<?xml version="1.0" encoding="UTF-8"?> <rss
version="2.0"
xmlns:content="http://purl.org/rss/1.0/modules/content/"
xmlns:wfw="http://wellformedweb.org/CommentAPI/"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:atom="http://www.w3.org/2005/Atom"
xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
> <channel><title>gHacks Technology News &#124; Latest Tech News, Software And Tutorials &#187; lastpass</title> <atom:link href="http://www.ghacks.net/tag/lastpass/feed/" rel="self" type="application/rss+xml" /><link>http://www.ghacks.net</link> <description>A technology news blog covering software, mobile phones, gadgets, security, the Internet and other relevant areas.</description> <lastBuildDate>Fri, 10 Feb 2012 16:53:42 +0000</lastBuildDate> <language>en</language> <sy:updatePeriod>hourly</sy:updatePeriod> <sy:updateFrequency>1</sy:updateFrequency> <generator>http://wordpress.org/?v=3.3.1</generator> <atom:link rel="hub" href="http://pubsubhubbub.appspot.com"/><atom:link rel="hub" href="http://superfeedr.com/hubbub"/> <item><title>LastPass Password Manager Now With Google Authenticator Support</title><link>http://www.ghacks.net/2011/12/12/lastpass-password-manager-now-with-google-authenticator-support/</link> <comments>http://www.ghacks.net/2011/12/12/lastpass-password-manager-now-with-google-authenticator-support/#comments</comments> <pubDate>Mon, 12 Dec 2011 12:24:46 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Google]]></category> <category><![CDATA[lastpass]]></category> <category><![CDATA[password manager]]></category> <category><![CDATA[passwords]]></category> <category><![CDATA[Security]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=54268</guid> <description><![CDATA[One way to improve online account security is to use so-called 2-step verification systems when they are offered by companies and services. Companies like Google, PayPal or Yahoo are already offering multifactor authentication systems to their users. These systems are optional for now and improve security by combining standard log ins with a second [...]]]></description> <content:encoded><![CDATA[<p>One way to improve online account security is to use so-called 2-step verification systems when they are offered by companies and services. Companies like Google, PayPal or Yahoo are already offering multifactor authentication systems to their users. These systems are optional for now and improve security by combining standard log ins with a second verification step. A mobile device is usually used for that second step, but other solutions (like <a
href="http://www.ghacks.net/2008/07/19/protect-paypal-accounts-with-verisign-identity-protection-devices/">PayPal&#8217;s ID Protection device</a>) are available as well.</p><p>The password manager LastPass had been my password manager of choice before I switched to the Open Source password manager <a
href="http://www.ghacks.net/2011/05/05/the-lastpass-security-incident-what-i-did/">KeePass</a>. LastPass has supported multifactor authentication systems for some time now, for instance with the help of <a
href="http://www.ghacks.net/2010/01/12/yubico-usb-key-provides-extra-login-protection-security/">Yubikeys</a>. But those usually came with a cost.</p><p>LastPass back in November introduced support for Google&#8217;s Authenticator app to add another multifactor authentication option to the service.</p><p>Google Authenticator is a mobile application for Android, iOS, Blackberry and Symbian devices that generates a temporary verification code that users need to enter when they log into LastPass from untrusted devices.</p><p>Google Authenticator needs to be linked to LastPass before the new security feature can be used. Here is how this is done.</p><ul><li>Google Authenticator needs to be installed on a mobile device. Google <a
href="http://support.google.com/accounts/bin/answer.py?hl=en&#038;answer=1066447">offers</a> installation instructions for Android, iOS and Blackberry devices. Please note that you need to enable 2-step verification using the phone number as Google Authenticator cannot be set up otherwise.</li><li>Once Google Authenticator is up and running properly, LastPass users need to visit <a
href="https://lastpass.com/?ac=1&#038;opengoogleauth=1">this link</a> to link the authenticator with their LastPass account. This is done by either scanning the displayed barcode with the mobile device, or by entering the Google Authentication key displayed on the website manually.</li></ul><p><a
href="http://www.ghacks.net/wp-content/uploads/2011/12/lastpass-google-authenticator.jpg"><img
src="http://www.ghacks.net/wp-content/uploads/2011/12/lastpass-google-authenticator.jpg" alt="lastpass google authenticator" title="lastpass google authenticator" width="593" height="398" class="alignnone size-full wp-image-54272" /></a></p><p>LastPass will from now on display a Google Authenticator Authentication page for log ins to the service from untrusted devices.</p><p><a
href="http://www.ghacks.net/wp-content/uploads/2011/12/lastppass-multifactor-authentication.jpg"><img
src="http://www.ghacks.net/wp-content/uploads/2011/12/lastppass-multifactor-authentication.jpg" alt="lastppass multifactor authentication" title="lastppass multifactor authentication" width="566" height="316" class="alignnone size-full wp-image-54273" /></a></p><p>LastPass users then need to open the Google Authenticator app to generate a one-time verification code that they need to enter on the LastPass website. Users who require offline access to their LastPass password database can configure this during setup. It is also possible to trust devices to avoid having to generate and enter verification codes on every log in.</p><p>Additional information about the setup is <a
