I know many of you at one time or another have forgotten your damn password to the multitude of websites out there that require a password. It seems like everyone and your mother needs a password in order to use any given site ANNNNNNNNNND each site has different requirements to make a password that fits with rules for “password strength.” You need numbers and letters…now you need numbers, lower case letters and uppercase letters (but no special characters). How many times do you select “forgot password” at the login prompt?
For me it’s almost every time I log into my AT&T wireless account. Why is it so hard to remember? I went through a period in my life where I exponentially strengthened passwords throughout all websites I access. The thing about strengthening my password is I generally pick a special character. AT&T doesn’t like those special characters. Gah…so I can’t ever remember my password for that particular site.
“Forgot password?” the URL almost asks, laughing at my stupidity.
“WHY YES I DID THANK YOU VERY MUCH!” while I click on the link.
A co-worker recently mentioned LastPass and I vaguely remember seeing posts regarding LastPass awhile back. It wasn’t until I started digging last night that I became familiar with the site’s premise once more. I fell in instantaneous love (not lust). Wow…MAYBE this site is for you too!
LastPass is a password management website/application existing in the “cloud.” Ahhh…that proverbial cloud. Everyone seems to be putting things there and no one really grasps what cloud based computing does for the end user. Screw having to back your data up…screw having to manage your effing LIFE! Let the web do it for you…let these vendors deal with your data and make it accessible on whatever computer you sit on.
According to the technology section of their site:
LastPass is an evolved Host Proof hosted solution, which avoids the stated weakness of vulnerability to XSS as long as you’re using the add-on. LastPass strongly believes in using local encryption, and locally created one way salted hashes to provide you with the best of both worlds for your sensitive information: Complete security, while still providing online accessibility and syncing capabilities. We’ve accomplished this by using 256-bit AES implemented in C++ and JavaScript (for the website) and exclusively encrypting and decrypting on your local PC. No one at LastPass can ever access your sensitive data. We’ve taken every step we can think of to ensure your security and privacy.
So how to break everything down? Gosh…ok…bear with me:
LastPass keeps all of your logins and passwords in a vault that is encrypted locally on your desktop or laptop; the copy that syncs through their servers is that same encrypted file, never the plaintext. For each saved site you can choose whether the browser extension auto-fills the login form or not (btw I select NO on auto-filling). For me it’s merely a password database existing in the cloud. LastPass helps you create one strong master password for your account, and every website you add, either via the application or any browser extension, goes into that vault. Going forward you only have to remember 1 master password. Seems simple, right?
I know the security aspect still remains. Salted hash, aye? Sounds like something you buy at the movies before seeing the next Harry Potter movie. What is it?
From the Wikipedia entry for salt:
In cryptography, a salt consists of random bits that are used as one of the inputs to a one-way function. The other input is usually a password or passphrase. The output of the one-way function can be stored rather than the password, and still be used to authenticate users. The one-way function typically uses a cryptographic hash function.
…
The benefit provided by using a salted password is that a simple dictionary attack against the stored values becomes impractical if the salt is large enough. That is, an attacker would not be able to create a precomputed lookup table (a rainbow table) of hashed values (password + salt), because it would take too much space.
So what does that mean for LastPass, going by their own description above? The salt is not bits of your data sprinkled around their servers (that’s where I first went wrong with the name). It is a random value that gets mixed in with your master password before the one-way hash is computed. LastPass stores that salted hash to check your login, and because of the salt it can’t be matched against a precomputed rainbow table, and two people who happen to pick the same master password end up with different stored hashes. Your actual vault (the encrypted file on your desktop/laptop, and the copy that syncs through their servers) is encrypted with 256-bit AES on your own machine using a key that comes from your master password, so the plaintext never leaves your computer and nobody at LastPass can read it. Sit down at a different computer and you type the master password again; the decryption happens locally there too. The catch is that the master password is now the single key to everything. A salt kills the rainbow-table shortcut, but it does not stop someone who gets hold of the stored hash or the encrypted vault from simply guessing passwords one at a time against your salt, and “password1” falls in seconds no matter how it was salted. Pick a long, genuinely random master password and that guessing becomes a needle-in-a-haystack search that isn’t worth a hacker’s time (they have better things to do, surprisingly). Pick a weak one and the rest of the design can’t save you.
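To make the salt thing concrete, here is a small example I put together. It is my own illustration, not LastPass code and not anything from their site. It assumes PBKDF2-HMAC-SHA256 as the one-way function with a made-up iteration count (the page doesn’t say what LastPass actually uses), and the list of weak passwords is constructed just for the demo. It goes one step past the Wikipedia quote by showing what a salt does NOT protect against: a weak master password still gets guessed, salt or no salt.

```python
import hashlib
import secrets
from typing import Dict, Iterable, Optional

# Constructed sample dictionary of weak passwords an attacker might precompute.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty", "iloveyou"]

# Hypothetical work factor; LastPass's real parameters are not stated on this page.
ITERATIONS = 50_000


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password: the same input always gives the same output,
    which is exactly what makes a precomputed lookup table work."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> str:
    """One-way salted hash (PBKDF2-HMAC-SHA256). The salt is mixed in before hashing
    and the iteration count makes every single guess deliberately slow."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def build_lookup_table(passwords: Iterable[str]) -> Dict[str, str]:
    """What an attacker precomputes once and reuses against every unsalted database."""
    return {unsalted_hash(p): p for p in passwords}


def lookup(stored_hash: str, table: Dict[str, str]) -> Optional[str]:
    """Instant reversal if the stored hash appears in the precomputed table, else None."""
    return table.get(stored_hash)


def register(master_password: str) -> dict:
    """What a host-proof service would keep for your account: a fresh random salt
    and the salted hash. The master password itself is never stored."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": salted_hash(master_password, salt)}


def verify(master_password: str, record: dict) -> bool:
    """Login check: recompute with the stored salt and compare in constant time."""
    candidate = salted_hash(master_password, record["salt"])
    return secrets.compare_digest(candidate, record["hash"])


def guess_against_salt(record: dict, candidates: Iterable[str]) -> Optional[str]:
    """The attack a salt does NOT stop: try each candidate with this account's own salt.
    No precomputation possible and every guess is slow, but a weak password still falls."""
    for candidate in candidates:
        if secrets.compare_digest(salted_hash(candidate, record["salt"]), record["hash"]):
            return candidate
    return None


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    print("unsalted 'letmein' reversed from table:", lookup(unsalted_hash("letmein"), table))

    weak = register("letmein")
    print("salted 'letmein' found in table:", lookup(weak["hash"], table))
    print("login with correct master password:", verify("letmein", weak))
    print("weak master password still guessed:", guess_against_salt(weak, COMMON_PASSWORDS))

    strong = register("correct horse battery staple 7f3a")
    print("strong master password guessed:", guess_against_salt(strong, COMMON_PASSWORDS))
```

Run it and you see the two halves of the argument side by side: the unsalted hash is reversed instantly from the table, the salted hash of the very same password isn’t in any table, and yet the weak one is still recovered by plain guessing against its salt while the long random one survives. That last line is the whole reason the master password has to be a good one.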
Dude try it out already! It’s flippin’ awesome. I will be recommending this site over and over for folks who ask me about applications that effectively organize password information in one place.