Frequency of changing master password ?

[meddyg]

I use LastPass and haven't changed master since inception of paid account ~ 2 years back.

Their web site doesn't suggest frequent changes.

As a lowly GP in NHS land we were required to change desktop passw monthly.
I am working my way through shoddy password to improve on line score for LastPass masters!

[ian]

Does a password get easier to guess over time?

I think not. The only reason to change them periodically is if you expect the password to be leaked or otherwise liberated into the wild of little nefarious webmonkeys, I suppose.

[Auntie Helen]

I changed my LastPass master password after the hack 3+ years ago but I don’t think in retrospect it was necessary and the original was probably more secure. If you don’t use it anywhere else, why should it be changed?

[grams]

LastPass users should be changing their password manager, not just their password. It was hacked again recently and some of the security practices it revealed were appalling.

[philip]

The LastPass breach involved users' encrypted data being stolen; the question then is if the encryption is strong enough to resist cracking. This depends on the password being strong and the algorithm being strong, and it turns out that sometimes LastPass used an algorithm that was not strong: it had too few iterations. The number of iterations can be configured in your LastPass account settings, and should be set to a high value. If your account has a low value you should change it. What you really want to know is whether your account had a low value when the encrypted data was stolen, if it did then an attacker could devote resources to cracking the encryption which would reveal your master password and all your encrypted passwords.

https://palant.info/2022/12/28/lastpass-breach-the-significance-of-these-password-iterations
https://support.lastpass.com/help/how-do-i-change-my-password-iterations-for-lastpass

[drossall]

I'm aware of an incident that appears to have been caused by the LastPass breach. It's caused huge disruption. If I had been using LastPass, I'd be changing every password in the database, as well as my password manager. Which is exactly what's happening as a result of the incident. Your vulnerability does seem to depend on the strength of your master password, your settings, and how long you've been using LastPass.

[Auntie Helen]

Ok, looks like it might be time to switch password manager and change my passwords.

What does the hive mind recommend?

I use with 3 iOS devices and a MacBook.

[Sergeant Pluck]

I left Lastpass and switched to 1Password. I find it much easier to use.

[Lightning Phil]

I use KeePass

[drossall]

+1. Not a cloud system, so I have to copy the database to any device where I may need it, but not vulnerable to the cloud system being hacked...

Reviews do however say that the interface is not the easiest. I hadn't noticed

[psyclist]

This thread has prompted me to check how vulnerable my choice is, msecure. Found the following article that may assist some in choosing their solution:

https://password-managers.bestreviews.net/faq/which-password-managers-have-been-hacked/

msecure doesn't feature in the review, and I couldn't find details of any hacks, but I suspect that might be because I've not been able to search deeply enough.

[Auntie Helen]

That review seems to show they are all vulnerable and have been hacked

[Sergeant Pluck]

When I looked for a replacement for Lastpass, Google seemed to show that all of them have potential security weaknesses, including msecure.

[quixoticgeek]

I use LastPass and haven't changed master since inception of paid account ~ 2 years back.

Their web site doesn't suggest frequent changes.

As a lowly GP in NHS land we were required to change desktop passw monthly.
I am working my way through shoddy password to improve on line score for LastPass masters!

As stated elsewhere, change your password manager (and your password). Lastpass have proven themselves to be utterly untrustable.

bitwarden seems to be a popular alternative. Or 1password.

As for changing password every x period of time. This drives me utterly nuts. It's proven that if you do this, it actually makes the password weaker, not stronger. People will use EasyToTypePassword8 where the 8 is the number of periods since they started at the job, it's better to set passwords to be longer, but easier to remember and type. (Obligatory xkcd https://m.xkcd.com/936/)

My passphases tend to be about 40-50 characters long, but because they are made up of actual words, they are pretty easy to type. And type them I do a lot. Some machines at work require me to type four passphrases to access them, which I often do many times each day.

J

[grams]

That review seems to show they are all vulnerable and have been hacked

The “hacks” are of wildly differing degrees. A lot of them are hypotheticals and would require access to your personal computer to exploit. LastPass’s servers were actually hacked and the contents of users’ vaults found to be stored in ways that made them trivial to decrypt.

It’s the difference between locking your bike outside with a Poundland lock and sleeping with it by your bed.

[quixoticgeek]

That review seems to show they are all vulnerable and have been hacked

The “hacks” are of wildly differing degrees. A lot of them are hypotheticals and would require access to your personal computer to exploit. LastPass’s servers were actually hacked and the contents of users’ vaults found to be stored in ways that made them trivial to decrypt.

It’s the difference between locking your bike outside with a Poundland lock and sleeping with it by your bed.

Ultimately they all are vulnerable to beating the crap out of you until you give up the password: (Obligatory xkcd https://m.xkcd.com/538/)

Unless they start having duress codes as a feature, that's not gonna stop any time soon.

Personally I don't trust anything in the cloud, but that's cos I'm more paranoid than most, and it may not be a totally rational view.

