With that incident in mind, I thought it would be pretty cool if you could run a check on all of your passwords and login information to see which of your accounts may have been affected by the hack. While that’s unfortunately not possible, the next best thing is. The developers of the popular online password manager and synchronizer Last Pass have created an online tool that evaluates the strength and other information about all passwords stored in a user’s vault.

This way, you can assess all of your passwords and logins at once, and make changes to the accounts that receive a weak rating. It begins with an overall score and rank at the top. Detailed results are then displayed when you start scrolling down, and this is where it gets interesting.

The results screen displays various information about your passwords. This includes the average password length, number of duplicate passwords and sites with those passwords, number of weak passwords or number of blank passwords. While those results are nice to know, they are not that helpful as you do not yet know which sites and log ins share the same password or use a weak passwords.

Those information are displayed when you scroll down to the Analyzed Sites listing. Last Pass’ Security Challenge lists all sites with duplicate passwords, unique passwords and no passwords in list form on that page.

You see on first glance which sites share a password. Even better, the password strength is shown on the very same page ranging from 0% (very bad) to 100% (very strong).

A visit site link is provided next to each entry which makes it even more comfortable to visit those sites and change the passwords.

It may take a while to go through all duplicate or weak password sites that are shown, but it is well worth it. Chance is, you find duplicate site listings as well, which is for instance the case if a service uses the same log in on more than one domain, or if you use it to access a site by domain name and IP address.

You can run the test again at anytime, and the score gets automatically updated. Last Pass displays test history information where you can see how the score improves or drops based on your changes.

A low score does not necessarily mean that you do not care about your account security. I for one use the very same username, email, password combination on many sites that force me to register to check out their service. These accounts are in no way linked to me and it would not be problematic if they would get hacked. More or less like a private Bug Me Not password if you like.

Tips on how to improve the overall security score are displayed at the very bottom of the page.

Last Pass users who want to run the test can do it on the Last Pass website. They need to be logged into their Last Pass account for that. (via Caschy)

I recently stumbled upon LastPass Sesame by chance. It is a free tool for 32-bit and 64-bit editions of Windows, Linux and Mac operating systems (that’s what the help file states, I was only able to find the Windows download on site) that can be used to add multifactor authentication to Last Pass.

It has been specifically designed for USB Thumb Drives and situations where you cannot “trust” the PC you are working on. Ideal for libraries, Internet Cafes, connections via wireless networks and other public places that offer access to computer systems or networks.

Read on to find out how Last Pass Sesame is setup and used. It begins with the authorization of Last Pass accounts in the software. This is done by entering the Last Pass username and password into the authorization prompt that opens on first start.

Each user account that is authorized this way is shown in the main program window. Here it is then possible to click on the Generate One Time Password button to create a one-time password for that account.

Each new account needs to verify participation before it becomes available in the software program. An email is automatically send to the account’s email address. The email contains a link that needs to be clicked on to activate Last Pass 2-step verification log ins.

The account from that moment on will be protected by the default username and password, and the one-time password that needs to be generated whenever you want to log into your Last Pass account.

Sesame can be deactivated at anytime. An email with a link to deactivate Sesame is send to the registered email address which again needs to be confirmed (by clicking on a link).

Take a look at the video below to see the whole process in action.

Last Pass Sesame adds a new layer of protection to the account. The procedure is definitely more secure than the standard Last Pass authentication method. That alone should be reason enough to give it a try, especially if you put it on a secure USB stick that supports data encryption.

Last Pass Premium users who would like to give Sesame a try can download it from the official website.

Experts who look closely at both services notice at least one feature that is supported by Last Pass and Xmarks: Password synchronization. Both Last Pass and Xmarks can synchronize passwords, and it seems that the new owners have made the decision to remove the password sync feature from Xmarks.

The Foxmarks Wiki reads:

The Xmarks Password Sync feature will be removed January 30, 2011. We are strongly encouraging all users migrate to LastPass for this feature!

While this has to be taken with a grain of salt, as everyone can add and edit pages, it would make sense from a business point of view. the benefits should be clear:

• The majority of users who are using password sync in Xmarks will likely migrate to Last Pass.
• The developers do not have to support and develop the same feature in two different applications.