href="http://helpdesk.lastpass.com/security-options/google-authenticator/">available on</a> the LastPass Support website.</p><p>The new multifactor authentication adds a second layer of protection to the LastPass login process that makes it a lot harder for attackers to access a user&#8217;s password database.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2011/12/12/lastpass-password-manager-now-with-google-authenticator-support/feed/</wfw:commentRss> <slash:comments>7</slash:comments> </item> <item><title>LastPass Passes, Sony Fails</title><link>http://www.ghacks.net/2011/05/10/lastpass-passes-sony-fails/</link> <comments>http://www.ghacks.net/2011/05/10/lastpass-passes-sony-fails/#comments</comments> <pubDate>Tue, 10 May 2011 06:53:42 +0000</pubDate> <dc:creator>Melanie Gross</dc:creator> <category><![CDATA[Security]]></category> <category><![CDATA[Hacking]]></category> <category><![CDATA[lastpass]]></category> <category><![CDATA[playstation network]]></category> <category><![CDATA[sony]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=44895</guid> <description><![CDATA[The cloud has been rather rainy, lately. Sony has had a rough month, to say the least. They’ve been hacked, and info has been stolen. At the time of writing PSN has been down for close to three weeks, and Sony Online Entertainment has been down for a week. During this time, Sony hasn’t shown [...]]]></description> <content:encoded><![CDATA[<p>The cloud has been rather rainy, lately.  Sony has had a rough month, to say the least.  They’ve been hacked, and info has been stolen.  At the time of writing PSN has been down for close to three weeks, and Sony Online Entertainment has been down for a week.  During this time, Sony hasn’t shown much ability to deal with its customers in a productive manner.  LastPass, too, has had its share of trouble this week.  Compared to Sony, it’s come through with flying colors.  The way LastPass handled itself has shown that it really does care about its customers and its mission.</p><p><a
href="http://www.bbc.co.uk/news/technology-13260041">Sony</a> scrambled to give its customers something like an explanation after PSN went down.  It was not very successful.  It tried to relate just enough info to ease its customers without going into too much detail.  In fact, it spent the day before the suspension of Sony Online Entertainment telling its customers that everything was under control and would be back up soon.  Oh, and by the way, members could have a month’s service free for their trouble.</p><p><img
src="http://www.ghacks.net/wp-content/uploads/2011/05/lastpass-570x124.png" alt="lastpass" title="lastpass" width="570" height="124" class="alignnone size-medium wp-image-44896" /></p><p><a
href="http://www.ghacks.net/tag/lastpass/">LastPass</a> is a utility for storing passwords.  You only have to remember a master password, and it remembers all the rest.  If you’re not good at creating secure, I.E. non dictionary passwords, it can create them for you.  It has support for all of the major browsers, and most of the mobile platforms as well.</p><p>When LastPass saw a potential problem, the company <a
href="http://blog.lastpass.com/2011/05/lastpass-security-notification.html">explained</a> to its customers exactly what was going on.  There was a post up before anything bad happened.  Service wasn’t even interrupted when customers were notified that there was a potential problem.</p><p> Let’s talk about Sony and security for a moment shall we?  When the company discovered that PSN was hacked, Sony released the information that customer names, numbers and addresses had been taken, but <a
href="http://blog.us.playstation.com/2011/05/02/playstation-network-security-update/">couldn’t be sure</a> whether or not credit card info was stolen.  When Sony Online Entertainment was hacked, the company told customers that <a
href="http://arstechnica.com/gaming/news/2011/05/sony-attacked-again-12700-non-us-cc-numbers-feared-stolen.ars">thousands</a> of credit card numbers were taken as well.</p><p>LastPass was much more aware of security, it seems, than Sony.  The company let customers know that there may have been a hacking incident before it was certain that there had been one.  Someone noticed increased traffic on a database and didn’t know why, so the company played it safe.  They recommended that customers change their master password just in case the database was hacked.</p><p>LastPass has shown itself both in terms of openness with its customers and in its business practices to really care about the security of the information it’s been given.  Sony, on the other hand, has shown that it has trouble dealing with this kind of security issue.  Granted, LastPass is in the security field, but considering the amount of your info and money Sony has, the company should be more aware of potential risks and be more prepared for them, don’t you think?</p><p>Are you a user of LastPass?  Are you on PSN?  What are your views on the way the two companies have dealt with their security issues?  What could either company have done better in your view in terms both of relations with their customers and in terms of security?  
