Lee Hanken 7c8efd2228 Initial commit: HPR Knowledge Base MCP Server
- MCP server with stdio transport for local use
- Search episodes, transcripts, hosts, and series
- 4,511 episodes with metadata and transcripts
- Data loader with in-memory JSON storage

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-10-26 10:54:13 +00:00


Episode: 1940
Title: HPR1940: WASHLUG Talk on LastPass
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr1940/hpr1940.mp3
Transcribed: 2025-10-18 11:32:08
---
This episode of HPR is brought to you by AnHonestHost.com. Get 15% discount on all shared hosting with the offer code HPR15. That's HPR15. Better web hosting that's honest and fair at AnHonestHost.com.
The question in my mind is will we move to IPv6 before we move to metric?
Let's get started.
What I want to do is talk a little bit about the LastPass hack, which I have dug into and decided really was not a terribly big deal.
I say that as someone who has done a number of presentations on passwords and the best way to approach it, and I've always recommended LastPass.
When the hack happened a few people said, well, does that change your mind? No, actually it doesn't.
But I want to start a little bit by talking about what are best practices because I think that helps.
LastPass is very safe if you follow best practices. If you follow bad practices with almost any security tool, it'll bite you in the butt.
So what are best practices? I think there's a lot of confusion. I don't know how many people saw there was an article in Ars Technica that was basically comparing average users versus security pros and what are your top five things you're concerned with.
And there was almost no overlap between those two groups. It was very interesting. So the average user, their number one priority for being safe on the internet was use antivirus software.
If you have been a factor that may have been a factor. Then their second priority, use strong passwords, that actually makes sense.
Change passwords frequently, that actually makes no sense. Only visit websites they know, that also makes no sense.
Exactly. And don't share personal information. If you're on the internet, good luck with that one.
And here's what the pros said. Their number one security tip: install software updates.
And a lot of average users resist installing updates. Now I understand, having worked in some large corporate environments, currently I'm at Ford, which you know is a multinational global company, is kind of the definition of a large environment.
I can understand the IT department says we're not going to roll out these updates right away, we want to do the due diligence to test them out.
I do indeed. At home I install my updates religiously. My wife has a Windows computer. I have one Windows computer. I have them set to automatically install any updates that come through.
I mean I could take the time to figure out which ones are really security related or not, but you know there's only so many hours in the day, you've got to pick your battles.
Now the second one, use unique passwords, very important.
And that's actually the way I put it when I did our password presentation previously. Then use two factor authentication, something I'm a big fan of.
Use strong passwords, and then number five on their list, use a password manager. Now my priorities map pretty well to what Ars Technica found the pros were recommending.
Now you can see the only point of overlap between the two groups was use strong passwords. So you know, average users get at least one thing right.
And God love them for that. But you know there's odd things: changing passwords frequently, only visiting websites they know, that's stupid.
Now for changing passwords frequently. Okay, they're average users, they see the IT department at work insisting that every 60 or 90 days they must change their password.
All right, I can see they might have internalized this is a good idea. It isn't. For what attack vector is that really a defense?
Yeah. So to me that's an example of, a lot of people will call that a best practice. What's the definition of best practice in the corporate world? If I do this I won't get my ass sued off, because that's what everyone else is doing. Doesn't have to make sense, it just has to be what everyone else does.
Now only visiting websites they know, it's not what the web is about, you know, and as websites slowly drop off due to link rot and just entropy, pretty soon I guess Google and ESPN would be the only websites they know anymore that are still around.
Well, you can get your Gmail. So look at the pros again: install software updates, use unique passwords, two factor authentication, strong passwords and a password manager.
Yeah. Yeah. So install software updates, number one on the pros list. I think this is a very important practice and there's a reason it's number one on the pros list. All right, I read every day the SANS Institute newsletter.
So I'm seeing what the latest security issues are, and I can't tell you how many times it's like, yeah, this site got hacked because of something for which a patch was released a year ago and they hadn't installed it.
You know, companies release security patches for a reason, because they've discovered a flaw, and nowadays when people announce that they've discovered a vulnerability, within hours there are people on the internet using it to try and take over computers.
So you've got to do this.
Well, don't get me started on Microsoft and security.
So I've never installed a .0 release. I'm there. Yeah.
Yeah.
Yeah.
Yeah.
Yeah.
Mike. Yeah.
That's why my wife's computer is configured to just install the patch and reboot.
As is my Windows computer. Hello. Nope, that might be next door.
Now two factor authentication. I think this is excellent security.
It does require a little more effort, because with two factor authentication, what you need to do, you have to, and in my case my phone is the second factor.
