You are here: Home / Misc. Tips & Tricks / LastPass Security Features

LastPass Security Features

May 19, 2011 By Leave a Comment

In a recent article, I wrote all about the awesome online password manager service called LastPass. I tried very hard to persuade you to start using LastPass as your password manager. Well, if after reading that post you still have your doubts about it, I will go over a couple more extra security features offered from LastPass in hopes to win you over once and for all. Now I know what you’re all probably thinking. Having a password manager to manage all of our passwords is a pretty daunting task. We are putting all of our eggs in one basket. If our master password for LastPass is stolen, all of our passwords are then compromised as well. Suffice to say it, the LastPass crew is not stupid. They understand this problem. Therefore, they have introduced many security features that even a free member can utilize to further protect their password database. What I absolutely love about LastPass is that they take security very seriously. Why else would they give these security features to free members? They could easily just have required a user to be a premium member in order to take advantage of any of these security features I’m going to write about here. But no. They didn’t go that route. They understand and believe that security comes first and foremost as it’s in every person’s mind. By allowing free members of LastPass to utilize advance features, they gained my respect and I’m sure a lot of other users as well.

Grid Multifactor Authentication

This feature is what I believe to be the most beloved. Grid Multifactor Authentication (GMA), as the name implies and once enabled, will have LastPass require an additional piece of login information prior to giving you (or a stranger)  access to your password vault. Without GMA enabled, you only needed to supply your email and master password to LastPass before access was granted. This is the bare minimum. However, you need to remember that your master password is nothing special where your computer is regarded. When you input your master password to be sent for LastPass, your computer still views it as simple keystrokes entered on your keyboard. Chatting with your friends on Facebook is no different than when you are typing in your password. Your computer views it as just letters (or numbers if you know what I’m talking about). So what’s the problem? Keyloggers. They are one of my most hated malware type in existent. Once silently installed, they start to capture all keystrokes entered to a simple log file. This log file contains every keystroke you have entered and yes, that means your master password gets captured as well. Obviously the log file will then get sent back to the attacker and he/she now have ownership of all your passwords. With GMA enabled, it doesn’t matter if your master password is stolen. Let me repeat that. It doesn’t matter.

In addition to supplying your username and master password, LastPass will now require you to type in another piece of information that theoretically only you should have in physical possession form. If you can’t supply this piece of information, you’re locked out. It doesn’t matter if you are the bad buy or the actual owner of your database. Here is an example of how the LastPass grid should look like:

When you log in to LastPass, you’ll be asked for the specific value corresponding to 4 random coordinate locations on the grid. For example, the value in coordinate location G7 would be the letter “j”. The value for S6 would be “m”.  This is what you would supply to LastPass. As you can figure out, this physical grid you print out and hold in your wallet until needed. If your master password is stolen, the chances of the attacker also having possession of this grid card is very slim to impossible.

To activate GMA for your LastPass account, head over to your LastPass account settings and select the Security tab. Prior to actually enabling GMA, you’ll want to print or save a copy of your customized grid first! You don’t want to be locked out of your own account. You can either print the grid like the one shown above or save it as a CSV file which you can open with Microsoft Excel. Once you have the grid in possession, you can then enable GMA.

Once enabled, from then on, LastPass will throw you 4 random coordinate locations from this grid and you better be able to supply the information if you want to access your data! If you somehow have managed to get this grid stolen or if you simply have lost your wallet, you can easily just reset your grid and print out the new one. Your old grid would be useless to anyone who have it in possession.

I will admit that I do not like how LastPass will easily allow you or someone else to disable grid authentication if they have lost their grid by simply sending them an email and clicking on a link. I understand that there will be a lot of bickering from users if there was no way to disable GMA if the user somehow “lost” their grid card. However, they need to make it a lot harder for the legitimate user to disable the feature. As of right now, the entire GMA system relies on the password strength of the user’s email account. Of course, accessing a user’s email account can also be difficult if not at times impossible for a stranger but again, I feel that they should toughen the procedure process a bit.

Page 2: One Time Passwords and Virtual Keyboards –>


VN:F [1.9.13_1145]
Rating: 0.0/5 (0 votes cast)
WP Greet Box icon
X
If you enjoyed reading this article, you might want to subscribe to my RSS feed for updates on this topic.

Pages: 1 2

Filed Under: Misc. Tips & Tricks, Security Tagged With: ,


Shortlink:

Speak Your Mind

*


(humans only, please)

View in: Mobile | Standard