indiaimessage0108
 
Russian Call girls in Dubai +971563133746 Dubai Call girls
Russian  Call girls in Dubai +971563133746 Dubai  Call girlsRussian  Call girls in Dubai +971563133746 Dubai  Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girlsstephieert
 
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Callshivangimorya083
 
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa  Call Girls Real Photos and Genuine ServiceHot Service (+9316020077 ) Goa  Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Servicesexy call girls service in goa
 
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani 🤌  8250192130 🚀 Vip Call Girls KolkataLow Rate Call Girls Kolkata Avani 🤌  8250192130 🚀 Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl ServiceRussian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl Servicegwenoracqe6
 
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Delhi Call girls
 
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607dollysharma2066
 
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts servicevipmodelshub1
 
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌  8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Ishita 🤌  8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌  8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Samaira 🤌  8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130  Available With RoomVIP Kolkata Call Girl Kestopur 👉 8250192130  Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Roomdivyansh0kumar0
 
How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)Damian Radcliffe
 
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxAWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxellan12
 
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130  Available With RoomVIP Kolkata Call Girl Alambazar 👉 8250192130  Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Roomdivyansh0kumar0
 
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort ServiceEnjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort ServiceDelhi Call girls
 

Kürzlich hochgeladen (20)

Gram Darshan PPT cyber rural in villages of india
Gram Darshan PPT cyber rural  in villages of indiaGram Darshan PPT cyber rural  in villages of india
Gram Darshan PPT cyber rural in villages of india
 
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
 
Russian Call girls in Dubai +971563133746 Dubai Call girls
Russian  Call girls in Dubai +971563133746 Dubai  Call girlsRussian  Call girls in Dubai +971563133746 Dubai  Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girls
 
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
 
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
 
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa  Call Girls Real Photos and Genuine ServiceHot Service (+9316020077 ) Goa  Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
 
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani 🤌  8250192130 🚀 Vip Call Girls KolkataLow Rate Call Girls Kolkata Avani 🤌  8250192130 🚀 Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl ServiceRussian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
 
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
 
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
 
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
 
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌  8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Ishita 🤌  8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌  8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Samaira 🤌  8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130  Available With RoomVIP Kolkata Call Girl Kestopur 👉 8250192130  Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
 
How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)
 
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxAWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
 
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130  Available With RoomVIP Kolkata Call Girl Alambazar 👉 8250192130  Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
 
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort ServiceEnjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
 

Password best practices and the last pass hack

Strong & Unique Passwords
● These are two separate practices, but they work together to provide security
● Strong means long passwords with high entropy
● These are inherently difficult to remember
● The average user will never do this if it means memorizing
Use A Password Manager
● The only way most users can have strong and unique passwords is to use a Password Manager
● LastPass is one that is excellent
● But it was hacked recently
● https://blog.lastpass.com/2015/06/lastpass-security-notice.html/
Game Over for LastPass?
● I don't think so
● Security is a layered process
● You cannot with certainty prevent any intrusion
● The question is how you handle it
● LastPass handled it well, in my opinion
What They Said
“In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.”
So Why Are They OK?
● First, they segregated their network
● User password vaults were never accessed
● Contrast with Sony, where once the North Koreans got in, they had access to everything
● This is a key security practice
Things They Had To Store
● Password Hint
● E-mail addresses
● Per-user password salts
● Hashed password values
● Encrypted database
What The Intruders Did Not Get
● Encrypted database – This was on a separate network segment
● This means an intruder would need a second successful attack to get the actual useful data
● If an intruder has for example a 1% chance of being successful, the joint probability of being successful in both attacks is .01%
● The actual percentages may be lower
What They Did Get
● E-mail addresses
● Password Hints
● Per-user Password salts
● Hashed password values
Why Is This Not So Bad?
● To really understand this you need to think about the threat model and how security measures mitigate the threat
● As Bruce Schneier always says, the counter-measure needs to work against the threat you have identified
● See my article Sensible Security: The Schneier Model at http://www.zwilnik.com/?page_id=577
What Is The Threat?
● If the NSA was behind the intrusion and they have specifically targeted you as a “person of interest” you might be at risk here
● But realistically, if they are specifically going after you, your LastPass account is the least of your worries, and you should be studying Edward Snowden like a rabbi studies scripture
● The threat I worry about is someone trying to grab a bunch of passwords for criminal uses
This Threat Is Manageable!
There is a story about two campers who hear a bear searching the campsite. One of them looks for sneakers to run away. The other one says “That is no use, you can't outrun a bear.” And the first one says “I know, but I only have to outrun you!”
Security Is Comparative
● So if the NSA is targeting you that is a problem
● But most times you just need to put up a speed bump so that they get other people instead
● That means stopping the most common attacks
Salted Hash
● This is your first level of defense
● It adds a random number to your password before it is hashed
● This “salt” must, perforce, be stored on the same server as the hash
● But, and this is crucial, it gives security against dictionary attacks
Dictionary Attacks
● Every known password is in a dictionary
● The dictionary is then hashed
● The hashes in the dictionary are then compared to the hashes in the web site database
● When they match, you know the password
How Salts Protect
● When there is a salt added to each password, even if the salt is known and tied to the user, it forces the intruder to create a dictionary for each salt they find
● This is so time consuming that most intruders will not bother
● They are looking for millions of passwords, so they would need millions of dictionaries
● Does not apply to the NSA if they are after you
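The cost argument made under Salted Hash, Dictionary Attacks and How Salts Protect, as an added Python example that is not from the talk: the dictionary and the users' passwords are constructed sample data, and SHA-256 stands in for whatever hash a site uses. Without salts one hashed dictionary serves every user; with a known per-user salt the dictionary has to be re-hashed for each user, so the work multiplies by the number of users.

```python
import hashlib
import os

# Constructed sample data (not from the talk): a tiny dictionary of common
# passwords and a few users, some of whom chose a dictionary word.
DICTIONARY = ["password", "123456", "letmein", "qwerty", "welcome1"]
USERS = {"alice": "letmein", "bob": "qwerty", "carol": "T3#kq9!vLp2z", "dave": "letmein"}


def unsalted_store(users):
    """Naive storage: the bare SHA-256 of each password."""
    return {u: hashlib.sha256(p.encode()).hexdigest() for u, p in users.items()}


def salted_store(users):
    """Per-user random salt, stored beside SHA-256(salt || password)."""
    store = {}
    for u, p in users.items():
        salt = os.urandom(16)
        store[u] = (salt, hashlib.sha256(salt + p.encode()).hexdigest())
    return store


def crack_unsalted(store, dictionary):
    """One hashed dictionary serves every user. Returns (hits, hash operations)."""
    table = {hashlib.sha256(w.encode()).hexdigest(): w for w in dictionary}
    hits = {u: table[h] for u, h in store.items() if h in table}
    return hits, len(dictionary)


def crack_salted(store, dictionary):
    """The salt is known (it sits beside the hash), but the dictionary must be
    re-hashed for every user, so the cost grows with the number of users."""
    hits, ops = {}, 0
    for u, (salt, h) in store.items():
        for w in dictionary:
            ops += 1
            if hashlib.sha256(salt + w.encode()).hexdigest() == h:
                hits[u] = w
                break
    return hits, ops


if __name__ == "__main__":
    hits, ops = crack_unsalted(unsalted_store(USERS), DICTIONARY)
    print("unsalted:", hits, "after", ops, "hashes")
    hits, ops = crack_salted(salted_store(USERS), DICTIONARY)
    print("salted:  ", hits, "after", ops, "hashes")
```

Note that alice and dave share a password: in the unsalted store their hashes are identical, so one hit gives away both, while in the salted store they differ.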
So, LastPass Did Not Err
● Yes, the salts and the hashes were exposed
● But when you look at the threat model, the use of salts added significant security to protecting people's data
● The hashing algorithm added even more
Client-Side Algorithm
● You create a vault
● It is secured with a Master Password
● This password is hashed together with your user name
● The hashing uses SHA-256, an excellent hash
● This is done multiple times, by default 5000, but you can change that
Server-Side Algorithm
● The Client-Side process creates a key, which is hashed again and sent to the server
● The server adds a random salt to this key, and then hashes another 100,000 times
● This is your encryption key, and is used to encrypt your password database
● LastPass does not have your key
LastPass Does Not Have Your Key
● This is worth repeating
● They really don't have it
● They can't turn it over to the government
● Worst-case scenario, they can turn over the random salt and the hash they have stored
● This could possibly be cracked if the government really tries and you were lazy
Losing Your Password
● I have done this experiment
● LastPass really cannot help you if you lose your password
● The best they can do is give you an earlier version of your encrypted database
● This will help if you remember your previous password
● Otherwise, you are SOL
Reversing Hashes
● Hashing is a well-defined algorithm: anyone who has all of the parameters can reproduce the hash
● Adding security means making those parameters hard for your opponent to recover
● Hashing does require resources
● Doing it for millions of passwords is not trivial
What Intruders Do
● They get the database of hashes
● They use a prepared dictionary of passwords that are already hashed
● They run a comparison
● And they get hits
● They don't need to find every password, just enough to be profitable
Success Percentages
● In 2013 a widely reported study found that 90% of passwords were cracked with little difficulty
● However, this study used MD5, which even then was not regarded as secure
● But if a database of hashes is done badly, success rates of over 70% are not too difficult
● Your objective is to be in the 30% still uncracked when the crackers give up
How To Erect Barriers
● Number one is your Master Password
● This is the most important thing to pay attention to
● Length and entropy matter here
● Remember, you only need one!
● LastPass will remember all the other ones for you!
Change Defaults
● Remember that LastPass does 5000 rounds of hashing by default
● That is information a cracker can use!
● Change the default to something bigger
● And don't make it a round number: 19,457 is better than 20,000
● The cracker cannot get your password without knowing this, or else trying every possible number of rounds
Unique!
● Your LastPass master password should be one you never use on any other site
● A common problem with re-used passwords is that if one site with bad security lets the bad guys get it, they will try it on other sites as well
● Let LastPass remember your Bank password, that is what it is there for
What your password does
● Every time you open LastPass you need to login with your Master Password
● Your Client software will then combine that with your user name, and hash it the number of times you specified to get your key
● This is sent to the server, where the known salt is added, and it is then hashed 100,000 times
● Then your password vault is opened
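The two-stage flow the talk lays out under Client-Side Algorithm, Server-Side Algorithm, Change Defaults and What your password does, modelled as an added Python example; this is not LastPass's own code. The round counts (5000 client-side by default, 100,000 server-side) come from the talk; using the user name as the client-side salt and PBKDF2-HMAC-SHA256 as the iterated hash are my assumptions, and the credentials are constructed.

```python
import hashlib
import hmac
import os

# Numbers from the talk: 5000 client-side rounds by default, 100,000 server-side.
DEFAULT_CLIENT_ROUNDS = 5000
SERVER_ROUNDS = 100_000


def client_key(master_password: str, username: str, rounds: int = DEFAULT_CLIENT_ROUNDS) -> bytes:
    """Client side: the master password hashed together with the user name,
    `rounds` times, using SHA-256. Assumption: the user name serves as the
    salt and the iteration is PBKDF2-HMAC-SHA256; the talk does not say."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), username.encode(), rounds)


def server_hash(key: bytes, salt: bytes) -> bytes:
    """Server side: a random per-user salt is added and the key is hashed another 100,000 times."""
    return hashlib.pbkdf2_hmac("sha256", key, salt, SERVER_ROUNDS)


def enroll(master_password: str, username: str, rounds: int = DEFAULT_CLIENT_ROUNDS) -> dict:
    """The record the server keeps: user name, salt and hash, never the master password."""
    salt = os.urandom(16)
    key = client_key(master_password, username, rounds)
    return {"username": username, "salt": salt, "hash": server_hash(key, salt)}


def verify(record: dict, master_password: str, rounds: int = DEFAULT_CLIENT_ROUNDS) -> bool:
    """Login: recompute both stages and compare in constant time. The client
    must use the same round count it enrolled with, which is why a non-default
    count is one more thing anyone holding the salt and hash has to guess."""
    key = client_key(master_password, record["username"], rounds)
    return hmac.compare_digest(server_hash(key, record["salt"]), record["hash"])


if __name__ == "__main__":
    # Constructed sample credentials, with the non-round count the talk suggests.
    rec = enroll("correct horse battery staple", "alice@example.com", rounds=19457)
    print("right password, right rounds:", verify(rec, "correct horse battery staple", rounds=19457))
    print("right password, default rounds:", verify(rec, "correct horse battery staple"))
```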
Is This Enough?
● You have a very strong master password
● You have changed the default settings for client side hashing
● LastPass uses a strong algorithm for hashing, SHA-256, not something like MD5 or SHA-1, which are deprecated for any serious security work
● This is all good
One More Thing
● There is one more thing you can do to stop anyone getting in
● You can have two-factor authentication for LastPass: https://helpdesk.lastpass.com/multifactor-authentication-options
● I use Duo Security for mine
● I cannot log in to LastPass without approving it on my phone
Conclusion
● Four of the five top strategies used by security pros are addressed by this
– Use Unique Passwords
– Use Two-Factor Authentication
– Use Strong Passwords
– Use A Password Manager
● And that is why I still use LastPass, and pay for a premium account (all of $12/year)