Am I being unfair to Sony?</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2011/05/10/lastpass-passes-sony-fails/feed/</wfw:commentRss> <slash:comments>10</slash:comments> </item> <item><title>The LastPass Security Incident, What I Did</title><link>http://www.ghacks.net/2011/05/05/the-lastpass-security-incident-what-i-did/</link> <comments>http://www.ghacks.net/2011/05/05/the-lastpass-security-incident-what-i-did/#comments</comments> <pubDate>Thu, 05 May 2011 13:56:34 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Security]]></category> <category><![CDATA[keepass]]></category> <category><![CDATA[lastpass]]></category> <category><![CDATA[password manager]]></category> <category><![CDATA[passwords]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=44749</guid> <description><![CDATA[After finding out that there might have been a security breach at LastPass, a company known for their online password management solution, I quickly changed my master password and started to think about possible consequences. For some time now, I had been thinking about switching to an offline password management solution. Not necessarily because I [...]]]></description> <content:encoded><![CDATA[<p>After finding out that there might have been a <a
href="http://www.ghacks.net/2011/05/05/lastpass-security-breach/">security breach at LastPass</a>, a company known for their online password management solution, I quickly changed my master password and started to think about possible consequences.</p><p>For some time now, I had been thinking about switching to an offline password management solution. Not necessarily because I think that online password managers are inherently less secure, but because it gives me more control over my passwords.</p><p>I therefore made the decision to migrate all my LastPass account information to KeePass, a free password management software. But simply migrating the data was not enough. If someone did actually manage to steal data from LastPass servers, they might have all my login accounts by now. The chance is slim, especially if you take into account what LastPass has communicated so far, but since I earn my living on the web I wanted to be on the safe side here.</p><p>The decision was born to change <strong>all my account passwords</strong> after the migration. I knew that this would not be easy, with 500+ accounts listed in the LastPass database.</p><p>This guide explains how I imported my LastPass login database to KeePass, and how to change all your account passwords in record-breaking time. Don&#8217;t get me wrong, you will still spend hours and hours doing repetitive boring tasks.</p><h3>Exporting LastPass database</h3><p>The first task is to export the LastPass database. The information within acts as a reference, so that you know how far you got with changing your account passwords. Open the LastPass website and click Sign In to LastPass to log into your account.</p><p>Once you are logged in select Export and enter your account&#8217;s master password again.</p><p><img
src="http://www.ghacks.net/wp-content/uploads/2011/05/lastpass-export.png" alt="lastpass export" title="lastpass export" width="188" height="361" class="alignnone size-full wp-image-44752" /></p><p>LastPass outputs all of your account information in one large list. Select all with Ctrl-a, and then Ctrl-c to copy the information to the clipboard. Save them in a text file on the local system. The list contains all urls, usernames, passwords and other information that you have stored in LastPass&#8217;s password manager.</p><h3>Importing Passwords Into KeePass</h3><p>Download the latest version of <a
href="http://keepass.info/index.html">KeePass</a> from the developer website. Please note that it is only available for Windows and many mobile devices. I have installed the password manager on an encrypted hard drive for extra protection.</p><p>Start KeePass after installation or extraction and select File > Import from the menubar. Select Generic CSV Importer from the options and load the text document with your account information. A click on OK imports the data into KeePass.</p><p>Please note that the url is added as the title of each individual password, which is not a big problem. The url field is left blank, which we will utilize soon.</p><p><img
src="http://www.ghacks.net/wp-content/uploads/2011/05/keepass-570x391.png" alt="keepass" title="keepass" width="570" height="391" class="alignnone size-medium wp-image-44755" /></p><h3>Changing Passwords With KeePass</h3><p>Now that you have all your LastPass passwords in KeePass it is time to change all of them. Here are a few tips to get you started with that:</p><ul><li>Disable the LastPass add-on in your browser. If you do not do this you will get a &#8220;we noticed a password change prompt&#8221; all the time.</li><li>A big screen helps you. I had Firefox open in one half, KeePass and the password list in the other, which meant that I did have all information visible on screen all the time.</li><li>Move all Generated Passwords entries to the old group</li><li>Create password groups to sort passwords into. You can create new groups with a click on Edit > Add Group, or a right-click and Add Group.</li><li>Start with your email accounts. Why? Because if they get compromised they may be used to reset passwords that you have just changed. Create a new group emails and change them right away.</li><li>Now think about your most important accounts, e.g. financial, web hosting, shopping. Change those after you have changed the email accounts.</li><li>Open a blank text document and use Tools > Generate Password List to generate a list of secure passwords. I suggest 20+ characters including upper- and lower-case, digits, minus and underline. You may add some special characters to it that are often allowed, for instance !?%&#038;. Copy and paste the full list into the text document. You will work through the list when you change accounts.</li><li>Never use the same password for more than one account</li><li>If you are a webmaster, you may have access to multiple accounts from one admin interface. For many WordPress sites, I have an admin account and an author account which both needed changing. 
To speed things up, you can log in with the admin, change the admin account first, and then change the author account while still logged in as the admin. The same is true for web hosting accounts if you host multiple domains and websites under that account.</li><li>To keep track of things, I always added the url to accounts that I have changed the password for. I also moved those accounts to an appropriate group. This way, it was easier to keep track of the password changing progress.</li></ul><p>The biggest drawbacks that you will encounter are sites that limit the number of password characters. I encountered more than one site that only accepted six characters in total. That&#8217;s crazy.</p><p>My routine looked like the following:</p><ul><li>Double-click the next entry in the KeePass database, copy the url, paste it into the web browser.</li><li>While it is loading copy the username from the KeePass database.</li><li>Paste the username</li><li>Copy the password with a right-click</li><li>Paste the password</li><li>Locate the account settings or password change options on the page.</li><li>Paste the old password in if the site required it.</li><li>Copy the next password from the password list and paste it into the new password form, submit.</li><li>Double-click the entry in the KeePass database, paste the new password in there as well.</li><li>Copy the url and paste it into the url field.</li><li>Move the account to one of the groups</li><li>Repeat</li></ul><p>You may be able to speed things up further by installing a plugin like KeeFox which brings KeePass functionality to Firefox. Similar extensions are available for other web browsers. I&#8217;m currently managing about 50-60 accounts per hour with this system. 