Another indication that password sync will be removed from Xmarks is an entry in the changelog which reads: “LastPass’ password sync is now preferred”.

Password Sync is working fine in Xmarks as of now, even though there was a problem with the recent Chrome extension which the developers fixed soon thereafter.

What should users do who use Xmarks to sync their passwords? They should wait for an official confirmation first before they do anything.

The wiki entry suggests to install LastPass for Firefox and import the data from Firefox. This way all Xmark’s passwords are automatically imported into the Last Pass password manager. Xmarks obviously needs to be installed as well. (via)

According to information posted on Mediaite nearly 1.25 million user accounts were dumped from the databases by a group called Gnosis. The group is currently cracking the database and managed to retrieve 273k passwords so far, some of which are linked to government sites.

The group promised to release the full site source code and full database dump in the next days. They did release a partial dump already. A total of 2650 users of the database have been using the password “password” or “qwerty”, two of the most insecure passwords ever. Of those users one had a gov, three a mil and 52 an edu email address.

Now, what do users need to do that had an account over at Lifehacker. They need to assume that their account was hacked along with the others, and that attackers were able to crack the password.

First step is to change the password over at the Gawker media site. That’s all if the username / password combination was only used on that one site. Problems arise for users who use the same username and password combination on all of their web accounts. These users need to change the password on all of their accounts.

Our tip: Install a password manager like Last Pass that can help in the generation of secure passwords and the storage of them. It is imperative to use a username / password combination only once on the web.

More information about the hack are available at Download Squad and Lifehacker.

Last Pass Pocket is a tool from the developer’s of Last Pass that offers desktop access to all information stored at the Last Pass servers, including log in information but also generated passwords, search results and secure notes.

For that, the application displays a prompt where the master login needs to be entered. The passwords and other information are downloaded to the local system from where they can be accessed as long as the application stays open.

If you close the program again the information are not available anymore, unless they are exported to the local system. The option to export all passwords is available by clicking on File > Export.

The passwords can be saved in an encrypted file, that is protected by the LastPass master password, or a plain text copy that is not protected and readable by anyone with access to the computer. Once the passwords have been exported they can be loaded back into the password manager at anytime, even if there is no Internet access available at that time.

All information can be copied to the clipboard for use in other programs or services.

Last Pass Pocket is an interesting tool for Last Pass users who need offline access to their passwords. The password manager is available for Windows and Mac only. Windows users can download a 32-bit or 64-bit edition of the portable program. (via)

But how do passwords have to look like to be considered secure? And who determines that? There is no authority with guidelines on the creation of secure passwords. Companies, organizations, software developers and end users all have their own definition of secure passwords.

While some may think it is sufficient to select a password with numbers in it, others demand a password with upper and lower case chars, numbers, special characters and a minimum length of 16 or more.

Defining the format of a secure password is however only one side of the medal. It does not do anything good if the software, website or service is not compatible with those settings. A website that restricts the password to a length of 10 characters without special characters would be incompatible with a secure passwords policy that requires at least 14 chars and one special character.

Generally speaking, a password becomes more secure with the length of characters it contains, and the different types of characters used.

Several companies have created online tools that give the user feedback on the complexity of the password. Is that password secure is a common search term for those services. Lets take a closer look at some of them, but before that, lets define some typical passwords that we will feed them.

password 1: password
password 2: 4wOe409r
password 3: !S8I5U39YDnt8f
password 4: E&4!74mneGrTmOJ!HIr0
password 5: DP12c*0J!dM5mfdq2r!&WmMi!#g3

Microsoft password checker: Offers a simple form field which accepts a password. The ratings go from weak to best.

check your password

password 1: weak
password 2: weak
password 3: strong
password 4: strong
password 5: best

How Secure Is My Password: Does not display a rating, but tries to estimate the time it would take to crack the password.

password 1: One of the 500 most common passwords, It would be cracked almost instantly
password 2: It would take About 252 days for a desktop PC to crack your password
password 3: It would take About 564 billion years for a desktop PC to crack your password
password 4: It would take About 100 sextillion years for a desktop PC to crack your password
password 5: It would take About 100,603,110 nonillion years for a desktop PC to crack your password

The Password Meter: Compiles a list of all characters used and rates the passwords accordingly.

password strength

password 1: Very Weak, score 7%
password 2: Very Strong, score 81%
password 3: Very Strong, score 100%
password 4: Very Strong, score 100%
password 5: Very Strong, score 100%

The three password security checkers seem to disagree on the strength of some of the passwords used. All see the first password as a weak password, but similarities end there, as the second password is considered weak by Microsoft, but very strong by Password Meter.

