This great password manager has been reviewed by our editor Rhiannon in one of her Tech Treats: Bitwarden. Steve Gibson (GRC.com), one of the world's top computer experts, endorses LastPass in a blog, and Bitwarden uses the same type of technology, where your passwords never leave your computer or phone without first being totally encrypted.

iOS Password Mis-Managers. Description: After catching up with the week's news, Steve and Leo examine the inner workings of the most popular password managers for Apple's iOS devices to determine whether and to what degree they offer enhanced security for safe password storage.

Thanks everyone for your input. I Googled +'Steve Gibson' +'password managers' and similar searches but did not find anything where password manager browser extension vulnerabilities are addressed. If anyone has a link to share, I'd much appreciate it.
LastPass, a company that offers users a way to centrally manage all of their passwords online with a single master password, disclosed Monday that intruders had broken into its databases and made off with user email addresses and password reminders, among other data.
In an alert posted to its blog, LastPass said the company has found no evidence that its encrypted user vault data was taken, nor that LastPass user accounts were accessed.
'The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised,' the company said. 'We are confident that our encryption measures are sufficient to protect the vast majority of users. LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed.'
Hosts: Steve Gibson with Leo Laporte. HP's recent analysis of the (lack of) security in 'Internet of Things' appliances, BadUSB, Steve's analysis of browser-based password managers, and more! Download or subscribe to this show at twit.tv/sn. We invite you to read, add to, and amend our show notes. You can submit a question to Security Now! at the GRC Feedback Page.

Browser Password Managers. Hosted by Leo Laporte, Steve Gibson. Steve Gibson summarizes his analysis of browser-based password manager research. Records live every Tuesday at 4:30pm Eastern / 1:30pm Pacific / 20:30 UTC.
Parsing LastPass's statement requires a basic understanding of the way that passwords are generally stored. Passwords are 'hashed' by taking the plain text password and running it against a theoretically one-way mathematical algorithm that turns the user's password into a string of gibberish numbers and letters that is supposed to be challenging to reverse.
The weakness of this approach is that hashes by themselves are static, meaning that the password '123456,' for example, will always compute to the same password hash. To make matters worse, there are plenty of tools capable of very rapidly mapping these hashes to common dictionary words, names and phrases, which essentially negates the effectiveness of hashing. These days, computer hardware has gotten so cheap that attackers can easily and very cheaply build machines capable of computing tens of millions of possible password hashes per second for each corresponding username or email address.
But by adding a unique element, or 'salt,' to each user password, database administrators can massively complicate things for attackers who may have stolen the user database and rely upon automated tools to crack user passwords.
'What a salt does is make it hard to go after a lot of passwords at once as opposed to one user's password, because every user requires a separate guess and that separate guess is going to take a considerable amount of time,' said Steve Bellovin, a professor in computer science at Columbia University. 'With a salt, even if a bunch of users have the same password, like '123456,' everyone would have a different hash.'
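To make the scheme in LastPass's statement and the hashing/salting explanation above concrete, here is an added example (not LastPass's code and not from the article) that mirrors the description: PBKDF2-SHA256 rounds on the client, then server-side PBKDF2-SHA256 with a random per-user salt and 100,000 rounds. The client-side round count, the use of the e-mail address as the client-side salt, and the salt length are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# The article states 100,000 server-side rounds of PBKDF2-SHA256.
# CLIENT_ROUNDS and SALT_BYTES are assumed values for this example,
# not LastPass's actual parameters.
CLIENT_ROUNDS = 5000
SERVER_ROUNDS = 100_000
SALT_BYTES = 16


def client_derive(master_password: str, email: str, rounds: int = CLIENT_ROUNDS) -> bytes:
    """Client-side step: stretch the master password before it leaves the device.
    Salting with the (lower-cased) e-mail is an assumption for this example."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), email.lower().encode(), rounds)


def server_strengthen(client_hash: bytes, salt: bytes, rounds: int = SERVER_ROUNDS) -> bytes:
    """Server-side step: strengthen the received value with a random per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", client_hash, salt, rounds)


def enroll(master_password: str, email: str) -> dict:
    """Build the record a server stores: e-mail, per-user salt and authentication hash.
    This is what an attacker gets from a database theft; the master password is not in it."""
    salt = os.urandom(SALT_BYTES)
    auth_hash = server_strengthen(client_derive(master_password, email), salt)
    return {"email": email, "salt": salt, "auth_hash": auth_hash}


def verify(record: dict, master_password: str) -> bool:
    """Recompute both stages for a login attempt and compare in constant time."""
    candidate = server_strengthen(client_derive(master_password, record["email"]), record["salt"])
    return hmac.compare_digest(candidate, record["auth_hash"])


def unsalted_sha256(password: str) -> str:
    """The weak baseline the article describes: a plain hash is static, so every
    user with '123456' gets the same value and one lookup table cracks them all."""
    return hashlib.sha256(password.encode()).hexdigest()


if __name__ == "__main__":
    # Constructed sample accounts sharing the same weak password.
    alice = enroll("123456", "alice@example.com")
    bob = enroll("123456", "bob@example.com")
    print("unsalted hashes equal:", unsalted_sha256("123456") == unsalted_sha256("123456"))
    print("salted auth hashes equal:", alice["auth_hash"] == bob["auth_hash"])
    print("alice logs in:", verify(alice, "123456"), "| wrong password:", verify(alice, "1234567"))
```

Because each stored hash carries its own salt, a stolen table must be attacked one user at a time, and each guess costs the full 100,000 server-side rounds plus the client-side rounds.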
More concerning in this particular breach, Bellovin said, is that users' password reminders also were stolen.
'I suspect that for a significant number of people, the password reminder — in addition to the user's email address — is going to be useful for an attacker,' he said. 'But password reminders are useful for targeted attacks, not massive attacks. That means that if your password reminder or hint is not particularly revealing to someone who doesn't know you, it probably doesn't matter much. Except in the case of targeted phishing attacks,' which might try to leverage data known about a specific target (such as a password hint) to trick the user into giving up the answer to their password reminder.
So what's the takeaway here? If you entrust all of your passwords to LastPass, now would be a terrific time to change your master password.