You may be even faster if you use a browser plugin.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2011/05/05/the-lastpass-security-incident-what-i-did/feed/</wfw:commentRss> <slash:comments>51</slash:comments> </item> <item><title>LastPass Security Breach?</title><link>http://www.ghacks.net/2011/05/05/lastpass-security-breach/</link> <comments>http://www.ghacks.net/2011/05/05/lastpass-security-breach/#comments</comments> <pubDate>Thu, 05 May 2011 08:15:59 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Security]]></category> <category><![CDATA[The Web]]></category> <category><![CDATA[lastpass]]></category> <category><![CDATA[lastpass security]]></category> <category><![CDATA[password manager]]></category> <category><![CDATA[passwords]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=44719</guid> <description><![CDATA[You know that I&#8217;m using LastPass as my password manager. It offers everything that I need and then some. One thing that I like about the service is that the company is dedicated and taking security seriously. A blog post at the LastPass blog entitled LastPass Security Notifications mentions that the company has noticed a [...]]]></description> <content:encoded><![CDATA[<p>You know that I&#8217;m using LastPass as my password manager. It offers everything that I need and then some. One thing that I like about the service is that the company is dedicated and taking security seriously. A blog post at the LastPass <a
href="http://blog.lastpass.com/2011/05/lastpass-security-notification.html">blog</a> entitled LastPass Security Notifications mentions that the company has noticed a network traffic anomaly on a non-critical server. The cause for the anomaly could not be identified. Further investigation revealed that traffic was sent from a database which could not be accounted for either.</p><p>Instead of sweeping that incident under the table, the developers decided to assume the worst case scenario: That an attacker managed to breach the security and download user data from the database. The traffic amount was large enough to include user emails, server salt and salted password hashes.</p><p>This data can be used by the attacker to brute force passwords which would then give access to a user&#8217;s Last Pass vault with all stored passwords.</p><p><img
src="http://www.ghacks.net/wp-content/uploads/2011/05/last-pass-security-570x473.png" alt="last pass security" title="last pass security" width="570" height="473" class="alignnone size-medium wp-image-44725" /></p><p>The company as a consequence asks its users to change their master password as a precautionary measure.</p><p>Some users may have received notifications to change their master password, or other notifications related to the incident (an error has been encountered while loading your sites lastpass). Only users who try to connect and log in with a new IP address, one that they have not been using in the past weeks, are asked to do that.</p><p>I did change my master password and I&#8217;m currently seeing an anomaly on all sites. The autofill username and password feature appears to be broken. Even a right-click and the selection of LastPass > Copy Username or Copy Password does not reveal any entries.</p><p><img
src="http://www.ghacks.net/wp-content/uploads/2011/05/lastpass-not-working.png" alt="lastpass not working" title="lastpass not working" width="200" height="102" class="alignnone size-full wp-image-44722" /></p><p>I could not find any information about this on the LastPass website or in the user comments. I suppose it is a temporary thing that will resolve automatically.</p><p>Last Pass are rebuilding the boxes and have moved services to other servers for now. They also compared the code on the live servers with code from their repositories to make sure it was not tampered with.</p><p>If you read through the comments you notice that the majority of users that comment have log in problems. Some because their browser appears to be detected as a mobile device which they cannot log in with.</p><p>I for one am happy that LastPass did communicate the issue right away with their users, unlike other companies that we know of (cough, Sony, cough). Yes, it may be inconvenient today to get things sorted out, but I prefer that to doing nothing.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2011/05/05/lastpass-security-breach/feed/</wfw:commentRss> <slash:comments>33</slash:comments> </item> <item><title>Lastpass Security Challenge, Test Your Last Pass Passwords</title><link>http://www.ghacks.net/2011/04/29/lastpass-security-challenge-test-your-last-pass-passwords/</link> <comments>http://www.ghacks.net/2011/04/29/lastpass-security-challenge-test-your-last-pass-passwords/#comments</comments> <pubDate>Fri, 29 Apr 2011 16:04:50 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Security]]></category> <category><![CDATA[last pass]]></category> <category><![CDATA[lastpass]]></category> <category><![CDATA[lastpass security]]></category> <category><![CDATA[password manager]]></category> <category><![CDATA[passwords]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=44526</guid> <description><![CDATA[Using secure, unique passwords for every Internet site or service is one of the best security practices out there. That does not necessarily protect you completely, as the Sony Playstation Network incident has shown, but it invalidates several popular techniques to steal passwords and log in information. With that incident in mind, I thought it [...]]]></description> <content:encoded><![CDATA[<p>Using secure, unique passwords for every Internet site or service is one of the best security practices out there. That does not necessarily protect you completely, as the <a
href="http://www.ghacks.net/2011/04/27/sony-psn-hack-what-you-need-to-know-right-now/">Sony Playstation Network</a> incident has shown, but it invalidates several popular techniques to steal passwords and log in information.</p><p>With that incident in mind, I thought it would be pretty cool if you could run a check on all of your passwords and login information to see which of your accounts may have been affected by the hack. While that&#8217;s unfortunately not possible, the next best thing is. The developers of the popular online password manager and synchronizer Last Pass have created an online tool that evaluates the strength and other information about all passwords stored in a user&#8217;s vault.</p><p><img
src="http://www.ghacks.net/wp-content/uploads/2011/04/lastpass-security-challenge-570x267.png" alt="lastpass security challenge" title="lastpass security challenge" width="570" height="267" class="alignnone size-medium wp-image-44527" /></p><p>This way, you can assess all of your passwords and logins at once, and make changes to the accounts that receive a weak rating. It begins with an overall score and rank at the top. Detailed results are then displayed when you start scrolling down, and this is where it gets interesting.</p><p><img
