@LastPass and Password Management
This blogpost is about my recent escapades in password reset and password management. Before I dive in I need to fess up. Despite decades of experience, I have over time seriously miss-managed my passwords. That’s despite having used tools like Lastpass for a couple of years. I haven’t been naughty such as writing down passwords on PostIT notes, but I have re-used similar or same passwords across multiple websites – even though I knew this exposed me to so-called “weaker sister” style breaches – that is to say that if you use the same password across multiple site, it’s the one that is most vulnerable to attack which then allows access (assuming the same user ID is in use) to all the rest. So this New Year I decided to put a stop once and for all to this bad practise. What follows is a description of what that was like, how bad/easy it was, and some general thoughts about the nature of security in the modern world. I might add the recent 1B breach of user ID by Yahoo was a wake-up call. I wasn’t personally hacked and I believe my account was secure (after all 1B accounts takes some going thru even by modern computing standards). I guess the operative word there is ‘believe’
Firstly, if you a LastPass user – check out how many websites you have listed, and run the security challenge. This does a good job of flagging up how bad your situation is, as well as flagging – compromised passwords, weak paswords, reused passwords and old passwords. You can see the result of my score above. Actually, this was in terrible state until I set about resetting the passwords. I had bad reports for Step1/2/3/4. My master password (the one that allows access to the LastPass word vault) was the same as one of the websites I had saved. Lastpass does warn you about doing this – but I foolishly ignored it and never got round to resetting it…
Secondly, where possible use Lastpass ‘Change Password Automatically’ feature to reset bum entries. This feature works well with the website it works with (paypal, twitter, amazon). However, it DOES NOT work with the vast majority of other websites. This is NOT Lastpass fault, but because we have no uniform standard for how password reset webpages should be constructed and formatted. This means authenticating individually to each and every site, and doing the password reset manually. I had over 240 sites. A follower on twitter had over 600 (admittedly he said he was okay as everyone was unique)
Note: Incidentally, I found “Change Password Automagically” is available for Yahoo, it didn’t work. I also found it got confused with the multiple Google accounts I have. I think this is because both Yahoo and Google have their own special UI and method of handling logins. I found Lastpass would reset the wrong accounts password.
Thirdly, let LastPass generate new passwords for you. But beware that not all websites support special characters (!@£%^&*_), and some require things like 2 numbers and two letters with Upper-Case. Also I found occasionally that Lastpass would not ‘see’ the password reset, and it wouldn’t prompt to update the username/password stored in the Vault. I took to copying the password to the clipboard, just in case – and doing manual updates. This is because there are really no standards for how password resets are managed for web-pages.
Lastly, Lastpass creates a little icon in the username and password areas – this works on Yamaha’s website for example but not for Hertz’s website.
Also I spent many minutes trying to find the place to reset my password in some websites which slowed the process down. This is because there is no standardisation really for where this information is held. Sometimes it’s easier to pretend you’ve forgotten your password, to get an easy to click reset link. However, this isn’t standardised either – as some websites reset your password to a value which you have to subsequently change (which means you wind up having to locate and work with their password reset feature).
Fourthly, rinse and repeat for every single login ID – I ended up running down my 240 stored usernames/passwords to about 160. This is because some of the websites no longer exists or I couldn’t access them. For instance I had username/password combo for internal systems at vmware.com stored behind a VPN accessible firewall. This does raise the spectre of bad username/password combinations that can never be fixed. However, I take the view that if ALL of the existing websites I do have access to – each have their own unique password – I’m as safe as I could ever be. And in comparison to my poor rating before – I now have a much better situation. It does raise the issue of remembering to delete accounts or reset passwords on systems you are not using anymore. The Yahoo warning was about an email address I have not used in years….
Firstly, You will notice that the word ‘standardisation’ comes up a number of times. It’s my belief that this lack of standardisation in the industry concerning password management significantly reduces the value of tools like Lastpass. This isn’t Lastpass fault, they must work with the reality they find. However, given recent breaches I think pressure should be put on the large stakeholders to adopt uniform standards.
Secondly, I shocks me that today in 2017, many website use your ’email address’ as the username. I doubt very much if the average joe/Josephine creates a bogus email address simply for the purpose of logins. This means the very means by which people requests password resets can be hacked. I see no reason why folks can’t have a user ID that is distinct and separate from their email. It would make swapping out email when they change infinitely easier. If I change my email address many hundreds of entries in my Lastpass vault become stale or invalid.
Thirdly, given this a manual process cared out me a monkey with an oversized wet brain – mistake can and do happen. There are couple of website where I screwed up their password reset process and found myself locked out. This means I have to request a password reset email (or in the case of outllook.com/live.com get codes sent to other email addresses or my phone).
Finally, although Lastpass has an automatic password reset feature, it’s not supported uniformly. This makes the process very labourious, and is a dissensitivity to fix the problem – but also reset passwords. It’s common standard in the enterprise environments to change passwords on a 30/60/90 cycle. No such standard exists in the private internet space. It took me ALL DAY to fix my problem – starting at 9am and finishing at nearly 11pm. It’s unacceptable to me to have carve out a whole day annually, quarterly or monthly to reset all 160 entries. The only ‘reasonable thing is once a week do a block of 10 or alternatively – make a folder of the MOST sensitive accounts (email, banking and anything that processes money – paypal and ebay for instance) and put them on a more frequent cadence of resets.