2017-11-01
LastPass Reveals the Threats Posed By Passwords in the Workplace (betanews.com)
A reader shares a BetaNews report: A new report by LastPass -- The Password Exposé -- reveals the threats posed, and the opportunities presented, by employee passwords. The report starts by pointing out that while nearly everyone (91 percent) knows that it is dangerous to reuse passwords -- with 81 percent of data breaches attributable to "weak, reused, or stolen passwords" -- more than half (61 percent) do reuse passwords. But the real purpose of the report is to "reveal the true gap between what IT thinks, and what's really happening." Jumping straight into the numbers, the report says that even in a 250-employee company, there are an average of 53,250 passwords in use -- a near-impossible number to keep track of and to know the strength of. LastPass found that people have nearly 200 passwords to remember, so it's little wonder that password reuse is an issue.
It is a balancing act. On one hand, if someone uses weak (but memorable) passwords that can be brute-forced, that is far more likely than a password manager getting compromised, especially a password manager with 2FA.
However, selecting a password manager is critical. LastPass is one that has had security intrusions succeed... but were mitigated. Some other PW managers which have, as of their latest versions, required cloud access (1Password, mSecure) not just don't have a proven track record... but don
I can't recommend PasswordStore (passwordstore.org) highly enough. ~400 lines of (quite readable) Bash. GPG. Git. That's the extent of it.
Combined with my GPG credentials being on a smartcard, I feel like I'm doing the best I can.
1password used to work that way, and it is still possible to purchase the standalone version that lets you store your passwords on other cloud services, but I don't know how much longer that will be. As it is, they don't advertise the standalone version anymore. You have to specifically ask them for it.
I am currently looking at Enpass as a possible alternative, however there are several dealbreakers that I am waiting to be resolved:
LastPass employees have access to everyone's passwords? I think that'd be a bigger story.
I assume they're encrypted, but they can easily tell if they're the same. It doesn't say they have statistics in complexity, only reuse.
I suppose this would mean that they're not salted though, or the same salt is used for every password in an account.
You shouldn't be able to tell if two encrypted strings are the same unless they are encrypted with the same key. And they should not be for that reason among many others.
You appear to be talking about hashing which is not what a password manager does.
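The exchange above turns on whether a server holding only protected values can see that two entries share a password. The added example below (not from the original thread, and not LastPass's design) uses a constructed three-entry vault and salted SHA-256 fingerprints to show what a server learns under no salt, one salt per account, and a fresh salt per entry, and then does the reuse check the way a client can after decrypting locally.

```python
import hashlib
import os
from collections import defaultdict

# Constructed sample vault (site -> plaintext); two entries share a password.
VAULT = {
    "mail.example": "correct horse battery",
    "bank.example": "Tr0ub4dor&3",
    "forum.example": "correct horse battery",
}


def fingerprint(password: str, salt: bytes) -> str:
    """Salted SHA-256 of a password, standing in for any server-side value."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def server_visible_reuse(vault: dict, salt_mode: str) -> int:
    """Number of reused-password groups a server can spot from fingerprints alone.

    salt_mode: 'none' (no salt), 'account' (one salt shared by every entry in
    the account), or 'entry' (a fresh random salt for each entry).
    """
    account_salt = os.urandom(16)
    groups = defaultdict(list)
    for site, pw in vault.items():
        if salt_mode == "none":
            salt = b""
        elif salt_mode == "account":
            salt = account_salt
        else:
            salt = os.urandom(16)  # per-entry salt: equal passwords no longer collide
        groups[fingerprint(pw, salt)].append(site)
    return sum(1 for sites in groups.values() if len(sites) > 1)


def cross_account_visible(salt_mode: str) -> bool:
    """Can the server tell that two different accounts chose the same password?"""
    pw = "Spring2017"  # a scheme the thread itself mentions
    salts = [b"", b""] if salt_mode == "none" else [os.urandom(16), os.urandom(16)]
    return fingerprint(pw, salts[0]) == fingerprint(pw, salts[1])


def client_side_reuse(vault: dict) -> dict:
    """Reuse detection over the decrypted vault, which only the client holds."""
    by_pw = defaultdict(list)
    for site, pw in vault.items():
        by_pw[pw].append(site)
    return {pw: sites for pw, sites in by_pw.items() if len(sites) > 1}
```

With per-entry salts (or randomized encryption) the server count drops to zero, so a reuse statistic like the one in the report has to come from the client or from a scheme where the server can compare values.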
I only have to remember the vault password. The three keys to making it work in the long run are backup, backup, and backup.
One for I don't give a shit - like a Reddit account and every other dipshit website that requires a login so that they can use their registered users for advertising and revenue - and that's why I will never register for Slashdot.
One for it'd suck if someone got a hold of it, but life goes on.
One for my money and other important shit.
I don't get it-- why don't you use your "I don't give a shit" account password, here, too, if you use it on Reddit?
And if the passwords are stored in the cloud, they are almost guaranteed to not be secure.
In fairness, it's much easier to remember one password for your password manager than 150 unique strong passwords, so IT would be getting fewer calls. Plus, a big part of the problem is that people won't remember hundreds of unique passwords, so they instead reuse passwords, which is one of the major ways that accounts get compromised.
I'm not saying that this isn't an advertisement in disguise, but they're not wrong.
For example, in moderately large places (greater than 100 people) where passwords are required to change every quarter, you can be fairly certain that someone will use the password scheme "Spring2017"