src="http://www.ghacks.net/wp-content/uploads/2011/04/password-strength-570x408.png" alt="password strength" title="password strength" width="570" height="408" class="alignnone size-medium wp-image-44528" /></p><p>The results screen displays various information about your passwords. This includes the average password length, number of duplicate passwords and sites with those passwords, number of weak passwords or number of blank passwords. While those results are nice to know, they are not that helpful as you do not yet know which sites and log ins share the same password or use a weak password.</p><p>That information is displayed when you scroll down to the Analyzed Sites listing. Last Pass&#8217; Security Challenge lists all sites with duplicate passwords, unique passwords and no passwords in list form on that page.</p><p>You see at first glance which sites share a password. Even better, the password strength is shown on the very same page ranging from 0% (very bad) to 100% (very strong).</p><p>A visit site link is provided next to each entry which makes it even more comfortable to visit those sites and change the passwords.</p><p>It may take a while to go through all duplicate or weak password sites that are shown, but it is well worth it. Chances are, you will find duplicate site listings as well, which is for instance the case if a service uses the same log in on more than one domain, or if you use it to access a site by domain name and IP address.</p><p>You can run the test again at any time, and the score gets automatically updated. Last Pass displays test history information where you can see how the score improves or drops based on your changes.</p><p><img
src="http://www.ghacks.net/wp-content/uploads/2011/04/password-history-570x273.png" alt="password history" title="password history" width="570" height="273" class="alignnone size-medium wp-image-44531" /></p><p>A low score does not necessarily mean that you do not care about your account security. I for one use the very same username, email, password combination on many sites that force me to register to check out their service. These accounts are in no way linked to me and it would not be problematic if they got hacked. More or less like a private Bug Me Not password if you like.</p><p>Tips on how to improve the overall security score are displayed at the very bottom of the page.</p><p>Last Pass users who want to run the test can do it on the <a
href="https://lastpass.com/index.php?securitychallenge=1&#038;fromwebsite=1&#038;lpnorefresh=1#howimprove">Last Pass website</a>. They need to be logged into their Last Pass account for that. (via <a
href="http://stadt-bremerhaven.de/lastpass-qualitatstest-fur-passworter">Caschy</a>)</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2011/04/29/lastpass-security-challenge-test-your-last-pass-passwords/feed/</wfw:commentRss> <slash:comments>7</slash:comments> </item> <item><title>LastPass Fixes XSS Vulnerability, Improves Security</title><link>http://www.ghacks.net/2011/02/28/lastpass-fixes-xss-vulnerability-improves-security/</link> <comments>http://www.ghacks.net/2011/02/28/lastpass-fixes-xss-vulnerability-improves-security/#comments</comments> <pubDate>Mon, 28 Feb 2011 12:35:54 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Security]]></category> <category><![CDATA[The Web]]></category> <category><![CDATA[cross site scripting]]></category> <category><![CDATA[lastpass]]></category> <category><![CDATA[password manager]]></category> <category><![CDATA[security vulnerability]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=40408</guid> <description><![CDATA[Ghacks regulars know that I&#8217;m a big supporter of the free cloud based password manager LastPass. The program is available for popular web browsers and mobile devices, and offers many comfortable password and login related features. This includes online password management, one-click log ins, user profiles to fill out forms faster, a secure password generator [...]]]></description> <content:encoded><![CDATA[<p>Ghacks regulars know that I&#8217;m a big supporter of the free cloud based password manager LastPass. The program is available for popular web browsers and mobile devices, and offers many comfortable password and login related features. This includes online password management, one-click log ins, user profiles to fill out forms faster, a secure password generator and more.</p><p>A cross site scripting vulnerability was recently discovered by a security researcher on the LastPass.com website. The potential to exploit the vulnerability was limited, as it required a specifically prepared website and a user who was logged into LastPass.</p><p>The developers stated on the official LastPass blog that the logs did not indicate that the vulnerability was successfully exploited, other than by the security researcher who discovered it.</p><p>The vulnerability has been fixed and, as a consequence, security has been improved on the Last Pass website. 
The developers list four areas of improvements:</p><ul><li>Implementation of HSTS which basically forces supported web browsers (Chrome and Firefox 4 currently) to stay &#8220;on secure SSL web requests for the lastpass.com domain.&#8221;</li><li>Increased input filtering and stateful inspection</li><li>Implementation of X-Frame-Options which makes it impossible to embed Last Pass pages via iframes or frames.</li><li>Implementation of &#8220;something very similar to Content Security Policy&#8221; which allows the LastPass admins to specify how content interacts on their website.</li></ul><p>The LastPass blog <a
href="http://blog.lastpass.com/2011/02/cross-site-scripting-vulnerability.html">offers</a> links to several of the concepts and technologies that have been added or implemented as a reaction to the discovered vulnerability.</p><p>LastPass users who would like to take a look at the original article can do so <a
href="https://grepular.com/LastPass_Vulnerability_Exposes_Account_Details">here</a>. It details the security researcher&#8217;s methodology and is a good read for security-minded computer users.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2011/02/28/lastpass-fixes-xss-vulnerability-improves-security/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>LastPass Buys XMarks, Introduces Premium Accounts</title><link>http://www.ghacks.net/2010/12/03/lastpass-buys-xmarks-introduces-premium-accounts/</link> <comments>http://www.ghacks.net/2010/12/03/lastpass-buys-xmarks-introduces-premium-accounts/#comments</comments> <pubDate>Fri, 03 Dec 2010 07:38:33 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[The Web]]></category> <category><![CDATA[bookmarking]]></category> <category><![CDATA[lastpass]]></category> <category><![CDATA[password management]]></category> <category><![CDATA[xmarks]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=37545</guid> <description><![CDATA[LastPass&#8217;s business model seems to be solid. The makers of the popular cross-browser password management application provide users with a free password manager, and those that need extras with a premium account for $12 a year. Premium users get support for mobile devices such as the iPhone, Blackberry or Android based mobiles, multifactor authentication, Yubikey [...]]]></description> <content:encoded><![CDATA[<p>LastPass&#8217;s business model seems to be solid. The makers of the popular cross-browser password management application provide users with a free password manager, and those that need extras with a premium account for $12 a year. Premium users get support for mobile devices such as the iPhone, Blackberry or Android based mobiles, multifactor authentication, Yubikey support and priority support.</p><p>A new post on the Xmarks blog has now revealed that LastPass was the company that bought the popular bookmarking service which was said to shut down in January 2011. The good news is that Xmarks has been saved and that everything remains the same.</p><p>Xmarks Premium has been introduced and it appears to use a business model very similar to the one that LastPass uses successfully. Xmarks Premium users get additional features like Android and iPhone apps, priority support and more for $12 a year. Or, they can pay $20 if they are LastPass users as well to get both premium services for a discount.</p><p>Good news for Opera users as Xmarks has listed integration with the popular web browser as one of their priorities in their roadmap. So, development continues and it is possible that the two services get integrated into one eventually. (via <a
