Slashdot Mirror


LastPass Reveals the Threats Posed By Passwords in the Workplace (betanews.com)

A reader shares a BetaNews report: A new report by LastPass -- The Password Expose -- reveals the threats posed, and the opportunities presented, by employee passwords. The report starts by pointing out that while nearly everyone (91 percent) knows that it is dangerous to reuse passwords -- with 81 percent of data breaches attributable to "weak, reused, or stolen passwords," more than half (61 percent) do reuse passwords. But the real purpose of the report is to "reveal the true gap between what IT thinks, and what's really happening." Jumping straight into the number, the report says that even in a 250-employee company, there are an average of 53,250 passwords in use -- a near-impossible number to keep track of and to know the strength of. LastPass found that people have nearly 200 passwords to remember, so it's little wonder that password reuse is an issue.

72 comments

  1. password management company publishes report... by Anonymous Coward · · Score: 2, Insightful

    extolling the virtues of using a password manager
    threat revealed, thanks lastpass

    1. Re:password management company publishes report... by ctilsie242 · · Score: 3, Interesting

      It is a balancing act. On one hand, if someone uses weak (but memorable) passwords that can be brute-forced, that is far more likely than a password manager getting compromised, especially a password manager with 2FA.

      However, selecting a password manager is critical. LastPass is one that has had security intrusions succeed... but were mitigated. Some other PW managers which have, as of their latest versions, required cloud access (1Password, mSecure) not just don't have a proven track record... but don't even give any details on what security they actually bother with. For all we know, they could stash everything on a public S3 bucket.

      I like PW managers which piggyback on existing cloud providers and have decent encryption [1], like Enpass or Codebook. That way, not all eggs are in one basket, and Google Drive provides adequate 2FA protection.

      [1]: The idea would be separating the passphrase protecting the database on the cloud provider versus the encrypted copy, or even better, using public key encryption and "introducing" new devices, to make the copy sitting on the cloud provider as brute force resistant as possible.

    2. Re:password management company publishes report... by Average · · Score: 4, Informative

      I can't recommend PasswordStore (passwordstore.org) highly enough. ~400 lines of (quite readable) Bash. GPG. Git. That's the extent of it.

      Combined with my GPG credentials being on a smartcard, I feel like I'm doing the best I can.

    3. Re:password management company publishes report... by Anonymous Coward · · Score: 0

      Unfortunately there are plenty of systems out there which are password manager unfriendly.

      My router doesn't let me paste my strong generated password into its password entry box.
      Similar problem just the other day with a website; emailed them to ask why they were forcing me to pick easy-to-key passwords rather than a stronger generated password - got some bullshit response showing they didn't understand the issue. (Of course I'd just hit F12 in my browser and zapped the values directly in, but your average user is likely to give up and just key something far weaker.)

      In my work setting we use 2FA, a smart card and pin. Prevents password sharing, integrate apps with SAML etc. and for the average user it all works pretty well.

    4. Re:password management company publishes report... by ilsaloving · · Score: 1

      1password used to work that way, and it is still possible to purchase the standalone version that lets you store your passwords on other cloud services, but I don't know how much longer that will be. As it is, they don't advertise the standalone version anymore. You have to specifically ask them for it.

      I am currently looking at Enpass as a possible alternative, however there are several dealbreakers that I am waiting to be resolved:
      1. It doesn't support multiple password vaults. Supposed to be in the next major version.
      2. They have not had a 3rd party audit done on their code. They have promised to do this after the next major release is done, as there is apparently a lot of refactoring work happening that makes doing the review now kinda pointless.

    5. Re:password management company publishes report... by Anonymous Coward · · Score: 0

      Unfortunately there are plenty of systems out there which are password manager unfriendly. My router doesn't let me paste my strong generated password into its password entry box.

      Have you bothered telling the vendors as opposed to just whining on forums? I had the same problem with KeePass versus the login form on developer.apple.com and they fixed it within a day of me notifying them.

    6. Re:password management company publishes report... by Anonymous Coward · · Score: 0

      Have you bothered telling the vendors as opposed to just whining on forums?

      Have you bothered reading my post rather than just whining about it? You know the bit where I state "emailed them to ask why..."? There's a clue somewhere in that as to perhaps I do bother; my problem is that few if any in my experience bother to even try and understand why their blocking of paste is a screwed up policy.

    7. Re:password management company publishes report... by Anonymous Coward · · Score: 0

      Lose the password manager = you fucked up something terrible.

      Do not use password managers. Do not save your password in the web browser. That is where most password theft comes from.

      Your safest password is to create your own mnemonic for remembering things. For example "fuckyou2slashdot!" might be my password for slashdot, and other social media like facebook "hateyou2facebook", and basically that narrows down memorizing passwords from gibberish, to longer passwords that you can remember by integrating the service/site name into the password to pad it out. I've found that passwords that I associated with profanities I easily remember. Your mileage may vary.

  2. LastPass knows your passwords? by Train0987 · · Score: 0

    LastPass employees have access to everyone's passwords? I think that'd be a bigger story.

    1. Re:LastPass knows your passwords? by AvitarX · · Score: 2

      I assume they're encrypted, but they can easily tell if they're the same. It doesn't say they have statistics in complexity, only reuse.

      I suppose this would mean that they're not salted though, or the same salt is used for every password in an account.

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    2. Re:LastPass knows your passwords? by Anonymous Coward · · Score: 0, Troll

      You should learn how LastPass works before talking out your rear end!

    3. Re:LastPass knows your passwords? by Kielistic · · Score: 1

      You shouldn't be able to tell if two encrypted strings are the same unless they are encrypted with the same key. And they should not be for that reason among many others.

      You appear to be talking about hashing which is not what a password manager does.

    4. Re:LastPass knows your passwords? by SecState · · Score: 2

      I'm not going to register to read the full report. But, based on the article, it seems likely they're using two sources of data: 1) a survey (which probably has an item asking about password re-use), and data from the corporate version of the app that shows, in aggregate, how many passwords a person has stored.

    5. Re:LastPass knows your passwords? by Anonymous Coward · · Score: 1

      Even hashed passwords should be salted, preventing you from knowing which ones are the same.

    6. Re:LastPass knows your passwords? by Anonymous Coward · · Score: 0

      No, you shouldn't be able to tell if two encrypted strings are the same unless they are encrypted with the same key and IV. Reusing keys is common for a single user. Every blob should have a different IV though.

    7. Re:LastPass knows your passwords? by zlives · · Score: 1

      source?

    8. Re:LastPass knows your passwords? by AvitarX · · Score: 1

      You're right, I was thinking of one way hashing, which would be pretty stupid for a password manager.

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
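
      The subthread above (AvitarX, Kielistic and the Anonymous Cowards on salting) comes down to one point: whoever holds a set of digests can count duplicates only if equal passwords produce equal digests. The following is an added illustration, not code from the page or from LastPass, and it makes no claim about how LastPass actually stores anything. It hashes a constructed three-entry vault two ways, with one salt shared across the account and with a fresh salt per entry, and counts how many reused values are visible from the digests alone. The function and variable names, the iteration count and the sample passwords are all assumptions made for the example.

```python
"""Salt scope decides whether password reuse is visible from stored digests.

Added example; the vault contents are constructed, not real credentials.
"""
import hashlib
import hmac
import os
from collections import Counter

ITERATIONS = 100_000  # PBKDF2-HMAC-SHA256 work factor; illustrative value


def pbkdf2(password: str, salt: bytes) -> bytes:
    """Salted, slow, one-way digest of a password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def hash_vault_shared_salt(passwords, account_salt: bytes):
    """One salt for the whole account: equal passwords give equal digests,
    so reuse is countable by anyone holding the digests."""
    return [pbkdf2(p, account_salt) for p in passwords]


def hash_vault_per_entry_salt(passwords, rng=os.urandom):
    """Fresh 16-byte salt per entry, stored next to its digest: equal
    passwords give unrelated digests, so reuse is not visible from them."""
    entries = []
    for p in passwords:
        salt = rng(16)
        entries.append((salt, pbkdf2(p, salt)))
    return entries


def reused_groups(digests) -> int:
    """Number of distinct digest values that occur more than once."""
    return sum(1 for n in Counter(digests).values() if n > 1)


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Per-entry salting still lets the holder check one candidate against
    one entry; constant-time compare avoids a timing side channel."""
    return hmac.compare_digest(pbkdf2(password, salt), digest)


# Constructed sample vault: the first password is reused on two sites.
VAULT = ["Tr0ub4dor&3", "Tr0ub4dor&3", "correct horse battery staple"]


def demo():
    """Return (reuse groups visible with a shared salt,
               reuse groups visible with per-entry salts)."""
    shared = hash_vault_shared_salt(VAULT, account_salt=b"acct-0001-fixed-salt")
    per_entry = hash_vault_per_entry_salt(VAULT)
    return reused_groups(shared), reused_groups([d for _, d in per_entry])


if __name__ == "__main__":
    print("reuse groups (shared salt, per-entry salt):", demo())  # (1, 0)
```

      Running it prints `(1, 0)`: the shared-salt vault exposes one group of reused passwords, the per-entry-salt vault exposes none, which is exactly the distinction the thread is circling. A vault product that reports reuse can of course count it client-side on the decrypted plaintext instead, which the digests say nothing about.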
  3. THAT is exactly why I have a password vault. by sehlat · · Score: 1

    I only have to remember the vault password. The three keys to making it work in the long run are backup, backup, and backup.

    1. Re:THAT is exactly why I have a password vault. by Trax3001BBS · · Score: 1

      I only have to remember the vault password. The three keys to making it work in the long run are backup, backup, and backup.

      I use Acerose password manager. Its weak spot is that any back-up of the database is readable with any text editor. I've used it for so long, and have so many log-ins, that I stick with it.

    2. Re:THAT is exactly why I have a password vault. by sehlat · · Score: 1

      I use KeePass. The database (including backup copies) is encrypted. The password is in a sealed envelope inside our family safe deposit box, and both my wife and son have access.

    3. Re:THAT is exactly why I have a password vault. by Trax3001BBS · · Score: 1

      I use KeePass. The database (including backup copies) is encrypted. The password is in a sealed envelope inside our family safe deposit box, and both my wife and son have access.

      Good to see you have a plan. So few do.

  4. I have 3+ passwords. by Anonymous Coward · · Score: 2, Interesting

    One for I don't give a shit - like a Reddit account and every other dipshit website that requires a login so that they can use their registered users for advertising and revenue - and that's why I will never register for Slashdot.

    One for it'd suck if someone got a hold of it, but life goes on.

    One for my money and other important shit.

    My wife, on the other hand, takes this password shit too seriously. She creates a new special one for every dipshit login. And as a result, she is constantly forgetting them and requesting new passwords.

    And it's amazing that to get a new password, one can get that information by just looking at her facebook page and seeing who her "friends" are - and all the idiots who wish her a happy birthday on her real birthday.

    I could steal any facebook user's identity and get your banking passwords.

    1. Re:I have 3+ passwords. by XXongo · · Score: 2

      One for I don't give a shit - like a Reddit account and every other dipshit website that requires a login so that they can use their registered users for advertising and revenue - and that's why I will never register for Slashdot.

      I don't get it-- why don't you use your "I don't give a shit" account password, here, too, if you use it on Reddit?

    2. Re:I have 3+ passwords. by Anonymous Coward · · Score: 0

      oh no dont hack my gibson internet batman
      with your shit operational security

    3. Re:I have 3+ passwords. by fibonacci8 · · Score: 1
      --
      Inheritance is the sincerest form of nepotism.
    4. Re:I have 3+ passwords. by AvitarX · · Score: 1

      My bank would require you have access to my e-mail or phone.

      My e-mail would require you have access to my phone.

      I don't think it'd be as easy as you think in general.

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    5. Re:I have 3+ passwords. by Lost+Race · · Score: 1

      He thinks he's stigginit to Slashdot by not adding to their registered users count.

  5. Single Sign On Fiasco by 140Mandak262Jamuna · · Score: 1
    We kept complaining about the password explosion. Especially since so much of the office functions are outsourced and we end up logging into so many servers. They rolled in with great fartfare Single Sign On. With TFA to boot.

    Now after we go through the painful Microsoft applications access panel, we click on anything, and it pops up the same password dialog. The only thing that has changed is now we cannot directly log in to the third party service. First we sign on here and then sign on again. Single Sign On ended up being One More Sign On.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:Single Sign On Fiasco by Anonymous Coward · · Score: 0

      My company has been using Azure AD for SSO and TFA for about a year. It was a bit rocky at first, unsurprisingly with a change of this magnitude. But it's been mostly invisible since. Heck our sales people now even use it to sign in to Salesforce, and dev team for Slack. Maybe it isn't working for you but LastPass sure AF is not the answer!

  6. advertisement is an advertisement by phantomfive · · Score: 1

    If everyone had a password manager, then IT would spend all their time replacing passwords for people who forgot the password to their password manager.

    And if the passwords are stored in the cloud, they are almost guaranteed to not be secure.

    --
    "First they came for the slanderers and i said nothing."
    1. Re:advertisement is an advertisement by nine-times · · Score: 2

      In fairness, it's much easier to remember one password for your password manager than 150 unique strong passwords, so IT would be getting fewer calls. Plus, a big part of the problem is that people won't remember hundreds of unique passwords, so they instead reuse passwords, which is one of the major ways that accounts get compromised.

      I'm not saying that this isn't an advertisement in disguise, but they're not wrong.

    2. Re:advertisement is an advertisement by phantomfive · · Score: 1

      I'd be willing to bet that password reuse isn't the problem so much as weak passwords in the first place.
      For example, in moderately large places (greater than 100 people) where passwords are required to change every quarter, you can be fairly certain that someone will use the password scheme "Spring2017".

      --
      "First they came for the slanderers and i said nothing."
    3. Re:advertisement is an advertisement by sls1j · · Score: 1

      Even strong passwords have a problem when you re-use them. If you get phished you've just compromised all your sites, not just one. Whereas with a password manager you don't enter your strong password into a web page (at least not the PM I use), so you won't lose everything with one mistake. I also use my PM enough to remember the strong password.

    4. Re: advertisement is an advertisement by Anonymous Coward · · Score: 0

      There's a bit of security through obscurity in that the attacker needs to also know the account at other specific sites you have. Nonetheless, the fact every shitty service wants authentication these days and every shitty service demands strong passwords makes it nearly impossible to function without password reuse or a storage mechanism. Take Cisco WebEx for me: I have just enough WebEx meetings per month (1) to forget my password every single time and go through a reset process, every single time. It's about worthless. This stuff used to be manageable before many sites started to needlessly require auth.

    5. Re:advertisement is an advertisement by phantomfive · · Score: 1

      Password managers have the problem that if you are compromised, every password is lost. So which is the more likely scenario?

      Passwords are not good security, even with a password manager.

      --
      "First they came for the slanderers and i said nothing."
    6. Re:advertisement is an advertisement by sexconker · · Score: 1

      Password managers have the problem that if you are compromised, every password is lost. So which is the more likely scenario?

      Passwords are not good security, even with a password manager.

      If your password manager is compromised, you have a neat and tidy list of every password you need to reset. Hopefully you do it after figuring out how your password manager was compromised. Hint: You either used the wrong password manager (i.e., anything other than KeePass), you used a shitty master password, or you opened your password database on a compromised box.

    7. Re:advertisement is an advertisement by phantomfive · · Score: 1

      What makes KeePass so good?

      --
      "First they came for the slanderers and i said nothing."
    8. Re: advertisement is an advertisement by Anonymous Coward · · Score: 0

      But we simply don't have 200 passwords at work. Where do such fantasies come from? I can count my work passwords on one hand. Most stuff authenticates against AD, so one passwd for all that. And the passwd on my linux pc is the same as the AD passwd, which is ok. Then, a couple of new webapps not yet integrated with AD. But they will be, before more webapps appear.

      I have way more passwds than that, but not work related.

    9. Re: advertisement is an advertisement by Anonymous Coward · · Score: 0

      KeePass keeps everything local. No cloud involved.
      The security of your encrypted password database is entirely in your hands and no one else's.

    10. Re: advertisement is an advertisement by kaatochacha · · Score: 1

      but..... you can store the KeePass database file in the cloud if you wish. I sync mine with Dropbox and access it through multiple devices, and store a backup copy in a safe.

  7. Lastpass takes dangerous... by Zurkeyon3733 · · Score: 1

    And Ramps it up to LUDICROUS! Why go small? LoL :-P

  8. Stupid Password Rules by Anonymous Coward · · Score: 5, Insightful

    When the rules are "must contain 1 lower case, 1 upper case, 1 number, 1 special character, cannot reuse any of the past 20 passwords, must change every 30 days, etc etc etc", no shit we end up picking a pattern and recycling old passwords.

    1. Re:Stupid Password Rules by Anonymous Coward · · Score: 2, Interesting

      must change every 30 days

      This one in particular infuriates me. We have a finance system which demands a change every 60 days but also won't let you re-use passwords (I assume it keeps a record of the hash because it won't even let you recycle from several years ago), and locks you out on the third failed attempt. After a lockout you have to email the finance department and wait several days for someone there to manually reset it and email you a new one, at which point it immediately demands a brand new password.

      We can't afford to wait several days for finance to get back to us after a lockout (of course, they'll never admit it takes this long) and we can't remember these passwords on top of all of the others, so of course it leads to us using predictable patterns of passwords and keeping records of them somewhere. By making security a pain in the ass and difficult for a user you just encourage the user to find fast and easy workarounds, and those often come at the expense of security.

    2. Re: Stupid Password Rules by Anonymous Coward · · Score: 0

      Very good point. Forced passwd change is a security risk. I shot down an attempt to demand passwd change at work. I teach network security, so they actually listened.

    3. Re:Stupid Password Rules by pnutjam · · Score: 1

      Most sites allow spaces in passwords now. I tend to pick a lyric from a song, or something related to a character from a movie or book, for example, "The postman is a terrible move, great b00k".
      Pretty easy to remember, long enough, and meets complexity requirements. Sometimes my AD Linux integration chokes on special characters, so I'll simplify it to something like this "Dune_is_0verated".

    4. Re: Stupid Password Rules by kaatochacha · · Score: 1

      They've actually, sort of officially, decided that you are correct and constantly changing them is a bad idea. I totally agree.
      https://qz.com/981941/the-us-s...
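
      The "Stupid Password Rules" thread and phantomfive's "Spring2017" remark earlier make a concrete, testable claim: composition rules plus forced rotation accept predictable season-and-year patterns while rejecting nothing that matters. The following is an added example, not code from the page or any product it names. It encodes the rules quoted at the top of the thread (one lower, one upper, one digit, one special, no reuse of recent passwords) and a separate predictability check, then evaluates the thread's own sample passwords against both. The regex, the blocklist, the 15-character minimum and the per-user salt are assumptions made for the example.

```python
"""Composition rules vs. predictability: evaluating the thread's sample passwords.

Added example; the blocklist and thresholds are constructed, not from any standard.
"""
import hashlib
import re
import string

# Assumed pattern: a season followed by a 2- or 4-digit year and optional trailing symbols.
SEASON_YEAR = re.compile(
    r"^(spring|summer|fall|autumn|winter)(19|20)?\d{2}[^a-zA-Z0-9]*$", re.IGNORECASE
)
# Constructed mini blocklist; a real deployment would use a large breach-derived list.
COMMON = {"password", "password1", "qwerty", "letmein"}


def meets_composition_rules(pw: str) -> bool:
    """The classic rule set: 1 lower, 1 upper, 1 digit, 1 special character."""
    return (
        any(c.islower() for c in pw)
        and any(c.isupper() for c in pw)
        and any(c.isdigit() for c in pw)
        and any(c in string.punctuation for c in pw)
    )


def looks_predictable(pw: str) -> bool:
    """Checks the rules never ask for: seasonal patterns and a blocklist."""
    return bool(SEASON_YEAR.match(pw)) or pw.lower() in COMMON


def history_digest(pw: str, user_salt: bytes) -> bytes:
    """Digest kept in the password history so old plaintexts need not be stored."""
    return hashlib.sha256(user_salt + pw.encode("utf-8")).digest()


def history_allows(pw: str, history: list, user_salt: bytes, window: int = 20) -> bool:
    """'Cannot reuse any of the past N passwords', as the thread describes it.
    Note it cannot see that Summer2017! is just Spring2017! with the season bumped."""
    return history_digest(pw, user_salt) not in history[-window:]


def evaluate(pw: str, min_len: int = 15) -> dict:
    """Return the verdict of each check for one candidate password."""
    return {
        "composition": meets_composition_rules(pw),
        "predictable": looks_predictable(pw),
        "long_enough": len(pw) >= min_len,
    }


if __name__ == "__main__":
    for candidate in ["Spring2017!", "The postman is a terrible move, great b00k", "Dune_is_0verated"]:
        print(f"{candidate!r}: {evaluate(candidate)}")
```

      "Spring2017!" satisfies every composition rule and fails only the predictability check, while the two passphrases from pnutjam's comment satisfy composition, are not flagged as predictable, and clear the length threshold. The history check shows why rotation on its own does not help: a user who bumps the season produces a digest that has never been seen.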

  9. What I really want to read today by rsilvergun · · Score: 1

    is a brilliant expose on the dangers of Slashvertisements.

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
  10. 200 passwords? by Anonymous Coward · · Score: 0

    I call BS on that.

    1. Re:200 passwords? by sexconker · · Score: 1

      My personal KeePass database has 260 entries. Some are defunct, but not many.

    2. Re:200 passwords? by Anubis+IV · · Score: 2

      You think 200 is unreasonable? I currently have 265 logins listed in my password manager, and I'd wager that I'm not even in the top quartile here. I had over 300 of them just a few months back, but then I went through and cleaned out several dozen. Oh, and that list is missing dozens more, such as:
      - Logins to my numerous home and work computers
      - Passcodes for numerous mobile devices
      - PINs to credit and debit cards (not so numerous)
      - PINs to parental settings and the like on gaming consoles and other set-top boxes

      All in all, I'd estimate that I had over 400 logins to various services and systems prior to the cleanup a few months back, and I'm by no means as heavy of a user as some, such as teens who're willing to create new accounts with new services every other week. To say the least, it's not at all unreasonable that someone might be expected to be able to log in to 200 different systems, hence why password reuse is as much of a problem as it is.

    3. Re:200 passwords? by HiThere · · Score: 1

      I'd have to check, but I've probably got over 1000 passwords. Most of them are defunct, but sometimes I'm surprised that one I haven't used for a decade will still work. Some of them predate commercial access on the internet. Some of them are from when I was sysadmining a multi-user CP/M machine (with 16 processors!). But there are far too many to remember, especially for sites that I haven't accessed in a decade...and, surprise!, sometimes I need access again, and it's really nice if the old password still works. And you can't predict which ones.

      --
      I think we've pushed this "anyone can grow up to be president" thing too far.
  11. Smartcards by Anonymous Coward · · Score: 0

    PKI and smartcards, optionally with SSO if you're generous.

  12. And lastPass themselves have been hacked before by Anonymous Coward · · Score: 0

    With all the passwords stored on their own service being stolen, so really, using a password at all is not safe.

    1. Re:And lastPass themselves have been hacked before by Anonymous Coward · · Score: 0

      "... 81 percent of data breaches attributable to "weak, reused, or stolen passwords,""

      It's funny how they make that claim, but don't break the actual numbers out.
      My guess is:
      ~0.1% Weak
      ~0.1% Reused
      ~99.8% Stolen

      Once Corporate is compromised, all the Password precaution in Meatland is wasted. This is just the usual deflection of blame by asswipes like LastPass. There are no such thing as Password Ninjas who sneak in at night, poking through Post-Its attached to the top of monitors searching for clues. This is nearly always Corporate Negligence.
      So IT screws up YET AGAIN, and we all have to do the Password Do-Si-Do, ending up just right where we began, only to wait for it to start all over again.
      I'm fed up with this dance.

  13. Alternate Headline: LastPass Reveals Marketing by chispito · · Score: 1

    Seriously, I'd be really interested to know how they arrived at their 200/user figure. I'm assuming that includes service accounts whose passwords never need to be remembered by an individual.

    Now, by all accounts (zing!) their software is pretty user friendly and better than not using a vault... but this is just marketing. Why slashvertise it?

    --
    The Daddy casts sleep on the Baby. The Baby resists!
  14. There are passwords, and passwords by OneHundredAndTen · · Score: 2

    Not all passwords are created equal. For example, my Facebook password is probably a very weak one, for I use Facebook only when I am forced to register to some site where I want to write a comment. I don't really know (or care) about the contents of this account, which I opened under false credentials long ago. You see, Facebook can be useful, after all. This aside, the truth is that the bad guys all too often obtain passwords simply by asking for them. Well, not so simply, for the theater involved to get the victim to relinquish their password can be quite elaborate. But, this seems to work pretty well; having seen the process in action a few times, I couldn't help but feel impressed. Articles like this amount to little more than marketing for someone (LastPass, in this case) or mental masturbation. The people who select easy-to-crack passwords are, most likely, those who are going to relinquish their password when properly asked to do so, anyway. And, quite frankly, I for one couldn't care less if somebody gains knowledge of my Facebook password. Which I have forgotten, at any rate - only my browser knows it.

    1. Re:There are passwords, and passwords by PCM2 · · Score: 1

      Let me understand this ...

      You use your Facebook account solely as a method of authenticating yourself into multiple accounts all over the web? And for that reason you chose weak credentials for your Facebook account?

      --
      Breakfast served all day!
    2. Re:There are passwords, and passwords by Anonymous Coward · · Score: 0

      He said it was in order to post comments. So why would the security be a big deal? Someone might crack the password and post comments under the fake name he uses? Seems unlikely to happen and not the stuff of nightmares if it did.

    3. Re:There are passwords, and passwords by kaatochacha · · Score: 1

      Can you elaborate on the "process in action"?

  15. Title correction by 93+Escort+Wagon · · Score: 1

    Given LastPass' track record, perhaps we need a companion article:

    "LastPass Reveals the Threats Posed By Using LastPass in the Workplace"

    --
    #DeleteChrome
    1. Re:Title correction by Anonymous Coward · · Score: 0

      LastPass had an intrusion that they reported and mitigated, but there has never been any evidence that they have had their user passwords compromised. An intruder may potentially have gained access to the binary blobs; at the end of the day that's the reason we encrypt them instead of "safely" storing them in a text file.

      Dropbox allowed access to any account with no password and KeePass also has had vulnerabilities, including a man in the middle on the updater that could have allowed some hostile third party to replace the application itself. Should we now determine that KeePass with Dropbox is some huge security threat, or just be reasonably careful with our data?

    2. Re:Title correction by Anonymous Coward · · Score: 0

      Good comment, chum. I have been getting peeved at people who drag companies through the mud for properly disclosing and mitigating breaches lately. There is a world of difference between a company like LastPass reporting a minor breach and a company like Equifax hiding their massive breach for months as their execs insider trade themselves some nice fluffy golden parachutes.

      By dragging all major companies with breaches (that is, all major companies) through the mud equally, we are ENCOURAGING Equifax-style breach responses. Think about that the next time you want to chastise a company for responsibly disclosing a data breach.

  16. LastPass should shut up... by Anonymous Coward · · Score: 0

    ...and fix their Xmarks Firefox plugin. 4.5.0.4 is still broken.

  17. He who stores passwords in the cloud is a fool. by Anonymous Coward · · Score: 0

    sudo apt-get install pass
    man pass

    That is all.

  18. If only.... by ben_kelley · · Score: 1

    ... there was some product that could help solve this problem!

  19. Keepass is the Answer by Anonymous Coward · · Score: 0

    Use KeePass. You only need to remember your login password, and your KeePass password. The advantages are:

    - KeePass can generate random passwords for you
    - KeePass will remember those passwords for you
    - You never have to re-use a password
    - Your password database never travels over the wire
    - Makes your brain invulnerable to rubber hose decryption, since you don't know the passwords
    - By using sneakernet to copy your password database, your database never needs to travel over the wire or be stored on a computer you don't trust.

    I have 179 different passwords including long banking, wifi, and veracrypt passwords. I don't remember any of them. I never even knew any of them.

    Oh wait, this was a slashvertisement for LastPass? Whoops. Never heard of LastPass.

  20. Re: password management company publishes report.. by Anonymous Coward · · Score: 0

    KeePass is open source so bugs will get fixed a lot quicker than with closed source proprietary Asian firmware. Asian companies generally don't believe in software updates aside from Samsung and a few others, especially for anything made last year or before that.

  21. IT isn't the problem - it's Management. by wardrich86 · · Score: 1

    reveal the true gap between what IT thinks, and what's really happening

    IT tries to implement decent security, then Management cries because they can't handle remembering 4 different passwords and refuse to purchase licenses for password management software.

  22. Might SSO be the password reuse stats? by ripvlan · · Score: 1

    We are SSO and use LastPass. Many of our systems are SSO - and LastPass thinks that each is a different site, but happily records my SSO password. And then LastPass puts up a warning: "you have reused the same password at multiple sites - this is bad".

    But wait -- they are all the same system, or at least have SSO integration. I wonder if that skews their results at all?!

    Which is the pitfall of SSO: - one password to remember -- and only one to guess.

  23. LastPass Reveals they Read Your Passwords in Plain by Anonymous Coward · · Score: 0

    FIFY