Change your LastPass passwords now

Forums › Off topic › Change your LastPass passwords now

1 | 2 | 3 | 4

3523 posts

Uber Geek

Trusted

#1326117 16-Jun-2015 21:38

richms: Time for a new masterpassword.

Good thing too because I was getting sick of the one I had with its too many alternating symbols and letters. Pain on the phone.

+1

I ended up changing some of the symbols on my master password because the old ones weren't on the number screen of my keyboard - had to go numbers then additional symbols. It's surprising just how niggly one extra keypress can be.

mdf

3523 posts

Uber Geek

Trusted

#1326120 16-Jun-2015 21:45

freitasm: As I said I've installed Intel TrueKey. Basically you create an account and register your face. It is then your unlock key - it works on Windows (Internet Explorer and Chrome) and Android. It can also be used to log into Windows - activate it, lock Windows, unlock using your face then enter the Windows password. This associates it with your account.

Passwords are synchronised between devices but they don't have the key. Add 2FA where available (LinkedIn, Google account, Twitter, Facebook, Microsoft account, Dropbox, etc, etc) and you are getting closer to being safer. And remember not to repeat your password between services.

I've been waiting for my Nymi for a while now. I really hope it doesn't end up being vaporware. It's a mini ECG bracelet. Authenticates you by your "unique" cardiovascular signature.

My father-in-law is an exercise cardiologist and has confirmed that your ECG is unique. He was skeptical at just how good a reading you're going to get out of a sensor the size of a watch. It's entirely probable that someone in the world has a similar enough ECG to me that they could pretend to be me (particularly with a "low res" sensor). But the chances of that person getting their hands on my authentication token (and password - it's 2FA) are pretty slim.

markl

348 posts

Ultimate Geek

#1326210 17-Jun-2015 00:28

Personally, I'm super surprised by how many of these "password keepers" there are out there, and even more surprised by the number of people who USE them!

I'm sorry, I'm not trying to troll, but come on, really people? Have you not heard of the good ol' passPHRASE? One phrase or mnemonic, you substitute in the name of the site or whatever it relates to, and a number somewhere. Make sure you include a capital letter or two and it'll work for ANY site. Well, except maybe ASB's internet banking, where you can't have a password longer than 8 characters - yes, SERIOUSLY!

JamesL

956 posts

Ultimate Geek
Inactive user

#1326213 17-Jun-2015 00:51

Yeah, I have over 150 sites in my database. There's no way I'm using a phrase with different numbers or something related to the site itself in the password.

Also, back in May ASB made changes so you can have up to 100 characters, might want to update your asb12345 passphrase now.

mattwnz

20181 posts

Uber Geek

#1326214 17-Jun-2015 01:03

markl: Personally, I'm super surprised by how many of these "password keepers" there are out there, and even more surprised by the number of people who USE them!

I'm sorry, I'm not trying to troll, but come on, really people? Have you not heard of the good ol' passPHRASE? One phrase or mnemonic, you substitute in the name of the site or whatever it relates to, and a number somewhere. Make sure you include a capital letter or two and it'll work for ANY site. Well, except maybe ASB's internet banking, where you can't have a password longer than 8 characters - yes, SERIOUSLY!

So you manually type in passwords? the big benefit of lastpass, is that it automatically fills in the password details, and you set it to create random password, so you never need to ever know the password for any website. No risk of keyloggers intercepting it. I think it is a far safer system. If people don't trust these type of systems, then they should disconnect from the internet now, and not use any cloud based systems, including data backups, and put on their tin foil hat.

markl

348 posts

Ultimate Geek

#1326215 17-Jun-2015 01:04

JamesL: Yeah, I have over 150 sites in my database. There's no way I'm using a phrase with different numbers or something related to the site itself in the password.

Also, back in May ASB made changes so you can have up to 100 characters, might want to update your asb12345 passphrase now.

Thanks for the smartass reply mate. A phrase, in case you didn't do English in secondary school, usually consists if more than one word.

For example you could use "Iamlogginginto___12", where the ___ is the name of the website, system, etc. that it's protecting. Don't want to use a phase? Turn it into an acronym perhaps: Iali___12 - easy enough to remember either of those for hundreds and hundreds if sites. If you can remember the name of the site or system you're logging into, then you can remember the password.

WRT ASB and their (firmer) restrictions, it's great that they've done that - a whole month ago...good on them

markl

348 posts

Ultimate Geek

#1326216 17-Jun-2015 01:05

mattwnz:
markl: Personally, I'm super surprised by how many of these "password keepers" there are out there, and even more surprised by the number of people who USE them!

I'm sorry, I'm not trying to troll, but come on, really people? Have you not heard of the good ol' passPHRASE? One phrase or mnemonic, you substitute in the name of the site or whatever it relates to, and a number somewhere. Make sure you include a capital letter or two and it'll work for ANY site. Well, except maybe ASB's internet banking, where you can't have a password longer than 8 characters - yes, SERIOUSLY!

So you manually type in passwords? the big benefit of lastpass, is that it automatically fills in the password details, and you set it to create random password, so you never need to ever know the password for any website. No risk of keyloggers intercepting it. I think it is a far safer system. If people don't trust these type of systems, then they should disconnect from the internet now, and not use any cloud based systems, including data backups, and put on their tin foil hat.

Yeah, clearly I'm less lazy than the rest of the universe...I don't mind typing a few characters on my keyboard...

Quic Broadband

Move to New Zealand's best fibre broadband service (affiliate link). Free setup code: R587125ERQ6VE. Note that to use Quic Broadband you must be comfortable with configuring your own router.

mattwnz

20181 posts

Uber Geek

#1326217 17-Jun-2015 01:12

markl:
mattwnz:
markl: Personally, I'm super surprised by how many of these "password keepers" there are out there, and even more surprised by the number of people who USE them!

