LastPass Reveals the Threats Posed By Passwords in the Workplace (betanews.com) 72

A reader shares a BetaNews report: A new report by LastPass -- The Password Expose -- reveals the threats posed, and the opportunities presented, by employee passwords. The report starts by pointing out that while nearly everyone (91 percent) knows that it is dangerous to reuse passwords -- with 81 percent of data breaches attributable to "weak, reused, or stolen passwords" -- more than half (61 percent) do reuse passwords. But the real purpose of the report is to "reveal the true gap between what IT thinks, and what's really happening." Jumping straight into the numbers, the report says that even in a 250-employee company, there are an average of 53,250 passwords in use -- a near-impossible number to keep track of and to know the strength of. LastPass found that people have nearly 200 passwords to remember, so it's little wonder that password reuse is an issue.
  • by Anonymous Coward

    extolling the virtues of using a password manager
    threat revealed, thanks lastpass

    • by ctilsie242 ( 4841247 ) on Wednesday November 01, 2017 @03:30PM (#55471799)

      It is a balancing act. On one hand, if someone uses weak (but memorable) passwords that can be brute-forced, that is far more likely than a password manager getting compromised, especially a password manager with 2FA.

      However, selecting a password manager is critical. LastPass is one that has had security intrusions succeed... but were mitigated. Some other PW managers which have, as of their latest versions, required cloud access (1Password, mSecure) not just don't have a proven track record... but don't even give any details on what security they actually bother with. For all we know, they could stash everything on a public S3 bucket.

      I like PW managers which piggyback on existing cloud providers and have decent encryption [1], like Enpass or Codebook. That way, not all eggs are in one basket, and Google Drive provides adequate 2FA protection.

      [1]: The idea would be separating the passphrase protecting the database on the cloud provider versus the encrypted copy, or even better, using public key encryption and "introducing" new devices, to make the copy sitting on the cloud provider as brute force resistant as possible.

      • by Average ( 648 ) on Wednesday November 01, 2017 @03:46PM (#55471885)

        I can't recommend PasswordStore (passwordstore.org) highly enough. ~400 lines of (quite readable) Bash. GPG. Git. That's the extent of it.

        Combined with my GPG credentials being on a smartcard, I feel like I'm doing the best I can.

      • 1password used to work that way, and it is still possible to purchase the standalone version that lets you store your passwords on other cloud services, but I don't know how much longer that will be. As it is, they don't advertise the standalone version anymore. You have to specifically ask them for it.

        I am currently looking at Enpass as a possible alternative, however there are several dealbreakers that I am waiting to be resolved:
        1. It doesn't support multiple password vaults. Supposed to be in the ne

  • I only have to remember the vault password. The three keys to making it work in the long run are backup, backup, and backup.

    • I only have to remember the vault password. The three keys to making it work in the long run are backup, backup, and backup.

      I use Acerose password manager. Its weak spot is that any back-up of the database is readable with any text editor. I've used it for so long, and having many log-ins, I stick with it.

      • by sehlat ( 180760 )

        I use KeePass. The database (including backup copies) is encrypted. The password is in a sealed envelope inside our family safe deposit box, and both my wife and son have access.

          I use KeePass. The database (including backup copies) is encrypted. The password is in a sealed envelope inside our family safe deposit box, and both my wife and son have access.

          Good to see you have a plan. So few do.

  • I have 3+ passwords. (Score:2, Interesting)

    by Anonymous Coward

    One for I don't give a shit - like a Reddit account and every other dipshit website that requires a login so that they can use their registered users for advertising and revenue - and that's why I will never register for Slashdot.

    One for it'd suck if someone got a hold of it, but life goes on.

    One for my money and other important shit.

    My wife on the other hand, takes this password shit too seriously. She creates a new a special one for every dipshit login. And as a result, is constantly forgetting them and r

    • by XXongo ( 3986865 )

      One for I don't give a shit - like a Reddit account and every other dipshit website that requires a login so that they can use their registered users for advertising and revenue - and that's why I will never register for Slashdot.

      I don't get it-- why don't you use your "I don't give a shit" account password, here, too, if you use it on Reddit?

    • by AvitarX ( 172628 )

      My bank would require you have access to my e-mail or phone.

      My e-mail would require you have access to my phone.

      I don't think it'd be as easy as you think in general.

  • We kept complaining about the password explosion. Especially since so much of the office functions are outsourced and we end up logging into so many servers. They rolled in with great fartfare Single Sign On. With TFA to boot.

    Now after we go through the painful Microsoft applications access panel, we click on anything, and it pops up the same password dialog. The only thing that has changed is that now we cannot directly log in to the third party service. First we sign on here and then sign on again. Single Sign on e

  • If everyone had a password manager, then IT would spend all their time replacing passwords for people who forgot the password to their password manager.

    And if the passwords are stored in the cloud, they are almost guaranteed to not be secure.
    • In fairness, it's much easier to remember one password for your password manager than 150 unique strong passwords, so IT would be getting fewer calls. Plus, a big part of the problem is that people won't remember hundreds of unique passwords, so they instead reuse passwords, which is one of the major ways that accounts get compromised.

      I'm not saying that this isn't an advertisement in disguise, but they're not wrong.

      • I'd be willing to bet that password reuse isn't the problem so much as weak passwords in the first place.
        For example, in moderately large places (greater than 100 people) where passwords are required to change every quarter, you can be fairly certain that someone will use the password scheme "Spring2017"
        • by sls1j ( 580823 )
          Even strong passwords have a problem when you re-use them. If you get phished you've just compromised all your sites, not just one. Whereas with a password manager you don't enter your strong password into a web page (at least not the PM I use), so you won't lose everything with one mistake. I also use my PM enough to remember the strong password.
          • Password managers have the problem that if you are compromised, every password is lost. So which is the more likely scenario?

            Passwords are not good security, even with a password manager.
            • Password managers have the problem that if you are compromised, every password is lost. So which is the more likely scenario?

              Passwords are not good security, even with a password manager.

              If your password manager is compromised, you have a neat and tidy list of every password you need to reset. Hopefully you do it after figuring out how your password manager was compromised. Hint: You either used the wrong password manager (i.e., anything other than KeePass), you used a shitty master password, or you opened your password database on a compromised box.

  • And Ramps it up to LUDICROUS! Why go small? LoL :-P
  • by Anonymous Coward on Wednesday November 01, 2017 @03:23PM (#55471755)
    When the rules are "must contain 1 lower case, 1 upper case, 1 number, 1 special character, cannot reuse any of the past 20 passwords, must change every 30 days, etc etc etc", no shit we end up picking a pattern and recycling old passwords.
    • Re: (Score:2, Interesting)

      by Anonymous Coward

      must change every 30 days

      This one in particular infuriates me. We have a finance system which demands a change every 60 days but also won't let you re-use passwords (I assume it keeps a record of the hash because it won't even let you recycle from several years ago), and locks you out on the third failed attempt. After a lockout you have to email the finance department and wait several days for someone there to manually reset it and email you a new one, at which point it immediately demands a brand new pa

    • by pnutjam ( 523990 )
      Most sites allow spaces in passwords now. I tend to pick a lyric from a song, or something related to a character from a movie or book, for example, "The postman is a terrible move, great b00k".
      Pretty easy to remember, long enough, and meets complexity requirements. Sometimes my AD Linux integration chokes on special characters, so I'll simplify it to something like this "Dune_is_0verated".
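The "Spring2017" pattern and the complexity rules quoted a few comments up make a concrete point: a password can satisfy every rule and still be the first thing a guesser tries. The checker below is an added example (not code from LastPass, BetaNews or any commenter); it encodes the quoted rules, detects the season-plus-year pattern including leet-style variants, and rates the constructed sample passwords, two of which come from the comments above.

```python
"""Added example: a policy check that rejects predictable season+year
passwords even when they meet the quoted complexity rules."""
import re
import string

SEASONS = ("spring", "summer", "autumn", "fall", "winter")

# Common substitutions users make to keep a pattern past a "must change" rule.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

# A word (letters plus leet characters), optional separators, a 2- or 4-digit
# year, optional trailing punctuation such as "!" added to satisfy the rules.
_SEASON_YEAR = re.compile(
    r"^(?P<word>[A-Za-z@$013457]+?)[\W_]*(?P<year>(?:19|20)\d{2}|\d{2})[\W_]*$")


def meets_complexity(pw: str) -> bool:
    """The rules quoted in the thread: 1 lower, 1 upper, 1 digit, 1 special."""
    return (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def is_seasonal_pattern(pw: str) -> bool:
    """True for Spring2017, Spr1ng2017!, winter-17 and similar variants."""
    m = _SEASON_YEAR.match(pw)
    if not m:
        return False
    return m.group("word").translate(LEET).lower() in SEASONS


def evaluate(pw: str) -> dict:
    """Rate a candidate: predictable patterns lose even if the rules pass."""
    seasonal = is_seasonal_pattern(pw)
    complexity = meets_complexity(pw)
    if seasonal:
        verdict = "predictable"
    elif not complexity or len(pw) < 12:   # 12 is an assumed minimum length
        verdict = "weak"
    else:
        verdict = "ok"
    return {"length": len(pw), "complexity": complexity,
            "seasonal": seasonal, "verdict": verdict}


if __name__ == "__main__":
    # Constructed samples; the last two are the passphrases from the comment above.
    for pw in ("Spring2017", "Spring2017!", "Spr1ng2017!", "winter-17",
               "The postman is a terrible move, great b00k", "Dune_is_0verated"):
        print(f"{pw!r}: {evaluate(pw)}")
```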
  • is a brilliant expose on the dangers of Slashvertisements.
  • Seriously, I'd be really interested to know how they arrived at their 200/user figure. I'm assuming that includes service accounts whose passwords never need to be remembered by an individual.

    Now, by all accounts (zing!) their software is pretty user friendly and better than not using a vault... but this is just marketing. Why slashvertise it?
  • by OneHundredAndTen ( 1523865 ) on Wednesday November 01, 2017 @04:52PM (#55472351)
    Not all passwords are created equal. For example, my Facebook password is probably a very weak one, for I use Facebook only when I am forced to register on some site where I want to write a comment. I don't really know (or care) about the contents of this account, which I opened under false credentials long ago. You see, Facebook can be useful, after all. This aside, the truth is that the bad guys all too often obtain passwords simply by asking for them. Well, not so simply, for the theater involved to get the victim to relinquish their password can be quite elaborate. But, this seems to work pretty well; having seen the process in action a few times, I couldn't help but feel impressed. Articles like this amount to little more than marketing for someone (LastPass, in this case) or mental masturbation. The people who select easy-to-crack passwords are, most likely, those who are going to relinquish their password when properly asked to do so, anyway. And, quite frankly, I for one couldn't care less if somebody gains knowledge of my Facebook password. Which I have forgotten, at any rate - only my browser knows it.
    • by PCM2 ( 4486 )

      Let me understand this ...

      You use your Facebook account solely as a method of authenticating yourself into multiple accounts all over the web? And for that reason you chose weak credentials for your Facebook account?

    • Can you elaborate on the "process in action"?

  • Given LastPass' track record, perhaps we need a companion article:

    "LastPass Reveals the Threats Posed By Using LastPass in the Workplace"

  • ... there was some product that could help solve this problem!
  • reveal the true gap between what IT thinks, and what's really happening

    IT tries to implement decent security, then Management cries because they can't handle remembering 4 different passwords and refuse to purchase licenses for password management software.
