Slashdot Mirror


LastPass Reveals the Threats Posed By Passwords in the Workplace (betanews.com)

A reader shares a BetaNews report: A new report by LastPass -- The Password Expose -- reveals the threats posed, and the opportunities presented, by employee passwords. The report starts by pointing out that while nearly everyone (91 percent) knows that it is dangerous to reuse passwords -- with 81 percent of data breaches attributable to "weak, reused, or stolen passwords," more than half (61 percent) do reuse passwords. But the real purpose of the report is to "reveal the true gap between what IT thinks, and what's really happening." Jumping straight into the number, the report says that even in a 250-employee company, there are an average of 53,250 passwords in use -- a near-impossible number to keep track of and to know the strength of. LastPass found that people have nearly 200 passwords to remember, so it's little wonder that password reuse is an issue.

12 of 72 comments

  1. password management company publishes report... by Anonymous Coward · · Score: 2, Insightful

    extolling the virtues of using a password manager
    threat revealed, thanks lastpass

    1. Re:password management company publishes report... by ctilsie242 · · Score: 3, Interesting

      It is a balancing act. On one hand, if someone uses weak (but memorable) passwords that can be brute-forced, that is far more likely than a password manager getting compromised, especially a password manager with 2FA.

      However, selecting a password manager is critical. LastPass is one that has had security intrusions succeed... but they were mitigated. Some other PW managers which have, as of their latest versions, required cloud access (1Password, mSecure) not only don't have a proven track record... but don't even give any details on what security they actually bother with. For all we know, they could stash everything in a public S3 bucket.

      I like PW managers which piggyback on existing cloud providers and have decent encryption [1], like Enpass or Codebook. That way, not all eggs are in one basket, and Google Drive provides adequate 2FA protection.

      [1]: The idea would be separating the passphrase protecting the database on the cloud provider versus the encrypted copy, or even better, using public key encryption and "introducing" new devices, to make the copy sitting on the cloud provider as brute force resistant as possible.

    2. Re:password management company publishes report... by Average · · Score: 4, Informative

      I can't recommend PasswordStore (passwordstore.org) highly enough. ~400 lines of (quite readable) Bash. GPG. Git. That's the extent of it.

      Combined with my GPG credentials being on a smartcard, I feel like I'm doing the best I can.

  2. Re:LastPass knows your passwords? by AvitarX · · Score: 2

    I assume they're encrypted, but they can easily tell if they're the same. It doesn't say they have statistics on complexity, only reuse.

    I suppose this would mean that they're not salted though, or the same salt is used for every password in an account.

    --
    Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg

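
    The salt reasoning in the post above, as an added illustration that is not from the poster and says nothing about what LastPass actually does: with a fresh random salt per entry, two identical passwords hash differently and reuse cannot be counted from the hashes; with one key (or salt) per account, identical passwords inside that account collide, so reuse is countable there, but nothing about strength is revealed and entries from another account stay incomparable. The vault contents and account keys are constructed sample values.

    ```python
    import hashlib
    import hmac
    import os

    # Constructed sample vault: three sites, two of which share a password.
    VAULT = {
        "mail.example": "correct horse",
        "bank.example": "Tr0ub4dor&3",
        "forum.example": "correct horse",
    }


    def hash_per_entry(vault, salt_len=16):
        """Fresh random salt per entry (salt stored alongside the hash in practice).

        Equal passwords get different salts, so their hashes differ and reuse
        is invisible to anyone who only sees the hashes."""
        out = {}
        for site, pw in vault.items():
            salt = os.urandom(salt_len)
            out[site] = hashlib.sha256(salt + pw.encode()).hexdigest()
        return out


    def hash_per_account(vault, account_key):
        """One secret key per account, keyed with HMAC (equivalent to a single
        salt shared by every entry of that account).

        Equal passwords collide within the account, so reuse can be counted,
        but the hashes reveal nothing about length or complexity, and a
        different account key makes the same password hash differently."""
        return {
            site: hmac.new(account_key, pw.encode(), hashlib.sha256).hexdigest()
            for site, pw in vault.items()
        }


    def count_reused(hashes):
        """Number of entries whose hash also appears on at least one other entry."""
        counts = {}
        for h in hashes.values():
            counts[h] = counts.get(h, 0) + 1
        return sum(c for c in counts.values() if c > 1)
    ```
    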
  3. I have 3+ passwords. by Anonymous Coward · · Score: 2, Interesting

    One for I don't give a shit - like a Reddit account and every other dipshit website that requires a login so that they can use their registered users for advertising and revenue - and that's why I will never register for Slashdot.

    One for it'd suck if someone got a hold of it, but life goes on.

    One for my money and other important shit.

    My wife, on the other hand, takes this password shit too seriously. She creates a new special one for every dipshit login. And as a result, is constantly forgetting them and requesting new passwords.

    And it's amazing that to get a new password, one can get that information by just looking at her facebook page and seeing who her "friends" are - and all the idiots who wish her a happy birthday on her real birthday.

    I could steal any facebook user's identity and get your banking passwords.

    1. Re:I have 3+ passwords. by XXongo · · Score: 2

      One for I don't give a shit - like a Reddit account and every other dipshit website that requires a login so that they can use their registered users for advertising and revenue - and that's why I will never register for Slashdot.

      I don't get it-- why don't you use your "I don't give a shit" account password, here, too, if you use it on Reddit?

  4. Stupid Password Rules by Anonymous Coward · · Score: 5, Insightful

    When the rules are "must contain 1 lower case, 1 upper case, 1 number, 1 special character, cannot reuse any of the past 20 passwords, must change every 30 days, etc etc etc", no shit we end up picking a pattern and recycling old passwords.

    1. Re:Stupid Password Rules by Anonymous Coward · · Score: 2, Interesting

      must change every 30 days

      This one in particular infuriates me. We have a finance system which demands a change every 60 days but also won't let you re-use passwords (I assume it keeps a record of the hash because it won't even let you recycle from several years ago), and locks you out on the third failed attempt. After a lockout you have to email the finance department and wait several days for someone there to manually reset it and email you a new one, at which point it immediately demands a brand new password.

      We can't afford to wait several days for finance to get back to us after a lockout (of course, they'll never admit it takes this long) and we can't remember these passwords on top of all of the others, so of course it leads to us using predictable patterns of passwords and keeping records of them somewhere. By making security a pain in the ass and difficult for a user you just encourage the user to find fast and easy workarounds, and those often come at the expense of security.

  5. Re:LastPass knows your passwords? by SecState · · Score: 2

    I'm not going to register to read the full report. But, based on the article, it seems likely they're using two sources of data: 1) a survey (which probably has an item asking about password re-use), and 2) data from the corporate version of the app that shows, in aggregate, how many passwords a person has stored.

  6. Re:advertisement is an advertisement by nine-times · · Score: 2

    In fairness, it's much easier to remember one password for your password manager than 150 unique strong passwords, so IT would be getting fewer calls. Plus, a big part of the problem is that people won't remember hundreds of unique passwords, so they instead reuse passwords, which is one of the major ways that accounts get compromised.

    I'm not saying that this isn't an advertisement in disguise, but they're not wrong.

  7. There are passwords, and passwords by OneHundredAndTen · · Score: 2

    Not all passwords are created equal. For example, my Facebook password is probably a very weak one, for I use Facebook only when I am forced to register to some site where I want to write a comment. I don't really know (or care) about the contents of this account, which I opened under false credentials long ago. You see, Facebook can be useful, after all. This aside, the truth is that the bad guys all too often obtain passwords simply by asking for them. Well, not so simply, for the theater involved to get the victim to relinquish their password can be quite elaborate. But, this seems to work pretty well; having seen the process in action a few times, I couldn't help feeling impressed. Articles like this amount to little more than marketing for someone (LastPass, in this case) or mental masturbation. The people who select easy-to-crack passwords are, most likely, those who are going to relinquish their password when properly asked to do so, anyway. And, quite frankly, I for one couldn't care less if somebody gains knowledge of my Facebook password. Which I have forgotten, at any rate - only my browser knows it.

  8. Re:200 passwords? by Anubis+IV · · Score: 2

    You think 200 is unreasonable? I currently have 265 logins listed in my password manager, and I'd wager that I'm not even in the top quartile here. I had over 300 of them just a few months back, but then I went through and cleaned out several dozen. Oh, and that list is missing dozens more, such as:
    - Logins to my numerous home and work computers
    - Passcodes for numerous mobile devices
    - PINs to credit and debit cards (not so numerous)
    - PINs to parental settings and the like on gaming consoles and other set-top boxes

    All in all, I'd estimate that I had over 400 logins to various services and systems prior to the cleanup a few months back, and I'm by no means as heavy a user as some, such as teens who're willing to create new accounts with new services every other week. To say the least, it's not at all unreasonable that someone might be expected to be able to log in to 200 different systems, hence why password reuse is as much of a problem as it is.