A Guide to Basic Password Security: The Danger of LastPass

A key element of good internet security is using a strong password for every site and never reusing one. If you reuse passwords, it takes only one site being compromised for the attacker to gain access to every other site where you used the same password. Creating long, unique passwords for every account becomes overwhelming quickly, so I suggest using a password manager that stores all of your passwords and login details for you.

A lot of people on the internet have been suggesting LastPass as a way to securely store long alphanumeric passwords that are unique to each site they have an account with. Proponents of LastPass argue that all data is encrypted client side, so LastPass itself never has access to your passwords, but since the client is not open source there is no way for the public to confirm that.


The Lavabit case made it clear that the US government uses sealed court orders to compel US-based companies to hand over private keys or otherwise backdoor their otherwise secure systems, and issues gag orders at the same time so the company cannot disclose the demand to the public. Since LastPass is a US-based company, this is a real possibility, and I strongly suggest not using them. You are essentially putting all of your eggs (usernames and passwords) in one basket that is easily accessible to the US government and its allies.

"As a cryptography and computer security expert, I have never understood the current fuss about the open source software movement. In the cryptography world, we consider open source necessary for good security; we have for decades. Public security is always more secure than proprietary security. It's true for cryptographic algorithms, security protocols, and security source code. For us, open source isn't just a business model; it's smart engineering practice." -- Bruce Schneier, Crypto-Gram, September 15, 1999

People who truly value their security and privacy should use KeePassX instead. It fills the same role as LastPass, but it is open source, so the community can inspect the code for backdoors, and it keeps your password database in a locally stored encrypted file rather than on a vendor's servers. Conveniently, KeePassX is included in the Tails live Linux operating system, a privacy-focused OS designed to leave no trace on any computer you use it on.


Last but not least, you should be using two-factor authentication on every site that offers it. If you use the Google Authenticator or Authy smartphone apps for this, save a copy of the QR code shown when you first set up 2FA for an account: it encodes the shared secret the app uses to generate codes, so it lets you re-enroll a new phone if you lose the old one. Keep those QR codes somewhere safe, because anyone who has that secret can generate valid codes and bypass your 2FA just as well as your phone can.
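To show concretely what the QR code contains and why a copy of it is both a working backup and a liability, here is an added example (not code from the original post, nor from Google Authenticator or Authy) that decodes an otpauth:// URI, the text those QR codes encode, and computes RFC 6238 TOTP codes from the secret inside it. The function names, the `Example:alice@example.com` label, and the enrollment URI are assumptions constructed for illustration; the secret is the RFC 6238 test key so the output can be checked against the RFC's published table.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse


def parse_otpauth(uri: str) -> dict:
    """Decode an otpauth:// URI, the text an authenticator QR code encodes.

    Returns the raw secret bytes plus the parameters the app uses.
    """
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("only otpauth://totp/ URIs are handled here")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    # Secrets are base32; many apps omit the '=' padding, so restore it.
    b32 = params["secret"].strip().upper().replace(" ", "")
    b32 += "=" * (-len(b32) % 8)
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "issuer": params.get("issuer", ""),
        "secret": base64.b32decode(b32),
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
        "algorithm": params.get("algorithm", "SHA1").lower(),
    }


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: dynamically truncated HMAC over the 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, timestamp: int, digits: int = 6, period: int = 30,
         algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, timestamp // period, digits, algorithm)


def verify_totp(code: str, secret: bytes, timestamp: int, digits: int = 6,
                period: int = 30, algorithm: str = "sha1", window: int = 1) -> bool:
    """Server-side check: accept the current step and +/- `window` steps of clock drift."""
    step = timestamp // period
    return any(
        hmac.compare_digest(hotp(secret, step + d, digits, algorithm), code)
        for d in range(-window, window + 1)
    )


def codes_from_qr(uri: str, timestamp: int) -> str:
    """What anyone holding the QR code can do: produce the currently valid code."""
    p = parse_otpauth(uri)
    return totp(p["secret"], timestamp, p["digits"], p["period"], p["algorithm"])


# Constructed example enrollment (hypothetical account, not a real one).
# The secret is the RFC 6238 test key, so codes match the RFC's table.
EXAMPLE_SECRET = b"12345678901234567890"
EXAMPLE_URI = (
    "otpauth://totp/Example:alice%40example.com?secret="
    + base64.b32encode(EXAMPLE_SECRET).decode().rstrip("=")
    + "&issuer=Example&digits=6&period=30"
)

if __name__ == "__main__":
    print(parse_otpauth(EXAMPLE_URI)["label"])     # Example:alice@example.com
    print(totp(EXAMPLE_SECRET, 59, digits=8))      # 94287082, per RFC 6238
    now = int(time.time())
    code = codes_from_qr(EXAMPLE_URI, now)
    print(code, verify_totp(code, EXAMPLE_SECRET, now))
```

The only secret material in the whole scheme is the base32 string in the URI; the phone adds nothing the QR code does not already hold, which is why a saved QR code restores 2FA on a new device and why a stolen one defeats it. The `window` parameter in `verify_totp` is the usual server-side tolerance for clock drift, and it is also why an attacker with the secret does not need to be exactly in sync with you.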

Disclaimer: This post is intended solely to provide information. As I have no knowledge of individual circumstances or technical level, readers are expected to complete their own due diligence before acting on anything mentioned in this article. The topics discussed in this post are advanced, and readers proceed at their own risk.