Lastpass was down today apparently.

You would if all digital copies failed you.


If all the digital copies of a well thought-out backup plan failed you, not having online account passwords probably isn't going to be a concern.


Not understanding the complaints here. There are always going to be issues that might cause a problem with access to online services outside the control of the company providing the services. Be it an ISP issue for some users, be it routing issues outside the control of the company providing the services, be it DC issues where the company provides the services. From their blog post it sure seems like they are on top of the issue.

If you use the browser extension, it would not have been an issue; you would have just used your offline cache. If you're not using the browser extension then you clearly are not using the tool as designed, but you could always access your passwords with the use of their offline tool https://helpdesk.lastpass.com/lastpass-on-the-go-2/lastpass-pocket/

As to the debate about printing out passwords: while this might be useful in a company (at my old company we did it when we changed all the local admin accounts), those passwords were never used, and I was really the only one who knew what they were changed to. They were locked in the safe at the facility, which you needed controlled access to even get to, and then you needed the safe combo.

As to printing out your personal passwords and putting them in a safe at a bank, this clearly makes it a pain to change passwords and update your backup list. You might be better off just storing this backup hard copy at your location.

Is printing out passwords and leaving them on your desk a bad idea? Sure!! But if you're going to print out your passwords as part of an emergency DR or backup plan, I don't see a problem with it, as long as this hard copy is stored securely with controls on who has access. The pain here is keeping this list updated when you change your passwords.


Is printing out passwords and leaving them on your desk a bad idea? Sure!! But if you're going to print out your passwords as part of an emergency DR or backup plan, I don't see a problem with it, as long as this hard copy is stored securely with controls on who has access. The pain here is keeping this list updated when you change your passwords.


Do yourself a favour and just use KeePass.

 

But KeePass is horrible, almost as horrible as RoboForm... so... no.

So I'm guessing you do not regularly change any of your 350 passwords? There's some good security.

 

Changing passwords frequently or even regularly does not inherently make them safer or more secure. It's a fallacy. In fact, regularly changing passwords is more likely to make them less secure.


Changing passwords frequently or even regularly does not inherently make them safer or more secure. It's a fallacy. In fact, regularly changing passwords is more likely to make them less secure.

Agree 100% with this statement. To be honest, the only time passwords need to be changed is if there is a chance they have been compromised: a person leaves or is no longer authorized to access something they might have passwords for, etc.

The one good reason to change passwords on a regular basis is if there is a chance that over a period of time passwords are exchanged with people who shouldn't have them. Let's say for example a tech you're working with is given a password; now normal controls should mean this password is then changed right after his access is no longer required. But this process may or may not happen. If that is the case then a regular change of the passwords could now remove that unauthorized access.

Changing passwords say every 90 days for the sake of changing them, agreed, is a bit of a fallacy, and forcing users to change their password every X days for no reason other than changing it doesn't buy you much security. If you're worried about someone brute-forcing the password then you would have to make the changes very frequent indeed. Better security would be lockout policies that require a manual unlock by someone who will look into the reason for the lockout, controls on how many attempts per second, alerts on such attempts, etc. etc.

If the password is secure, and there is controlled access to who has it (say only YOU!!), then changing it on a schedule can be more pain than it is worth. It could even be debated that the process causes lost hours, lockouts, people writing passwords down because they can't remember them since they have to change them so often, etc.

Now in light of such things as a site you visit being compromised, or things like Heartbleed coming to light, or hackers having a billion accounts, etc., it might be a good idea to not only change your passwords but re-evaluate the overall security of your passwords. If you're using a tool like LastPass, they have a built-in security scan that will list all your sites that have duplicate passwords, score their security, show whether you are using multifactor, etc.

Since you're not having to type these passwords with such a tool, make sure that all your passwords are using the max length a site allows for, make sure your sites are not using duplicates, etc.

Every single time I had to change all the local passwords I would bitch about how it was a pointless waste of time: they are all 20 characters long, they are not even used (so no chance of leakage by someone watching them be typed in or exchanged with people who then leak them, since they are locked in a safe and nobody knows them in the first place). You have to gain access to a controlled room to even use them, and since they are "local" you can not even use them across the network. But they had to be changed just the same for "audit" reasons...

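The post above mentions a password manager's built-in security scan that flags duplicate passwords, scores them and checks length. The following is an added example written for this thread, not LastPass code and not based on the LastPass export format: it runs that kind of audit over a small constructed vault export. The CSV layout (name,url,username,password), the 16-character minimum, the scoring weights and the sample entries are all assumptions chosen for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample vault export (fake accounts and passwords, not real data).
# The column layout is an assumption for this example, not a real export format.
SAMPLE_EXPORT = """name,url,username,password
Bank,https://bank.example,alice,Tr0ub4dor&3-long-enough!!
Forum,https://forum.example,alice,summer2014
Shop,https://shop.example,alice@example.com,summer2014
Mail,https://mail.example,alice,kX9#vP2q!mL8@wR4$nT6^zB1
Old ISP,https://isp.example,alice,pass
"""

MIN_LEN = 16  # assumed policy: anything shorter is flagged


def load_vault(text):
    """Parse the CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def find_reused(entries):
    """Return {password: [entry names]} for every password used on more than one site."""
    by_pw = defaultdict(list)
    for e in entries:
        by_pw[e["password"]].append(e["name"])
    return {pw: names for pw, names in by_pw.items() if len(names) > 1}


def find_short(entries, min_len=MIN_LEN):
    """Names of entries whose password is below the assumed minimum length."""
    return [e["name"] for e in entries if len(e["password"]) < min_len]


def char_classes(pw):
    """Count how many of lower/upper/digit/symbol appear in the password."""
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])


def score_entry(entry, reused, min_len=MIN_LEN):
    """Crude 0-100 score: up to 60 for length, 10 per character class,
    halved if the password is shared with another entry (reuse is the
    worst property here because one breach exposes every site using it)."""
    pw = entry["password"]
    score = 60 * min(len(pw), min_len) / min_len
    score += 10 * char_classes(pw)
    if pw in reused:
        score /= 2
    return round(score)


def audit(text, min_len=MIN_LEN):
    """Run the whole scan and return the findings as plain data."""
    entries = load_vault(text)
    reused = find_reused(entries)
    return {
        "reused": reused,
        "short": find_short(entries, min_len),
        "scores": {e["name"]: score_entry(e, reused, min_len) for e in entries},
    }


if __name__ == "__main__":
    report = audit(SAMPLE_EXPORT)
    for pw, names in report["reused"].items():
        print(f"REUSED on {', '.join(names)}: change each to a unique password")
    for name in report["short"]:
        print(f"SHORT    {name}: below {MIN_LEN} characters")
    for name, score in sorted(report["scores"].items(), key=lambda kv: kv[1]):
        print(f"{score:3d}/100  {name}")
```

Run it against your own export by replacing SAMPLE_EXPORT with the file contents; the lowest-scoring and reused entries are the ones worth changing first, which is the point the post makes: change passwords when there is a reason to, not on a calendar.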

Interestingly, LastPass being down exposes what is pretty much a massive flaw in their multifactor setup, in that if you permit offline login you can completely bypass multifactor authentication.


Interestingly, LastPass being down exposes what is pretty much a massive flaw in their multifactor setup, in that if you permit offline login you can completely bypass multifactor authentication.

Explain more, is it some sort of exploit?? I just tested, switched off the router and couldn't log in to LastPass (browser extension) without inserting my YubiKey.


There's a checkbox in the preferences of the Android app to allow offline access. I wouldn't call that an exploit.

I have permit offline access enabled but it still requires (in my case) my YubiKey to be inserted.


Changing passwords frequently or even regularly does not inherently make them safer or more secure. It's a fallacy. In fact, regularly changing passwords is more likely to make them less secure.

Very true, too many people equate "frequent change" with "secure". Although frequent password changes carry no risk of reducing security if you're already using a password manager, it just becomes merely inconvenient for very little gain.
