LastPass Reveals the Threats Posed By Passwords in the Workplace

Posted by msmash from the security-woes dept.
A reader shares a BetaNews report: A new report by LastPass -- The Password Expose -- reveals the threats posed, and the opportunities presented, by employee passwords. The report starts by pointing out that while nearly everyone (91 percent) knows that it is dangerous to reuse passwords -- with 81 percent of data breaches attributable to "weak, reused, or stolen passwords" -- more than half (61 percent) do reuse passwords. But the real purpose of the report is to "reveal the true gap between what IT thinks, and what's really happening." Jumping straight into the numbers, the report says that even in a 250-employee company, there are an average of 53,250 passwords in use -- a near-impossible number to keep track of and to know the strength of. LastPass found that people have nearly 200 passwords to remember, so it's little wonder that password reuse is an issue.

  • extolling the virtues of using a password manager
    threat revealed, thanks lastpass

    • It is a balancing act. On one hand, if someone uses weak (but memorable) passwords that can be brute-forced, that is far more likely than a password manager getting compromised, especially a password manager with 2FA.

      However, selecting a password manager is critical. LastPass is one that has had security intrusions succeed... but were mitigated. Some other PW managers which have, as of their latest versions, required cloud access (1Password, mSecure) not just don't have a proven track record... but don

      • Re: (Score:3)

        by Average ( 648 )

        I can't recommend PasswordStore (passwordstore.org) highly enough. ~400 lines of (quite readable) Bash. GPG. Git. That's the extent of it.

        Combined with my GPG credentials being on a smartcard, I feel like I'm doing the best I can.

  • LastPass employees have access to everyone's passwords? I think that'd be a bigger story.

    • Re: (Score:2)

      by AvitarX ( 172628 )

      I assume they're encrypted, but they can easily tell if they're the same. It doesn't say they have statistics on complexity, only reuse.

      I suppose this would mean that they're not salted though, or the same salt is used for every password in an account.

      • You shouldn't be able to tell if two encrypted strings are the same unless they are encrypted with the same key. And they should not be for that reason among many others.

        You appear to be talking about hashing which is not what a password manager does.
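        The hashing-versus-encryption distinction drawn in this reply, and the salting question above it, as an added example that is not part of the thread: a constructed three-entry vault is stored three ways (unsalted hash, per-entry salted hash, randomized encryption) and the reuse observable from the stored form is counted each way. The HMAC-counter cipher is a toy stand-in for a real AEAD, and the key is a placeholder.

```python
import hashlib
import hmac
import os

# Constructed sample vault: three entries, two of which share a password.
VAULT = {"bank": "correct horse", "mail": "correct horse", "forum": "battery staple"}

def unsalted_hash(pw):
    """Plain SHA-256: equal passwords give equal digests, so whoever holds the
    digests can see reuse directly (and precomputed tables apply)."""
    return hashlib.sha256(pw.encode()).digest()

def salted_hash(pw, salt=None):
    """PBKDF2-HMAC-SHA256 with a fresh 16-byte salt per entry: the same password
    stored twice yields two unrelated digests. Returns (salt, digest)."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

def _keystream(key, nonce, length):
    # HMAC-SHA256 used as a PRF in counter mode (toy construction, not for production).
    out = b""
    for ctr in range(0, length, 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), "sha256").digest()
    return out[:length]

def encrypt(key, pw):
    """Randomized encryption: random nonce + keystream XOR plaintext, so the same
    password under the same key produces a different blob every time."""
    nonce, data = os.urandom(16), pw.encode()
    return nonce + bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))

def decrypt(key, blob):
    nonce, body = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body)))).decode()

def identical_pairs(blobs):
    """Number of pairs of stored values that are byte-identical, i.e. how much
    reuse a party holding only the stored form can observe."""
    items = list(blobs)
    return sum(1 for i in range(len(items)) for j in range(i + 1, len(items))
               if items[i] == items[j])

def reused_entries(vault):
    """Client-side reuse audit over decrypted plaintexts: with salted hashes or
    randomized encryption, this is the only place reuse can be counted."""
    return len(vault) - len(set(vault.values()))
```

With the unsalted store the holder sees one identical pair; with salted hashes or randomized encryption it sees none, so a reuse statistic must come from the client side or from a survey.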

    • I'm not going to register to read the full report. But, based on the article, it seems likely they're using two sources of data: 1) a survey (which probably has an item asking about password re-use), and 2) data from the corporate version of the app that shows, in aggregate, how many passwords a person has stored.

  • I only have to remember the vault password. The three keys to making it work in the long run are backup, backup, and backup.

  • I have 3+ passwords. (Score:1)

    by Anonymous Coward

    One for I don't give a shit - like a Reddit account and every other dipshit website that requires a login so that they can use their registered users for advertising and revenue - and that's why I will never register for Slashdot.

    One for it'd suck if someone got a hold of it, but life goes on.

    One for my money and other important shit.

    My wife on the other hand, takes this password shit too seriously. She creates a new a special one for every dipshit login. And as a result, is constantly forgetting them and r

    • Re: (Score:3)

      by XXongo ( 3986865 )

      One for I don't give a shit - like a Reddit account and every other dipshit website that requires a login so that they can use their registered users for advertising and revenue - and that's why I will never register for Slashdot.

      I don't get it-- why don't you use your "I don't give a shit" account password, here, too, if you use it on Reddit?

  • We kept complaining about the password explosion. Especially since so much of the office functions are outsourced and we end up logging into so many servers. They rolled in with great fartfare Single Sign On. With TFA to boot.

    Now after we go through the painful Microsoft applications access panel, we click on any thing, it pops up the same password dialog. The only thing that has changed is now we can not directly log in to the third party service. First we sign on here and then sign on again. Single Sign on e

  • If everyone had a password manager, then IT would spend all their time replacing passwords for people who forgot the password to their password manager.

    And if the passwords are stored in the cloud, they are almost guaranteed to not be secure.

    • In fairness, it's much easier to remember one password for your password manager than 150 unique strong passwords, so IT would be getting fewer calls. Plus, a big part of the problem is that people won't remember hundreds of unique passwords, so they instead reuse passwords, which is one of the major ways that accounts get compromised.

      I'm not saying that this isn't an advertisement in disguise, but they're not wrong.

      • I'd be willing to bet that password reuse isn't the problem so much as weak passwords in the first place.
        For example, in moderately large places (greater than 100 people) where passwords are required to change every quarter, you can be fairly certain that someone will use the password scheme "Spring2017"

  • And Ramps it up to LUDICROUS! Why go small? LoL :-P

  • Stupid Password Rules (Score:3, Insightful)

    by Anonymous Coward on Wednesday November 01, 2017 @04:23PM (#55471755)

    When the rules are "must contain 1 lower case, 1 upper case, 1 number, 1 special character, cannot reuse any of the past 20 passwords, must change every 30 days, etc etc etc", no shit we end up picking a pattern and recycling old passwords.

  • is a brilliant expose on the dangers of Slashvertisements.