If you're that worried, write the passwords down on paper (make sure the surface beneath the paper won't give up your password), and store that paper in your safe at home. You do have a safe right?

J

[grams]

I know you love referencing that XKCD, but it’s completely irrelevant to the way most people get their accounts hacked in the modern world, which is in bulk, via leaky poorly secured online services.

Which is exactly what happened with Lastpass itself. It’s not paranoia when it actually happened.

[quixoticgeek]

I know you love referencing that XKCD, but it’s completely irrelevant to the way most people get their accounts hacked in the modern world, which is in bulk, via leaky poorly secured online services.

Which is exactly what happened with Lastpass itself. It’s not paranoia when it actually happened.

True. Hence my not trusting the cloud. One of the reasons keepass can be quite good. Sure you have to move the password vault between devices manually, but it avoids the cloud vulnerability thing.

J

[Lightning Phil]

QG mentioned something that others may not have picked up. She used pass phrase rather than password.   For your master you want something that is a bit longer than your average single word password.  A phrase you’ve made up and can remember is excellent for this, and won’t appear in any prebuilt lookup tables used by hackers.

[drossall]

It’s the difference between locking your bike outside with a Poundland lock and sleeping with it by your bed.

No, it's the difference between your mate's bike being nicked, when he left it outside, insufficiently locked, and being warned that it's possible, but difficult, to break into your well-built garage and get the bike that you have secured to a ground anchor.

[quixoticgeek]

QG mentioned something that others may not have picked up. She used pass phrase rather than password.   For your master you want something that is a bit longer than your average single word password.  A phrase you’ve made up and can remember is excellent for this, and won’t appear in any prebuilt lookup tables used by hackers.

Yes and no. I did use passphrase intentionally as I think it's a better idea to use a phrase that's easy to remember cos that will be longer, and harder to crack. But any system worth it's salt shouldn't be vulnerable to prebuilt rainbow tables.

How it works explanation for those who aren't cryptography geeks:

(click to show/hide)

A well designed system does not store your password in plain text. It should be stored as what is called a hash. A hash is a one way function that is easy to computer in one direction, but as near to impossible as it's possible to be in the opposite direction. Alas storing a simple hash of the password allows for the precomputing of a list of all possible passwords and their hash (a rainbow table). To get round this systems use something called a salt. A Salt is a specific bit of data added to the password before the hash is computed. It's unique to each user, and thus makes rainbow tables impossible. Even if you get the hash of a password, you have to calculate the hash of every guess+salt you want to make. If you have 8 character password that can be made from 52 letters, 10 numbers and 34 symbols, the possible combination of passwords is 576480100000000. At a few million attempts per second this doesn't take very long to crack, conversely a 40 character password that is all lower case has 397131118389635979724231725267829060055596279248722067456 possibilities. That's a lot more expensive to crack.

If your password manager is using an unsalted hash for your passphrase, you really really really need to choose something else.

J

[Lightning Phil]

Depends on the value they see in a password manager.  If they assume the password manager database has your banking credentials and / or email credentials they may just decide to brute force it since they know the salt.  If your password is 8 characters or less, they will crack your password in at most 48 minutes or so, with a rack of 8 of the latest Geoforce graphics cards. They then start emptying your bank account or just doing password resets via your email; if your bank hasn’t moved on from just password authentication. They might consider that worth while.

https://gist.github.com/Chick3nman/32e662a5bb63bc4f51b847bb422222fd

[quixoticgeek]

Depends on the value they see in a password manager.  If they assume the password manager database has your banking credentials and / or email credentials they may just decide to brute force it since they know the salt.  If your password is 8 characters or less, they will crack your password in at most 48 minutes or so, with a rack of 8 of the latest Geoforce graphics cards. They then start emptying your bank account or just doing password resets via your email; if your bank hasn’t moved on from just password authentication. They might consider that worth while.

https://gist.github.com/Chick3nman/32e662a5bb63bc4f51b847bb422222fd

Yep, that basically agrees with what I was saying.

It's interesting how the various speeds of different algorithms go. bcrypt/sha512 has 1974 H/s based on those numbers. Lastpass's seems to be 17066.6 kH/s which is still not especially high. 164.1 GH/s for plain md5sum which unix used for years before they added the salt is verging on instant...

But this of course requires that the cracker has the (salted)hash of the password. If they have to brute force attempts, I'd hope a good designed system would block things after a few tries...

J

[Jaded]

I read somewhere that a character can be '.'

So a 20 character password can be

e5.................T

And this is just as hard to crack as

e5KryuHTeBp4CA9si7uT

[quixoticgeek]

I read somewhere that a character can be '.'

So a 20 character password can be

e5.................T

And this is just as hard to crack as

e5KryuHTeBp4CA9si7uT

Yes. But it's harder to type cos did you type 20 . Or 19? Or 21? Where as "this is a really long password made up of words " is a lot easier to type accurately, and harder to crack.

J