The question now is how you can come up with a password policy to make sure that you only use secure passwords. The answer is simple: Always use a password that comes close to the maximum length allowed. That value is highly software and site specific. Here are a few suggestions:

• Never use a password with less than 16 chars unless the site limits the maximum character length to less than that
• Always use upper and lower case characters
• Always use at least one number in the password
• Always use at least one special character in the password
• Never use dictionary words as part of the password or the password

This leads to a problem: Remembering the passwords. The easiest way is to use a password manager like Last Pass for this. Password managers can create passwords based on the user’s parameters. Last Pass users for instance only need to press Alt-G to open the password creation window in the web browser.

password creation

The password can then be copied and entered during account creation. These passwords can also be used for non-web services, and stored in the password manager for retrieval.

Password managers will automatically save passwords and accounts that have been created, so that there is no need to remember the password. Only the master password, which is the password providing access to the password manager’s database needs to be remembered.

A simpler solution is to write down the passwords locally, and either carry them with you all the time, or store them in a secure location so that third parties cannot use them to access the accounts.

Do you have a password policy? Let us know in the comments.

Since this is not the first time Firefox acted up I started to troubleshoot the issue by disabling all add-ons to see if an add-on was the culprit. Firefox ran fine with no add-ons running in the background. I then enabled one add-on at a time to see which one was causing the hangs.

I found out that the password manager add-on Last Pass was the problem. I then remembered that I had the same problem about a month ago (see Fix Firefox With Last Pass Not Responding), and checked the Last Pass forums for news on the topic.

Some users were reporting problems with Last Pass, most of them were running a 64-bit edition of Windows 7, just like I do.

The solution was simple. Download the non binary version of the Last Pass add-on, and drag and drop it into the Firefox interface to install it. You need to disable the Last Pass add-on first so that the web browser starts up normally.

I’m not sure what the problem is exactly but the Last Pass guys should consider fixing it, as it is an annoying experience to witness the freezes every time the add-on updates automatically in Firefox.

Tests with Firefox 3.7 alphas showed the exact same stability problems. Firefox would sometimes hang on loading tabs after startup, hang when using a file browser of a WordPress blog to load an image and seemingly random at other times.

Disabling all add-ons seemed to solve the freezing issues and some further testing revealed that it was the Last Pass add-on that was responsible for the freezes in Firefox.

Several threads in the Last Pass forum point to other Firefox users who have experienced the same problems with the latest version of the password management extension.

The Last Pass developers have created a non binary version of the Firefox add-on which solved the stability problems that users were experiencing.

This add-on can simply be installed like any other Firefox add-on and will replace the existing Last Pass version in the browser. Cautious users might want to uninstall the add-on first and install the new version afterwards.

The new Last Pass version can be downloaded from the official Last Pass site.

The Chrome developers have now added an autofill feature to the Google Chrome 5 browser which is enabled by default but can be disabled right away in the web browser if it is not used by the Internet user.

Autofill is basically another feature that – just like the Google Translate option – has been offered in the Google Toolbar for quite some time.

There are two options on how to add profile information so that the data can later be used to autofill web forms. The first option is to fill out a form. This is recognized by Google Chrome which then suggests to store the entered data for future uses.

The second option is to create a profile right in the options of the browser. The autofill feature supports multiple profiles which each can store names, email addresses, addresses, phone and fax numbers as well as separate credit card information. The information can naturally be deleted as well in the same menu.

The profile information that can be stored by the Autofill option are not as sophisticated as those that the extension Last Pass offers. Last Pass can for instance save bank account information and custom fields which Google Chrome Autofill cannot.

