Paul Walker on 7 Jan 2017 23:18:40 -0800

Re: [PLUG] Lastpass - friend or foe


So... on the intersection of lastpass and password hashsaltfu:

LastPass has opted to use SHA-256, a slower hashing algorithm that provides more protection against brute-force attacks. LastPass utilizes the PBKDF2 function implemented with SHA-256 to turn your master password into your encryption key. LastPass performs x number of rounds of the function to create the encryption key, before a single additional round of PBKDF2 is done to create your login hash.

https://helpdesk.lastpass.com/account-settings/general/password-iterations-pbkdf2/ 

On Sat, Jan 7, 2017 at 9:46 PM, Tim Allen <tim@peregrinesalon.com> wrote:
I've been using LastPass for a while, and am dreading the day when they inevitably get hacked and I have to change all my passwords. But that is just part of life: we have a ton of systems at work. Any time an employee leaves, we have to change the passwords / keys on all systems with service accounts they had access to. I've stupidly committed keys to version control, and have had to change them. These things happen and the response is what matters. I look at LastPass as the same thing.

LastPass has some very nice features. At work, we also have LastPass Enterprise. The linking mentioned to my personal LastPass account from my Enterprise account makes my personal account appear as a folder in the folder tree. This is very handy; it saves my personal passwords in my personal LastPass, and my work passwords in the parent enterprise account. They're naturally separated, and if I were to ever leave, I simply unlink my personal account and I'm off and running.

The shared folders are extremely useful too, as others have mentioned. We have a number of generic accounts: read-only DB accounts for our data team, the team's social media accounts shared with marketing, etc. We created separate shared folders for each of these roles, and there's no more bugging us for forgotten passwords, non-technical employees sharing passwords over email / Google Chat / AIM / Slack / etc. The days of our staff keeping Excel spreadsheets of passwords on their desktop, home desktop, dropbox, and so forth are quickly dwindling.

As with all things, it's a bit of a trade-off, but I think we're much better off than we were. LastPass's interface is much easier to use than others I've used in the past (PWSafe, 1Password) and, with a mobile app to boot, has made it a no-brainer for us.

Regards,

Tim

On Sat, Jan 7, 2017 at 8:14 PM, Thomas Delrue <delrue.thomas@gmail.com> wrote:
So you didn't salt passwords then, ey...


On January 7, 2017 7:01:22 PM EST, Paul Walker <pjwalker76@gmail.com> wrote:
Finally, we can come clean about what our passwords really are. P@ssw0rd123 is a pretty good one - 

I was working on a website and noticed that a lot of hashed passwords in the database were the same, so I put the hash into Google and it returned the password for me .. lol.

On Sat, Jan 7, 2017 at 6:38 PM, Rich Freeman <r-plug@thefreemanclan.net> wrote:
On Sat, Jan 7, 2017 at 5:38 PM, Christopher Barry
<christopher.r.barry@gmail.com> wrote:
>
> Meh, I just use 'P@ssw0rd123' everywhere.
>

Ah, the Podesta approach.  :)

--
Rich
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug


--
Thomas
(Sent from my mobile device, please forgive brevity or typos.)

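The two halves of this thread, the unsalted hash table that Google could look up and the two-stage PBKDF2 derivation quoted from the LastPass help page, fit in one small demonstration. The following is an added example, not code from anyone in the thread and not LastPass's implementation. It assumes a per-user salt (the username is used here purely as an example choice), an example iteration count in place of the page's "x rounds", and that the single extra round is PBKDF2 over the derived key with the master password as its salt; the quoted text says only "x rounds" followed by "a single additional round" and fixes none of those details. The sample users and passwords are constructed.

```python
import hashlib
import hmac

# Constructed sample data: four users, three of whom chose the password
# the thread jokes about. Not taken from any real system.
USERS = {
    "alice": "P@ssw0rd123",
    "bob": "correct horse battery staple",
    "carol": "P@ssw0rd123",
    "dave": "P@ssw0rd123",
}

# Example iteration count standing in for the page's "x rounds".
# ASSUMPTION: an illustrative value, not any service's actual setting.
ITERATIONS = 5000


def unsalted_sha256(password: str) -> str:
    """Bare SHA-256 of the password, no salt, no work factor.

    Every user with the same password gets the same hash, and a single
    fast hash of a common password is exactly what public hash-lookup
    sites index. This is the situation Paul describes finding.
    """
    return hashlib.sha256(password.encode()).hexdigest()


def duplicate_hashes(table: dict) -> dict:
    """Return {hash: [users]} for each hash shared by more than one user.

    An empty result means no two stored values coincide; a non-empty one
    is the 'a lot of hashed passwords were the same' observation.
    """
    by_hash: dict = {}
    for user, h in table.items():
        by_hash.setdefault(h, []).append(user)
    return {h: users for h, users in by_hash.items() if len(users) > 1}


def derive_keys(username: str, master_password: str, iterations: int):
    """Two-stage PBKDF2-HMAC-SHA256 in the shape the quoted text describes.

    Stage one: `iterations` rounds turn the master password into the
    encryption key. Stage two: one further round of PBKDF2 over that key
    yields the login hash, so the server-side verifier never receives the
    encryption key itself.

    ASSUMPTIONS (not stated on the page): the stage-one salt is the
    username, and stage two uses the master password as its salt.
    """
    enc_key = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), username.encode(), iterations, dklen=32
    )
    login_hash = hashlib.pbkdf2_hmac(
        "sha256", enc_key, master_password.encode(), 1, dklen=32
    )
    return enc_key.hex(), login_hash.hex()


def login_hash_table(users: dict, iterations: int = ITERATIONS) -> dict:
    """What a server following this scheme would store: login hashes only."""
    return {u: derive_keys(u, pw, iterations)[1] for u, pw in users.items()}


def verify_login(stored_login_hash: str, username: str, attempt: str,
                 iterations: int = ITERATIONS) -> bool:
    """Recompute the login hash for an attempt and compare in constant time."""
    _, candidate = derive_keys(username, attempt, iterations)
    return hmac.compare_digest(candidate, stored_login_hash)


if __name__ == "__main__":
    weak = {u: unsalted_sha256(pw) for u, pw in USERS.items()}
    print("unsalted SHA-256 duplicates:", duplicate_hashes(weak))
    strong = login_hash_table(USERS)
    print("salted PBKDF2 duplicates:   ", duplicate_hashes(strong))
```

Run it and the unsalted table shows alice, carol and dave sharing one hash, which is the value Paul could paste into a search engine; the PBKDF2 table shows four distinct login hashes for the same four passwords, because the salt differs per user and the iteration count makes each guess cost thousands of HMAC computations rather than one.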