Episode: 1810
Title: HPR1810: 17 - LastPass Hacked - What Does It Mean?
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr1810/hpr1810.mp3
Transcribed: 2025-10-18 09:34:01
---
This is HPR episode 1,810 entitled, 17 - Last Pass Hacked - What Does It Mean?
It is part of the series Privacy and Security, it is hosted by Ahuka, and it is about 23 minutes long.
The summary is: Last Pass was hacked, but how bad is it?
This episode of HPR is brought to you by AnHonestHost.com.
Get a 15% discount on all shared hosting with the offer code HPR15. That's HPR15.
Better web hosting that's honest and fair at AnHonestHost.com.
Hello, this is Ahuka, welcoming you to Hacker Public Radio and another in our exciting series
on security and privacy. I know I'm working on some stuff that we will be getting to later on SSH, but something came up, and that's the thing about security: the headlines sometimes tell you what you need to do.
So what I want to do this time is I want to talk about Last Pass.
Now, Last Pass on June 15th disclosed that it had been hacked and chances are you've heard about it.
I know I have received questions from quite a few people because I have recommended Last Pass often and my advice has been to stay with them.
What I want to do now is explain why this was not quite the big deal it was made out to be in some quarters and that anyone telling you to stop using password vaults is only asking you to lower your own security.
Now, the Last Pass blog post that I'm going to refer to is titled Last Pass Security Notice and was posted on their site June 15th, 2015 and I have a link in the show notes to cover that.
In addition, email went out to every Last Pass user advising them to change their master password. This is good advice but pretty standard in these cases.
But in the very first paragraph of their blog post they say, as expected we work tirelessly to make sure that your data is safe.
That's why we quickly detected, contained, evaluated the scope of the incident and secured all user accounts.
We want to assure our users that our cyber attack response worked as designed.
Now it is one thing to make these claims and quite another to back them up. I think they are valid claims and I want to explain why.
So first, what did the hackers actually get here? Again, looking at the security notice.
In our investigation, we have found no evidence that encrypted user vault data was taken, nor that Last Pass user accounts were accessed.
The investigation has shown, however, that Last Pass account email addresses, password reminders, server per user salts and authentication hashes were compromised.
Now, this is not trivial, but the real point is that the safeguards Last Pass put in place worked as designed.
First, they clearly had segmented their network to keep key data in different areas, so that getting into one area does not get you into everything.
Now, that was one of the big mistakes that Sony made. When the hackers got inside, with Sony, they got everything.
At Last Pass, getting into one network segment did not give access to the other segments, and key security info was split up.
This really is a best practice for network security, and is one of the reasons this hack is not the big deal some people claim.
None of your actual password data was accessed, but to see why this is not such a big deal, we need to look at how Last Pass secures your passwords.
So how do they do it?
Well, the idea of Last Pass is to create a password vault that is secured by a strong master password.
As we have discussed previously, strong passwords have both length and entropy.
A really good password might be one that has, for instance, 20 characters, including uppercase and lowercase letters, numbers, and special characters, all put together in a random jumble.
The problem with that is that such passwords are really hard for people to remember, and with every site in the world requiring you to create a password, it gets impossible really quickly.
But Last Pass lets you create all of the strong passwords you need, store them in your Last Pass vault, and you can then copy them as needed, or set Last Pass to automatically fill in passwords on websites using their browser plugin. I do this, and it is very convenient.
I only need to memorize my master password, and use that to open the vault, and I only need to do that once after every reboot.
For my purposes, it gives me all the security I want.
Yes, if someone got physical access to my computer, while Last Pass was open, they could read my passwords.
But I think anyone listening to this ought to be smart enough to know, if someone has physical access to your computer, it is game over for security in any event.
In a situation like that, I suppose we could start talking about people spraying Freon onto memory chips to prevent them from discharging, and all of this.
Does that stuff exist? Yes. It is not what I am concerned with, and I am going to get to that in a moment.
Now, when you create your Last Pass vault, you create your secure, at least I hope it is secure, master password.
This is then combined with your username, and this is then hashed multiple times using SHA256, which is an excellent hashing algorithm.
The default setting is to hash 5,000 times on your local computer, but in the advanced settings you can change this to another number.
Now, Last Pass tells you you probably don't want to go over 20,000 rounds because of performance problems, but that really depends on the kind of computer you have.
Try it. See how much of a deal it is. If it only means you wait 5 seconds for Last Pass to open, is that such a big problem?
So, give it a shot and see.
As I said previously, I only need to do this opening up Last Pass once after each reboot, so it is not that big deal, and it doesn't really take long for me on my computer.
Now, if you want to add a little more entropy to this process, use a number that is not a round number.
So, change that. Change it to 6578 or 13729.
That is just going to make it that much harder for anyone to crack it.
Now, this hashing process, done 5,000 times, creates your key, and then your key is hashed one more time and sent to the Last Pass server.
So, that was one of the things that the hackers got, that authentication key.
So, if you were paying attention to the things that Last Pass said, the authentication hashes were one of the things compromised.
Well, what was compromised was a copy of something that had started with a strong, I hope, Master Password, combined with your username.
Now, they did get your username, but they did not get your Master Password, that's not stored anywhere on Last Pass' site.
The only thing they store is the result of at least 5,000 hashes of it.
That alone makes it fairly secure, by the way.
Then, when they get it, what do they do with it?
They take it and they combine that with a salt.
Now, a salt is simply a random number that is added.
So, they take that hash, that they got the authentication hash, they add a random number, and it's a different random number for every user.
And then, they do another 100,000 rounds of hashing before storing that resulting binary blob in a database.
So, Last Pass does not have your Master Password anywhere in their system, it only exists in your mind.
All they have is a random binary blob that was generated from your Master Password, but is computationally difficult for even the best computers to get at.
What they do need to store is the salt, since that is essential to decrypting your data, but note that they stored the salt on a different database in a different network segment from the database that actually has your data.
Now, that's exactly what you want them to do.
Now, a little side note, does Last Pass really not have your password?
Well, I ran into that.
I once changed my Master Password to something different.
I don't recall now exactly why I wanted to do that, but for some reason I thought that was a good idea at the time.
So, I made the change and I wrote down a hint about it. Now, when I made the change, I was at work.
And when I got home, I looked at my hint and I couldn't get into my password vault anymore.
So, I don't know if my hint was too obscure or I did the password wrong and it didn't match what I thought it matched.
All I knew was I could not open my vault.
So, I checked with Last Pass, what can we do?
And all they said was, well, we have an earlier version of your vault.
From before you changed your password, would you like to try that?
Well, since at this point it had only been about a day and I don't think anything had changed, I was fortunately able to recover.
But yeah, Last Pass will tell you, they do not have your password, they cannot recover your password.
You know, this is part of the security model here folks.
Now, I want to talk a little bit about threat models because that's I think a big part of understanding all of this.
Now, if you've been following my series on security and privacy, you probably have picked up that I'm a pretty big fan of Bruce Schneier.
And I use something that I call the Schneier model to evaluate threats and countermeasures.
Now, I took this from his book Beyond Fear and I've got two different links in the show notes.
One is to the written article and the other is to hacker public radio show 1581, which is the show that I recorded talking about this Schneier model of how to think about security.
And the idea here is to identify the threat you are guarding against and then evaluate your proposed countermeasures in terms of how well they work against that threat.
As I said above, the threat I guard against by using Last Pass is that some internet bad guy will get my logins and maybe do an identity theft on me, you know, my bank account and you know, stuff like that.
That's what I'm trying to guard against. Now, what Last Pass is not going to entirely protect me from, and I understand that, is a scenario where the government has decided that I am what they call a person of interest and is directly targeting me.
If that's your problem, you will need to take a look at other possible measures.
And you could do a whole lot worse than to carefully study the example of Edward Snowden in his interactions with Glenn Greenwald and the others because he did everything just about as well as you could do it.
So that would be the model that I would give you in that particular situation, but that's not what I'm worried about.
As far as I know, I am not a particularly interesting person to my government and I have simpler needs. So how safe am I?
Let's take a look at the situation.
Suppose someone actually got a hold of the database that has my encrypted binary blob of data and also got the database with the salt and the things they actually did get in this attack.
Is that game over? Well, I don't think so. First, they do not have my master password. That means they would have to actually crank through a lot of computation.
Now, if my password is not very good, they might get somewhere using a dictionary attack. That means they would have to take my username and combine that with every password in their dictionary and hash it.
Worst case scenario here, at least, is that I never changed the default settings. So they know they need to hash it 5,000 times using SHA256.
Then hash it again, combine it with the salt they got from the other database, hash it 100,000 times more and see if they get a match.
If it does not match, they need to start the same thing again with another potential password and go through all of that.
And this is the worst scenario for most of these options: that you have a password that is in the dictionary, and you left the default alone for the hashes on your computer.
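To make the two pieces of the argument above concrete, the key derivation described earlier (master password combined with the username, hashed 5,000 times locally, hashed once more to make the authentication hash, then salted and hashed 100,000 more times on the server) and the dictionary attack an attacker with the leaked salt and stored hash would have to run, here is a small model in Python. This is an added example written for this page, not LastPass's own code: it follows the episode's description of the scheme using PBKDF2-SHA256 for the round counts, and the function names, the account record layout, the constructed word list and the sample users are all mine. It also includes a timing helper for the "try it and see" advice about raising the local round count.

```python
import hashlib
import hmac
import os
import time

# Model of the scheme as the episode describes it (assumed layout, not
# LastPass's real implementation): client-side rounds over the master
# password with the username as salt, one extra hash to produce the
# authentication hash that travels to the server, then server-side rounds
# with a random per-user salt before anything is stored.
CLIENT_ROUNDS_DEFAULT = 5_000
SERVER_ROUNDS = 100_000


def client_key(username: str, master_password: str,
               rounds: int = CLIENT_ROUNDS_DEFAULT) -> bytes:
    """Vault key derived on the user's machine: PBKDF2-SHA256 of the master
    password, salted with the (lower-cased) username, 'rounds' iterations."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               username.lower().encode("utf-8"), rounds)


def auth_hash(vault_key: bytes) -> bytes:
    """One more SHA-256 over the key. This, not the key, is sent to the server."""
    return hashlib.sha256(vault_key).digest()


def server_store(authentication_hash: bytes, per_user_salt: bytes,
                 rounds: int = SERVER_ROUNDS) -> bytes:
    """Server side: salt the received authentication hash with a random
    per-user salt and run another 100,000 rounds before storing the blob."""
    return hashlib.pbkdf2_hmac("sha256", authentication_hash, per_user_salt, rounds)


def enroll(username: str, master_password: str,
           client_rounds: int = CLIENT_ROUNDS_DEFAULT) -> dict:
    """Create the server's record for a user. Note what is stored: the email,
    the salt, the client round count and the final blob; never the password
    and never the vault key (the round count is kept here only so the model
    knows how to re-derive; the real setting lives in the client)."""
    salt = os.urandom(16)
    key = client_key(username, master_password, client_rounds)
    return {
        "username": username,
        "salt": salt,
        "client_rounds": client_rounds,
        "stored": server_store(auth_hash(key), salt),
    }


def verify(record: dict, master_password: str) -> bool:
    """Full login check, which is also exactly the work one guess costs an
    attacker who holds the leaked email, salt and stored hash."""
    key = client_key(record["username"], master_password, record["client_rounds"])
    candidate = server_store(auth_hash(key), record["salt"])
    return hmac.compare_digest(candidate, record["stored"])


def dictionary_attack(record: dict, wordlist):
    """Try each candidate password in turn; return the hit or None.
    Every miss costs client_rounds + 1 + SERVER_ROUNDS hash iterations."""
    for guess in wordlist:
        if verify(record, guess):
            return guess
    return None


def time_local_unlock(username: str, master_password: str, rounds: int) -> float:
    """Seconds the local derivation takes at a given round count, so you can
    decide how high a number you can live with."""
    start = time.perf_counter()
    client_key(username, master_password, rounds)
    return time.perf_counter() - start


# Constructed sample data for the demo below (not real accounts or passwords).
WEAK_USER = enroll("alice@example.com", "password123")
STRONG_USER = enroll("bob@example.com", "kQ7#vL2m!Zp9wX4r$Ht6", client_rounds=13_729)
WORDLIST = ["123456", "qwerty", "letmein", "password", "password123", "welcome1"]

if __name__ == "__main__":
    print("alice cracked:", dictionary_attack(WEAK_USER, WORDLIST))
    print("bob cracked:  ", dictionary_attack(STRONG_USER, WORDLIST))
    for n in (5_000, 20_000, 100_000):
        print(f"{n:>7} local rounds: {time_local_unlock('bob@example.com', 'x', n):.3f}s")
```

The point the demo makes is the one in the episode: the leak hands an attacker everything needed to run `verify` offline, but each guess still costs the full round count, and a password that is not in anyone's word list never falls out of `dictionary_attack` at all. Raising the local rounds (as Bob does here) multiplies the per-guess cost for the attacker by the same factor it adds to your own unlock time.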
Now, if this is the NSA and they think you are the next Edward Snowden, they do have the computing power to do this. And they will eventually get in.
But as I said, I am not trying to guard against that threat.
An internet bad guy is not targeting me specifically but is trying to get a whole bunch of passwords and logins that they can use or sell.
If they can crack half the ones in the database, that is a success for them. And I need to make sure I am not in that half.
Now this is a lot like why you put a deadbolt lock on your door. It won't stop anyone determined to get into your house, but it will make a burglar move along to another house that is less well protected.
Now if you understand everything we have discussed above, you can see why this particular attack is less serious than it seems.
Last Pass really thought about security and did it right, and the result is that your passwords continue to be safe.
Now, if you listened to people who advised you to stop using Last Pass, where would you be?
Probably using insecure passwords that are less protected. Your security would actually go down unless you are an Edward Snowden level security genius.
So I advise you to stay with Last Pass, but to make sure you are using it properly.
So here are some things you can do that I am calling my Last Pass best practices.
Number one, never use your Last Pass master password on any other site. If someone can crack that other site, they would then get your password, and you no longer have any security.
Last Pass is built around the principle of keeping all of your eggs in one basket and guarding that basket very carefully.
You need to have this one very secure password, and then let Last Pass manage all of the others. It really works well.
And that means make it highly secure: a combination of letters, numbers and special characters. If possible, choose from all 95 of the characters available on a standard keyboard, or whatever that is for you if you are in a different country with a different keyboard. If you can memorize it, all the better.
But writing it down and putting it in your wallet is not a bad idea. Again, what is the threat you are guarding against?
If you get arrested and they find that in your wallet, they can get in, but that is really not the threat I am guarding against.
And you could write down the first part and have something you can remember that you add on the end, if that concerns you.
Now, if for some reason you didn't have a secure master password previously, consider this a wake-up call to make it secure now.
Because a lot of your security depends on that master password.
Then, change the default setting. All right, in Last Pass go to Settings, and then look at Advanced Settings; it is a little button on the bottom of that window.
For how many passes Last Pass does locally on your machine, make it some random number, not a round number, and increase the number of rounds of hashing to as high as you can live with.
Even if it takes a minute to load as a result, you only need to do this once when you reboot, and then it stays open for the rest of your session.
Finally, enable two-factor authentication.
All right, what that means is opening your Last Pass vault requires more than just a password.
Now, the way I do it is this. Last Pass has arrangements with a number of different places.
There is a company that I like called Duo Security. They happen to be located in the same area that I'm in.
But, you know, they're available to anyone on the internet, really.
So, with Duo Security, what I do is I set that up. Duo Security gives everyone a free personal account.
So, it's not going to cost you anything, and you set that up, and there are some pieces of information that they create that you then put into Last Pass in this case.
I also use it to safeguard my WordPress websites, and this all works pretty much the same way.
So, if I go to log in, I type in the password, and instead of letting me in, what it then does is send a confirmation message to my phone, where I then have to press a button that says, yes, I am allowing this login to take place.
Does it take another second? Yeah, but, you know, it's really not that hard to do.
Now, if you don't want to do it that way, there are a number of other options.
Last Pass has relationships with a number of different places.
If you wanted to carry around a USB device, you could use something like a YubiKey, which is very good as well.
But, you know, as I say, I've already got a relationship with Duo Security. I already had an account with them, so that just made it real simple for me to set that up.
So, with all of that, you know, clearly I feel that I've got all the security I need using Last Pass, and so I'm not particularly worried.
Now, changing your master password, particularly if the one you had was not a very good one to begin with, you know, please take this as a wake-up call.
You know, this is one of those things you've got to fix.
You know, there is nothing that any company can do to improve security that will make up for you doing something stupid that reduces security.
So, you've got to do your part.
Think about what are realistic threat models and what it is that you're trying to guard against.
And don't worry so much about things like having your password written down if your real concern is having your identity stolen on the internet, because they're not going to steal your identity on the internet because you had a password in your wallet.
So, think about that stuff.
So, with all of that, this is Ahuka signing off for Hacker Public Radio and reminding you, as always, to support free software.
Bye-bye.
You've been listening to Hacker Public Radio at HackerPublicRadio.org.
We are a community podcast network that releases shows every weekday, Monday through Friday.
Today's show, like all our shows, was contributed by an HPR listener like yourself.
If you ever thought of recording a podcast, then click on our contributing to find out how easy it really is.
Hacker Public Radio was founded by the Digital Dog Pound and the Infonomicon Computer Club, and is part of the binary revolution at binrev.com.
If you have comments on today's show, please email the host directly, leave a comment on the website or record a follow-up episode yourself.
Unless otherwise stated, today's show is released under a Creative Commons Attribution-ShareAlike 3.0 license.