Misconfiguration could lead to security compromises
We have LastPass installed on all of our computers, and each family member has an account. My daughter doesn’t have many accounts, so she doesn’t use LastPass that much. One day my wife was having trouble with her computer, so she used my daughter’s computer to log in to LastPass to access a particular account. She logged in, did her business, and logged out of the account.
But she didn’t log out of LastPass, and LastPass on my daughter’s computer was not properly configured.
Months later I got an email from PayPal saying that I had purchased a video game add-on. Which I didn’t do. The email checked out – it was legitimate. But my PayPal, like all my accounts, are stored in LastPass. Who could have gotten into PayPal, and how?
And if they could do that, why only blow $10 on a video game? Something was fishy. I called my daughter to ask if she had purchased a video game recently.
Yes! Sorry! I didn’t mean to…
Mystery partially solved. At least there was no criminal break-in. But how did she get into my PayPal account?
It turns out that LastPass was not configured correctly on my daughter’s computer. There was no automatic logout set. So my wife was still logged into LastPass on my daughter’s computer despite having done so months before. Since my daughter rarely needs to use LastPass, she had no opportunity to log my wife out.
And one day she clicked on BUY NOW which took her to PayPal, onto which LastPass happily logged her in.
Don’t let this happen to you
You can have all the encryption in the world, but if it isn’t configured correctly you can still be compromised. Make sure your LastPass account is set up properly now with just a few clicks!
Note that you will have to restart your browser for these options to take effect.
Preferences -> General
There are a bunch of options you can set however you want. The two most important options are at the top:
- Automatically logoff when all browsers are closed – CHECK THIS BOX. I would have no PayPal daughter story to tell if this box were checked on her computer. You can put whatever value you want for minutes, but I’d recommend something small like 0 or 1. I put 1 because occasionally I accidentally close my browser when I don’t mean to, and it’s convenient to be able to reopen it immediately and have the LastPass data there.
- Automatically logoff after idle – CHECK THIS BOX. When you minimize your browser and work on something else for a while, you forget about LastPass. For example, if you put your laptop into Sleep Mode and someone steals it, it will be trivial for a thief to break in. Without an auto logoff when idle feature, that thief would have access to all your passwords. I leave the default 15 minutes as a good compromise between the slight inconvenience of having to log in again versus the times when I’m actually done browsing.
Preferences -> Advanced
There are three options we care about here:
- Warn before filling insecure forms – CHECK THIS BOX. You should think twice before you go putting what you think are secure credentials into a website that has zero security. So many websites have security enabled for passwords, so we don’t think much about it. But some still don’t. And you should realize that before entering passwords or credit cards.
- Clear clipboard after use – CHECK THIS BOX. Copying and pasting your password from LastPass comes in handy all the time for sites that just aren’t cooperative with LastPass’ autologin feature. You don’t want a sensitive password hanging around in the clipboard. First of all you could accidentally paste it later on into a document or other website where the password is visible, and you might not notice. Second, you could come across malware that periodically scans your clipboard for data, and if it finds a password in there your account could be compromised.
- Save a disabled One Time Password locally for Account Recovery – YOUR CHOICE. If you forget your password this may be your only recourse. The LastPass User Manual states that after password hints don’t work:
If the password hint doesn’t help you, go to the Account Recovery page (https://lastpass.com/recover.php) to follow the steps to activate your local One Time Password and recover your account. LastPass will send you an email with a link to launch in your browser. If the first browser on which you attempt to use the link doesn’t work, try the same process on any other browser on any computer on which you have previously accessed your LastPass account. Please note that this can only be attempted from a desktop – mobile devices and apps are not supported for account recovery.
A criminal would have to have access to both your physical computer AND your email to gain access to LastPass with this option checked. That’s extremely unlikely for most users.
One more thing
Unfortunately you can only do this from the lastpass.com website, not the browser plugin. So log in now to your account on lastpass.com. As of this writing they are cryptically calling the login function Web Vault in the menu system instead of Login like everyone else does.
Click on Account Settings on the left of your vault screen (kinda highlighted in yellow above, but hard to see). That will bring up the above dialog box. Click on “Show Advanced Settings” at the bottom.
When you click on Show Advanced Settings it will scroll you down part way. You’ll have to push the scroll bar down a little more to see the Password Iterations field, which by default is probably 5000.
Choose a random number between 5000 and 10,000 and click Update. Here’s what that does:
This number tells your computer how many times to send your master password through the hashing algorithm before LastPass saves it. As a reminder, no website should ever store your password, just a hash of it. Hashing a password is like beating an egg one time, but the hash algorithm beats your password the exact same way every time. You can beat that egg as much as you want, you’ll never be able to restore the original egg. And usually the more you beat the egg, the better.
In general, the more times you run a hash algorithm on your password, the more secure it is. But the more you run a hash algorithm, the longer it takes to get into your account. So for super security you’d want to set this number really really high, but you’d never get into your account.
Knowing your password was hashed 5000 times makes a criminal’s job just a little easier in that he would know how many times to send brute force attacks through the algorithm if he had access to the password file. Throw off the crooks whenever you can!
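To make the iteration trade-off concrete, here is an added example (not code from the post or from LastPass) that stretches a master password with PBKDF2-HMAC-SHA256, times one derivation at several iteration counts, and estimates how long an offline brute-force run against a stolen vault would take at each count. The password, salt, guess count and hash rate are constructed sample values; the point it shows is that the work for the legitimate login and for every attacker guess scale together, linearly, with the iteration count.

```python
import hashlib
import time

# Constructed sample values; a real vault uses the user's own master password and salt.
SAMPLE_PASSWORD = "correct horse battery staple"
SAMPLE_SALT = b"constructed-sample-salt"


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master password with PBKDF2-HMAC-SHA256.

    `iterations` plays the role of the Password Iterations setting: the
    password is fed through HMAC-SHA256 that many times before the 32-byte
    result is used, so every guess an attacker makes costs the same work.
    """
    if iterations < 1:
        raise ValueError("iteration count must be positive")
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def time_derivation(master_password: str, salt: bytes, iterations: int, repeats: int = 3) -> float:
    """Average wall-clock seconds for one derivation at this iteration count
    (this is the delay the legitimate user pays at every login)."""
    start = time.perf_counter()
    for _ in range(repeats):
        derive_vault_key(master_password, salt, iterations)
    return (time.perf_counter() - start) / repeats


def brute_force_hours(guesses: int, iterations: int, hmac_per_second: float) -> float:
    """Hours needed to test `guesses` candidate passwords offline when each
    guess costs `iterations` HMAC computations on hardware that performs
    `hmac_per_second` of them per second. Doubling the iterations doubles
    the attacker's cost exactly as it doubles the login delay."""
    return guesses * iterations / hmac_per_second / 3600.0


if __name__ == "__main__":
    for iters in (5000, 10000, 100000):
        key = derive_vault_key(SAMPLE_PASSWORD, SAMPLE_SALT, iters)
        secs = time_derivation(SAMPLE_PASSWORD, SAMPLE_SALT, iters)
        # Constructed attacker model: a billion guesses on hardware doing 1e9 HMAC/s.
        hours = brute_force_hours(10**9, iters, 1e9)
        print(
            f"{iters:>7} iterations: key={key.hex()[:16]}... "
            f"login cost {secs * 1000:.1f} ms, "
            f"1e9 offline guesses take {hours:.2f} h"
        )
```

Run it and compare the two columns: the login delay stays in the tens of milliseconds even at 100,000 iterations, while the attacker's cost for the same guess list grows twentyfold relative to the 5000 default. Note that the derivation needs the iteration count as an input, so whatever value you pick must be available to the client at login time; the benefit of a higher count is the extra work per guess, not secrecy of the number.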
There, Now You’re Secure
Now you are set up securely. Enjoy!