Last Pass users might therefor prefer to turn off Chrome Autofill to continue using the autofill provided by their extension.

Autofill is only available in the latest development releases of Google Chrome 5. Those can be downloaded from this page. (via Techie Buzz)

The Account Manager is described as an evolution of the password manager that is integrated in Firefox and the identity components used in Weave. What it actually will do is to allow users to manage their logins and profiles for each website.

The Account Manager is provided as a prototype add-on that can be downloaded from the project’s homepage over at Mozilla Labs.

It displays a new key icon in the Firefox address bar by default which can be clicked on to access the functionality provided.

The prototype works only on a few sites currently including Google, Yahoo, Facebook, Mozilla Add-Ons, Mozilla Bugzilla and Personas. Saved login information need to be available in the Firefox password manager as well for it to function.

Several features are currently in the making including global profiles, automatic website registrations using the global profile, a detailed account viewer and auto login support for configured services and websites.

This sounds a lot like the functionality of password managers like Last Pass. There is a striking resemblance when the features are compared. The main difference between a password manager and the Account Manager is the Account Manager’s requirement that websites and services implement the draft specs (and later specs) to be included.

This alone makes it unlikely that the majority of websites will implement that feature.

Interested users can visit the Mozilla Labs page that contains information and downloads, take a look at the draft document or visit the Mozilla Wiki page for additional information and status information. (via Techie Buzz)

The best protection against those kind of attacks are strong passwords, an up to date computer system with security software installed and an open educated mind that uses caution and common sense whenever passwords or other personal information are entered on the Internet.

Some security software programs can aid the user in protecting the data. Software programs like Last Pass or KeePass, a password manager that can generate secure passwords and remember them for the user, are examples of this.

But those applications do not change the system itself. All that is needed to log into a service are the username and password of a user. Yubico changes this.

Yubikey is an USB key that offers strong authentication by adding an extra layer of authentication to the login process of several popular applications and Internet services. Supported are for instance password managers like Last Pass or KeePass, content management systems like WordPress or Drupal, the popular encryption software True Crypt and other services like Google Apps or OpenID.

Features:

• Requires no driver or software installation
• Compatible with Windows, Linux, Mac OSX and Solaris
• Robust, waterproof, crush-safe, no batteries required.
• Open-source client-side SDK available.
• Yubico offers a free validation service, or you can run it on your own server.
• Customization options like labeling the keys
• RFID and OATH Yubikeys available as well

How does it work?

Yubico basically adds another layer of security to the login process in most cases. A login to the Last Pass master server for instance will still require the user’s Last Pass email address and password but will display a Yubico prompt afterwards. The user then needs to enter the Yubikey into an USB port. The Yubikey comes with a button on the device that will send a password to the computer whenever it is pressed. This password is used in the authorization process.

The Yubikey password consists of a static and dynamic part which makes this solution excellent of battling keyloggers and other eavesdropping techniques as the password is only valid for one time and void afterwards. This password can be changed to a very long static password for offline usage (for example required to make it work with True Crypt during system boot).

This means that an attacker would need access to the user’s email address and password but also access to the USB key to gain access to the service.

Take a look at this video for additional details

Yubikey adds another security layer to the authentication process. It is Open Source, does not require installation, is compatible will most popular operating systems, works with lots of popular services and can be easily carried around in a wallet or on a key chain.

This is the perfect device for web users who work with WordPress, Google Apps, password managers, OpenID or other services and applications listed at the Yubikey Wiki.

Giveaway and Discount

The Yubico guys were nice enough to give us ten of their Yubikeys that we can give away to you. If you want to win a Yubikey post a comment and let us know what you think of the device.

We were also able to get a 40% discount for a pair of Yubikeys that are usually sold for $50 at the store. If you do not trust your luck you might want to buy them with the discount code instead. Simply enter ghacks in the coupon code field during checkout to get the 40% discount.

Update: The Yubikey coupon code is no longer valid.

Microsoft determined that the attack was not a breach of internal Microsoft data and believes that the account data was gained by a phishing attack. Phishing attacks are common ways these days to lure users into entering their account data on websites that look like the real deal but are not.