href="http://blog.xmarks.com/?p=2033">Xmarks</a>, <a
href="http://blog.lastpass.com/2010/12/lastpass-acquires-xmarks.html">LastPass</a>).</p><p>All in all an excellent acquisition that &#8211; for once &#8211; does not change a thing for current users of the service.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2010/12/03/lastpass-buys-xmarks-introduces-premium-accounts/feed/</wfw:commentRss> <slash:comments>1</slash:comments> </item> <item><title>LastPass Extension For Opera Released</title><link>http://www.ghacks.net/2010/11/24/lastpass-extension-for-opera-released/</link> <comments>http://www.ghacks.net/2010/11/24/lastpass-extension-for-opera-released/#comments</comments> <pubDate>Wed, 24 Nov 2010 17:31:53 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Browsing]]></category> <category><![CDATA[Opera]]></category> <category><![CDATA[lastpass]]></category> <category><![CDATA[lastpass extension]]></category> <category><![CDATA[opera extensions]]></category> <category><![CDATA[password manager]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=37249</guid> <description><![CDATA[LastPass has just been published as an Opera extension. That&#8217;s big news for the Opera browser, considering that LastPass is one of the most popular password managers out there. And on a personal note, it brings me one step closer to switching to Opera as my main web browser. Extensions have been integrated in Opera [...]]]></description> <content:encoded><![CDATA[<p>LastPass has just been published as an Opera extension. That&#8217;s big news for the Opera browser, considering that LastPass is one of the most popular password managers out there. And on a personal note, it brings me one step closer to switching to Opera as my main web browser.</p><p>Extensions have been integrated in <a
href="http://www.ghacks.net/2010/11/23/opera-11-beta-available-download-it-now/">Opera 11</a>, which is currently available as a beta version. Users who have a version of Opera 11 installed can <a
href="https://addons.opera.com/addons/extensions/details/lastpass/">head over</a> to the Opera Extensions site to install LastPass in Opera.</p><p>LastPass offers free online password management and form filling, among other features. The extension adds an icon to the Opera address bar after installation. The icon is black if the user is currently not logged in, and turns red once the connection to LastPass has been established.</p><p><img
src="http://www.ghacks.net/wp-content/uploads/2010/11/last-pass-opera.jpg" alt="last pass opera" title="last pass opera" width="513" height="511" class="alignnone size-full wp-image-37250" /></p><p>Users can opt to save the login email and password to make it easier to log into the service in future sessions. Existing LastPass users have automatic access to all their stored passwords and information, so that login information, notes and other data stored using LastPass in other web browsers become available.</p><p>LastPass for Opera fills out the login information automatically, leaving the user with nothing else to do than to click on the login button.</p><p>A notification is displayed if there is more than one login for a website available. This function is similar to LastPass notifications in other supported browsers. Users can select auto login, autofill or to block the password manager from filling out information for the current site. Each identity can be selected for auto login or auto fill.</p><p><img
src="http://www.ghacks.net/wp-content/uploads/2010/11/lastpass-550x392.jpg" alt="lastpass" title="lastpass" width="550" height="392" class="alignnone size-medium wp-image-37251" /></p><p>A click on the icon after log in displays a menu with several interesting options. It offers to log off the current user, open the LastPass Vault, display the recently used sites, all sites, secure notes, preferences and the login information stored for the site loaded in the active tab.</p><p><img
src="http://www.ghacks.net/wp-content/uploads/2010/11/lastpass-options.jpg" alt="lastpass options" title="lastpass options" width="469" height="494" class="alignnone size-full wp-image-37252" /></p><p>Best thing is, everything is handled directly in the menu with options to navigate back and forth in it.</p><p>The preferences are very extensive. It is possible to force LastPass to log off automatically when the browser is closed, configure notifications and hotkeys, as well as advanced options.</p><blockquote><p>Generate Secure Password: Alt-G<br
/> Recheck Page: Alt+I<br
/> Site Search: Alt-W<br
/> Fill In Next Login (When Multiple):Alt-Page Up<br
/> Fill In Previous Login (When Multiple): Alt-Page Down<br
/> Submit Form<br
/> Open My LastPass Vault:Ctrl-Alt-H<br
/> Save All Entered Data<br
/> Logoff<br
/> Fill In Default Form Fill Profile</p></blockquote><p>Available tools include generating a secure password which is handy during registrations on websites, export options and adding secure notes that are stored alongside the passwords in the encrypted vault.</p><p>The hotkey to generate a secure password did not work when I tried it. Everything else appears to be working just fine.</p><blockquote><p>LastPass is a free password manager and form filler.</p><p>LastPass is a free online password manager and Form Filler that makes your web browsing easier and more secure.</p><p>You can import from most major password storage vendors (such as RoboForm, 1Password, KeePass, Password Safe, MyPasswordSafe, Sxipper, TurboPasswords, and Passpack) and export too.</p><p>LastPass captures passwords that other managers won&#8217;t including many AJAX forms, and allows you to make strong passwords easily. If you&#8217;re having issues saving a site please watch our screencast on complex logins: http://lastpass.com/video.php?&#038;feature=saveall#media</p><p>Your sensitive data is encrypted _locally_ before upload so even LastPass cannot get access to it. Please see https://lastpass.com/technology.php for more details on our Host Proof Hosting methods that make this safer than you thought possible.</p><p>One Time Passwords, Screen Keyboard, and Grid multi-factor help protect your account.</p></blockquote><p>LastPass for Opera does a lot of things right. The developers need to work out the non-working hotkeys, as it is much easier to display the password generator with a hotkey than having to select it from the tools menu.</p><p>Still, LastPass is an excellent password manager for the Opera web browser. Especially the ability to access all features with a click on the toolbar button comes in very handy. Did you try the extension already? What&#8217;s your take on it? 