I'm sorry, I'm not trying to troll, but come on, really people? Have you not heard of the good ol' passPHRASE? One phrase or mnemonic, you substitute in the name of the site or whatever it relates to, and a number somewhere. Make sure you include a capital letter or two and it'll work for ANY site. Well, except maybe ASB's internet banking, where you can't have a password longer than 8 characters - yes, SERIOUSLY!

So you manually type in passwords? the big benefit of lastpass, is that it automatically fills in the password details, and you set it to create random password, so you never need to ever know the password for any website. No risk of keyloggers intercepting it. I think it is a far safer system. If people don't trust these type of systems, then they should disconnect from the internet now, and not use any cloud based systems, including data backups, and put on their tin foil hat.

Yeah, clearly I'm less lazy than the rest of the universe...I don't mind typing a few characters on my keyboard...

I can see your logic, but the problem is that many websites require you to regually change you password, so using your system may mean that you have to invent a new one, and you may not know which version you are using. Also entering passwords on a touchscreen device is painful. Really any password system like the current ones, are not the solution for the future.

markl

348 posts

Ultimate Geek

#1326219 17-Jun-2015 01:20

mattwnz: Really any password system like the current ones, are not the solution for the future.

Oh I quite agree. Saying that and making it happen are two different things though - Jo/Joe Average needs to be convinced to make a change away from passwords, and so far that's not looking like happening any time soon...

freitasm

BDFL - Memuneh
79316 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#1326285 17-Jun-2015 09:30

markl: Personally, I'm super surprised by how many of these "password keepers" there are out there, and even more surprised by the number of people who USE them!

I'm sorry, I'm not trying to troll, but come on, really people? Have you not heard of the good ol' passPHRASE? One phrase or mnemonic, you substitute in the name of the site or whatever it relates to, and a number somewhere. Make sure you include a capital letter or two and it'll work for ANY site. Well, except maybe ASB's internet banking, where you can't have a password longer than 8 characters - yes, SERIOUSLY!

Many people already commented but. I have about 600 services in my LastPass. Some require change every 30 days, some I change because I want to keep it random. A passphrase is ok if you have one service and don't change often. Other than this, it's not humanly possible to keep on top of things.

On another note, a bit more polite replies here people or temporary bans will be handed out.

mdf

3523 posts

Uber Geek

Trusted

#1326302 17-Jun-2015 09:43

freitasm: Many people already commented but. I have about 600 services in my LastPass. Some require change every 30 days, some I change because I want to keep it random. A passphrase is ok if you have one service and don't change often. Other than this, it's not humanly possible to keep on top of things.

On another note, a bit more polite replies here people or temporary bans will be handed out.

600!? Are all those regularly used, or are some from stupid webstores that insist on you creating an account even though the chances of you ever shopping there again are next to zero (I hate hate hate this - let me check out as a guest if I want!).

I thought I had a lot with ~100. And even that includes a lot of duplicates for things like work and personal log ons, and several kids library cards. I'd use about 10% of those stored details about 90% of the time, I reckon.

freitasm

BDFL - Memuneh
79316 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#1326319 17-Jun-2015 10:05

A very few are regularly used, of course. Now and then I look at these and if I can't remember a service being used I try and close the account. Most of these disappear over time - the number of SaaS offering the popup and disappear/merge/pivot is incredible.

fizzychicken

313 posts

Ultimate Geek

#1326327 17-Jun-2015 10:17

mdf: 600!? Are all those regularly used

I thought similar...just how many porn sites can one man be a member of?
In Lastpass there is a security check tool which gives you a score based on password 'strength', uniqueness and other categories (it also checks your known email addresses against security breach lists etc), but one bit I didn't like was a score based on how many services you had stored. I got a percentage deduction in that area simply because I only have 20 services. Part of me doesn't like them wanting more info...almost made it feel like they were fishing for my info...the details of the score break down and your actual position has now gone and been replaced by percentages which seems better (though less informative)

I currently get

93% - Your Security Score

Top 1% - Your LastPass Standing

100% - Master Password Score

One bit I really like here is how it shows you which sites support auto changing of passwords, so you can click one button and Lastpass will log in and change your password for you (very similar to how automated testing tools work), it is very impressive.

https://keybase.io/fizzychicken

amanzi

Amanzi
1302 posts

Uber Geek

ID Verified

Trusted

Lifetime subscriber

#1326334 17-Jun-2015 10:24

Most security researchers agree that using a password manager is better than remembering individual passwords, though there are still a large number of security professionals that would put forward a strong case against using them. Personally, I think I'm far more secure only remembering one master password than lots of individual passwords.

Something interesting about the LastPass hack is that the hackers didn't manage to get hold of the Vault data which means that it's being stored in a separate system to the user accounts which is another sign of good security from LastPass. I think they've done about as well as can be expected in this circumstance so I'm comfortable sticking with LastPass for now.

markl

348 posts

Ultimate Geek

#1326348 17-Jun-2015 10:33

amanzi: Something interesting about the LastPass hack is that the hackers didn't manage to get hold of the Vault data which means that it's being stored in a separate system to the user accounts which is another sign of good security from LastPass. I think they've done about as well as can be expected in this circumstance so I'm comfortable sticking with LastPass for now.

That is a good point - on the strength of that report, they do clearly take the security of the data they're storing very seriously, as they should. I guess it's best to treat it as virtually inevitable that any service on the internet is hackable - it's just a fact of life. Whether it will or not is really just a question of how much effort the hacker would need to go to do it, and how much they'd gain from having done so.

1 | 2 | 3 | 4