Hotmail users are encouraged to immediately change their account password to protect the account from unauthorized access. It is furthermore recommended to change the account password on other websites if the same password was used for accounts there as well.

A good tool that can help users create and use secure passwords is the Last Pass extension which is available for Firefox,Internet Explorer and Google Chrome.

I want to go beyond the usual recommendations to discuss PC security issues that many users do not think about at all or not enough.

Update

You can install a secure operating system, an award winning anti-virus software and firewall and still fall prey to attackers through outdated system components. Programs that are used on the computer system need to be up to date. That is especially true for the operating system and programs that connect to the Internet. This includes the web browser (including web browser plugins like Flash), email client, instant messengers, but also the security software programs (which usually come with automatic updates turned on). The computer is vulnerable if the operating system and programs are not up to date.

Email

There are only three rules for emails: Do not open attachments, do not click on links and do not use HTML emails. Email attachments can contain malicious software. They usually do if the sender is unknown or by a company that never send you attachments before. Links can be disguised to look as if they point to a trustworthy website when in fact they lead to a phishing website to grab your username and password. HTML emails can be used to exploit the browsing engine and are also used for tracking users.

Here is how I handle these three risks. Attachments send by friends are usually safe. It is important to check the extension of the attachment. I’m cautious if it is an executable (even when send by a friend). Executables send by senders I do not know are deleted instantly. I check the remaining executable attachments at the online service Virus Total. If I’m still unsure I contact the friend asking about the attachment and why it was send to me.

I never click on links in the email client. If it points to a site I know I open the site manually in my web browser. I otherwise check if the link text and the link are pointing to the same url. If they do I copy and paste the link in my web browser (Firefox with Noscript, so barely any risk here). I do not have to supply username and password since I do not know the service so no fear of phishing in this case.

HTML can be disabled in most email clients.

The Web

I use Firefox mainly for the add-ons and in particular because of the NoScript add-on which provides an excellent layer of security (it disables all scripts by default with the option to enable them individually again). NoScript takes care of most threats on the Internet if it is used in the right way. Someone who always enables all scripts on a website (because it is faster than enabling only some) is not more protected than someone without NoScript. If you enable scripts only on websites that you trust then you are well protected (yes there is always a tiny chance that you are attacked on these sites as well e.g. through malicious banner advertisement).

Another add-on that I have come to love is Last Pass. A password manager and secure password generator that can create and remember passwords and profile information. Last Pass connects urls and passwords which is an excellent phishing protection as well. Say you have username and password saved in Last Pass for PayPal.com. If you open a phishing website that mimics the PayPal website you will notice that Last Pass will not automatically fill out the username and password. Something that the add-on would have done on the real PayPal website.

Files that can be executed are another threat on the Internet. A good way of dealing with those files is to use Virus Total again to check them out before executing them on the local system. It is advised to only download these files from trustworthy sources (big download portals, websites of trusted developers).

Verdict

The majority of attacks can be rendered useless with the right PC security. Updates are probably the most important part of every PC security strategy but caution is a close second. It is always advised to double-check a file or site. This might take more time but it can prevent attacks on a computer system which will save the user lots of time in the end.

It is for example possible to access the passwords on other computer systems without having to carry them around on storage devices like USB sticks. And since Last Pass is not only compatible with Internet Explorer it comes also handy for users who work with web browsers like Firefox. It is basically possible to share passwords and other data between Internet Explorer and Firefox this way.

The download of the password management software is cross-browser compatible. It can install the add-on in both Internet Explorer and Mozilla Firefox at the same time. New users can create an account during the installation while existing users need to supply their login credentials to end the installation.

Last Pass adds a button to the Internet Explorer toolbar that provides quick access to most of the features offered by the password management software. It is for example possible to open some of the recently opened websites, switch identities, edit the preferences or add secure notes.

Password Management is not the only feature offered by Last Pass. The program can store notes in the password vault and offers an option to create form profiles to fill out forms on websites more easily.

The add-on will automatically recognize username and password forms on websites and act accordingly. It can fill out the form automatically if the login credentials are already stored in its database. New passwords can be generated with the versatile password generator. Last Pass is definitely one of the best password management tools.