(thanks SA1 for the tip)</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2010/11/24/lastpass-extension-for-opera-released/feed/</wfw:commentRss> <slash:comments>7</slash:comments> </item> <item><title>Two Things that Keep Me From Switching to Opera</title><link>http://www.ghacks.net/2009/12/23/two-things-that-keep-me-from-switching-to-opera/</link> <comments>http://www.ghacks.net/2009/12/23/two-things-that-keep-me-from-switching-to-opera/#comments</comments> <pubDate>Wed, 23 Dec 2009 10:38:08 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Browsing]]></category> <category><![CDATA[Opera]]></category> <category><![CDATA[Firefox]]></category> <category><![CDATA[lastpass]]></category> <category><![CDATA[noscript]]></category> <category><![CDATA[opera browser]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=21749</guid> <description><![CDATA[The recent preview of Opera 10.50 has shown that the Opera development team is dedicated and willing to improve their web browser even if it does not get the attention that it deserves. That speed increase coupled with other interesting features and options like Opera Turbo or Opera Unite make Opera a very attractive web [...]]]></description> <content:encoded><![CDATA[<p>The recent preview of Opera 10.50 has shown that the Opera development team is dedicated and willing to improve their web browser even if it does not get the attention that it deserves. That speed increase coupled with other interesting features and options like Opera Turbo or Opera Unite make Opera a very attractive web browser which should help increase the browser&#8217;s share of the browser market if the word gets out to the mass market.</p><p>There are two things that are keeping me personally from switching to Opera. I would like to outline those two below with the hope that these features get added eventually to the web browser:</p><p><span
id="more-21749"></span><strong>1. Password Manager</strong></p><p>Like every web browser, Opera has a built-in password manager. What it does not have is support for the excellent Last Pass service that has been ported to many web browsers. Last Pass is a password management service that makes it much easier to create and maintain accounts. Some of its features are a password generator, form profiles, online access to passwords and auto-login to websites.</p><p>Last Pass is currently supporting various web browsers including Firefox and Google Chrome. The only option to use it in Opera is the Last Pass bookmarklet which provides limited functionality as it only provides login or form filling support but not other features like generating passwords.</p><p>The developers of Last Pass state that they would love to create a version of their service for the Opera web browser. The nature of the web browser, in particular the missing or limited browser SDK, makes it impossible at this point.</p><p>The built-in password managers are no alternative at this point and the bookmarklet is not either. Opera Link provides data syncing but it is limited to Opera only. The benefit of Last Pass is that the stored passwords can be used with any web browser that is supported by Last Pass.</p><p><strong>2. NoScript-like functionality</strong></p><p>The second feature that I do not want to miss anymore is provided by the NoScript Firefox add-on which turns off all scripts on any website by default. That&#8217;s a security precaution as scripts are usually used to attack computers.</p><p>Opera has a feature to disable some scripts globally and per website. The problem here is that this would require lots of manual work. The only viable option would be to disable scripts globally and enable them on a per site basis.</p><p>NoScript on the other hand offers a finer handling. 
Opera&#8217;s per site settings enable JavaScript, plugins, Flash or Java for the whole site and all scripts of that type that are executed on the website. NoScript can be used to enable a specific script (e.g. JavaScript) but block all other JavaScripts on a website.</p><p><strong>Conclusion</strong></p><p>I&#8217;d really like to switch. I might be able to either get used to the bookmarklet (with additional help of tools to generate secure passwords) or switch to Opera&#8217;s built-in password manager. It would be possible to sync the passwords across all Opera browsers but other web browsers would not be able to use those passwords then.</p><p>NoScript on the other hand is the real culprit. It does not look as if there will be an option in the near future that comes close to the functionality of NoScript.</p><p>I&#8217;m currently trading speed and reliability for support of these two extensions.</p><p>Are you thinking of switching to Opera as well? Or have you already switched? What&#8217;s keeping you or why did you make the move?</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2009/12/23/two-things-that-keep-me-from-switching-to-opera/feed/</wfw:commentRss> <slash:comments>52</slash:comments> </item> <item><title>LastPass For Google Chrome Arrives</title><link>http://www.ghacks.net/2009/10/01/lastpass-for-google-chrome-arrives/</link> <comments>http://www.ghacks.net/2009/10/01/lastpass-for-google-chrome-arrives/#comments</comments> <pubDate>Thu, 01 Oct 2009 08:12:25 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Browsing]]></category> <category><![CDATA[Google Chrome]]></category> <category><![CDATA[google browser]]></category> <category><![CDATA[google chrome]]></category> <category><![CDATA[google chrome lastpass]]></category> <category><![CDATA[lastpass]]></category> <category><![CDATA[password manager]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=16836</guid> <description><![CDATA[There are two Firefox extensions that I do not want to live without: NoScript and LastPass. I&#8217;d think about switching to another web browser if that web browser would support these two extensions. This option has come a step closer with the announcement that LastPass has developed an extension for the Google Chrome web browser. [...]]]></description> <content:encoded><![CDATA[<p>There are two Firefox extensions that I do not want to live without: NoScript and LastPass. I&#8217;d think about switching to another web browser if that web browser would support these two extensions. This option has come a step closer with the announcement that LastPass has developed an extension for the Google Chrome web browser. LastPass is an excellent password manager and form filler that comes with an incredible feature set that includes one click logins to websites, a secure password generator, form profiles that make it easier to fill out web forms and possibilities to access and use the password manager on other computer systems as long as the master password is available.</p><p><span
id="more-16836"></span><img
src="http://www.ghacks.net/wp-content/uploads/2009/10/lastpass-500x346.jpg" alt="lastpass" title="lastpass" width="500" height="346" class="alignnone size-medium wp-image-16837" /></p><p>The developers of the password manager LastPass have now created a first version of LastPass for Google Chrome dev builds. Chrome users who want to install and use the password manager need to do the following (taken from Lee&#8217;s explanation over at the <a
href="http://downloadsquad.switched.com/2009/09/30/lastpass-extension-for-google-chrome-now-available-and-it-rocks/">Download Squad</a>):</p><ul><li>Install a Google Chrome dev build. Skip this step if you already have one installed.</li><li>Install the LastPass extension by opening https://lastpass.com/lpchrome.crx in the Google browser.</li><li>If Chrome refuses to allow you to install it (it tries to save in a loop) go to Wrench -> Options and disable choosing where to download files (this will be fixed in next dev build).</li><li>Finally, it is recommended that you disable the built-in password manager by clicking on the Options (under the customize and control &#8216;wrench&#8217; button). Then choose the &#8216;Personal Stuff&#8217; tab and select &#8216;Never save passwords&#8217; and &#8216;Never save text from forms&#8217;.</li></ul><p>The Windows version of the LastPass extension seems to be very solid right now while Linux and Mac users report problems with the extension. This will be addressed in the next version of the extension according to the developers.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2009/10/01/lastpass-for-google-chrome-arrives/feed/</wfw:commentRss> <slash:comments>2</slash:comments> </item> <item><title>LastPass Now Compatible With All Browsers</title><link>http://www.ghacks.net/2009/01/21/lastpass-now-compatible-with-all-browsers/</link> <comments>http://www.ghacks.net/2009/01/21/lastpass-now-compatible-with-all-browsers/#comments</comments> <pubDate>Wed, 21 Jan 2009 09:48:52 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Browsing]]></category> <category><![CDATA[Security]]></category> <category><![CDATA[auto login]]></category> <category><![CDATA[form filler]]></category> <category><![CDATA[lastpass]]></category> <category><![CDATA[lastpass bookmarklet]]></category> <category><![CDATA[password management]]></category> <category><![CDATA[password management software]]></category> 
<category><![CDATA[password manager]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=10033</guid> <description><![CDATA[Remember LastPass? We reviewed the password manager and form filler back in September and came to the conclusion that it was one of the best password management software programs out there. To be more precise, LastPass is an excellent unobtrusive password manager for Firefox and Internet Explorer. It provides a secure environment for the passwords [...]]]></description> <content:encoded><![CDATA[<p>Remember <a
href="https://lastpass.com/">LastPass</a>? We reviewed the password manager and form filler back in September and came to the conclusion that it was one of the best <a
href="http://www.ghacks.net/2008/09/29/one-password-management-software-to-rule-them-all/">password management software</a> programs out there. To be more precise, LastPass is an excellent unobtrusive password manager for Firefox and Internet Explorer. It provides a secure environment for the passwords and integrates nicely into the web browser. One of the coolest features of LastPass is the ability to log into their website and manage the passwords there. This is excellent when accessing the Internet from a computer that does not have the Firefox or Internet Explorer plugin installed. And yes, there is also a mobile version of the service.</p><p>The <a
href="http://blog.lastpass.com/2009/01/opera-google-chrome-safari-iphone-opera.html">LastPass</a> team has been hard at work making their password management software compatible with additional browsers and devices. The first step is a set of bookmarklets that they have created. These bookmarklets can be used in browsers like Opera, Google Chrome, Safari and even the iPhone to make use of the stored passwords and form information of LastPass. All that needs to be done on the user&#8217;s part is to log into the LastPass website and drag the bookmarklets into the web browser.</p><p>Three bookmarklets are available: Login, Fill and Fill Form. Login will try to automatically log the user into the website that he is currently on. Fill will only fill in the information stored at LastPass, while Fill Form will fill out forms automatically. The website contains instructions for a few web browsers; make sure you read them thoroughly.</p><p><span
id="more-10033"></span>One could say that those bookmarklets could be a security risk. Imagine someone else accessing the computer where the bookmarklets are installed. That user could practically log into all websites that are stored at LastPass. The team has created a bookmarklet reset for exactly that purpose. This will reset the bookmarklets, rendering all bookmarklets that have been created up to this point useless.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2009/01/21/lastpass-now-compatible-with-all-browsers/feed/</wfw:commentRss> <slash:comments>3</slash:comments> </item> </channel> </rss>