And I mentioned Duo Security. I learned about Duo Security from Mark Stanislav, who has spoken here a number of times, and if you get to hear Mark Stanislav speak, he's a great speaker, very knowledgeable.
And at one time he was working for Duo Security and that's how I heard about them, and you can get a free individual account with them.
And so that's a good way to get two factor for a lot of sites. Now the sites that offer two factor with Duo, they have to have some software.
So for instance on my WordPress websites I got a plugin from Duo that, if I put in my password on my website, then sends something to my phone and I have to say, no, I'm approving this login.
So what happens if your phone gets run over by a bus and it's going to be a week before you get another call?
I think first I went through having that on the phone with a Mac and doing the Google stuff. I have two factor on the Google stuff.
And so if I use a new device like a new phone and go into Google, the website gives me several options, one of which is a push to my phone, another one is to send something to my email account.
Yeah, if you're running with like Google Voice you can use the Google Voice, and if you're on up with an email with, you can end up with an email with your pass message.
So it'll push you to the Google Voice, and then if your phone's gone you can go and get your email to see what it has to do.
Yeah, Google will even go, you can play a landline for a voice phone and they will read a code out to you, and you can put out a set of one-time use special codes and you can have a set of them that you stick in your wallet.
So there are a number of ways, but I think it is to Google, that is where you are in Google secure.
It's, well, it's still a true factor, it's going in to Google from a new device and you don't have your phone with you, for instance you can use a separate piece.
And it's just my phone needed Google in order to get set up, but I think the idea that with two-factor authentication you have to have some backup plan on the second factor or it can.
Okay I should probably set up a backup and I didn't do that here.
But you can have you can have a backup phone or some other ways.
So there's an alternate method.
Yeah.
From the other, my standard is I only give my Google Voice number for everything.
Yeah.
And therefore I will get that message in multiple places.
So that's, and this is my Google Voice number that is in here.
So I think that that would probably cover it.
Now strong and unique passwords, which were two separate listings in the pros' recommendations.
They work together.
So strong, I did a whole presentation on, we got into the mathematics of it and everything else.
Long passwords with high entropy.
So ideally, you know, we're talking about like 20 character passwords that are random gibberish from the complete 96 character set of what the keyboard can give you.
Those are long and strong; they are by definition very difficult to remember.
If it's easy to remember it's not a strong password, is the way I look at it.
And obviously if you have to memorize that, the average person is not going to do that.
I mean they won't do that for their bank account.
Let alone any of the other websites they might be interested in.
So that's why a password manager was the last thing on the list: security pros recommend a password manager.
Because you can have strong and unique passwords.
And oh, by the way, LastPass also has a number of two factor things, including Duo Security.
But it was hacked, so what does that mean?
I don't think it is a problem, because I took a look at how does LastPass manage their process.
And what did the intruders actually get? Now the thing that we have to understand, you know, security is a layered process.
No security professional will ever say I can guarantee you will never have an intrusion. They won't do it.
But Schneier has a company based around the idea that how you respond to an intrusion is what matters.
And I pay a lot of attention to Bruce.
Well yeah, the only computer that's safe is one that is powered off, has no network connection, and is locked in a vault.
And you still have to worry about who had the combination to the vault.
The question is how you handle the things that happen.
And LastPass handled it well.
So here's the, they got this out on the blog pretty quickly.
In our investigation, we found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed.
So that was not the issue. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.
There's no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed.
But these other things were compromised.
Yeah.
Okay. So what is this telling me? First, they segregated their network.
This is an excellent security practice.
If someone gets into a piece of your network, that shouldn't give them access to everything.
Contrast that with Sony, where once the Koreans got into Sony they had access to everything in Sony.
You know, you just get past the first line of defense and they were just totally compromised.
So good network segregation.
And in a good IT department you're going to have barriers put up as to what people can access.
And you know we talk about things like role based authentication and access rights and things like that.
Now what are the things that you have to store on something like LastPass?
Now the way LastPass works is that you access LastPass over the internet.
So it's a remote site.
If you don't like that, when I did my presentation on passwords I said if you can't handle that then you put something like KeePass on your local machine and that's all you ever use.
I like being able to access my passwords anywhere I am.
There are times when that's very handy.
Now given that that's what they're doing, how do they do it in a way that makes sense? Well, you know, they have to have the password hint.
Now one of the things that when people store any kind of password information, there's usually some sort of hint. That's good if you forget your password, it's going to jog your memory.
The password in, for the master password, is your email address. They have to have that, that's part of your login, that's really your account name as much as anything. Per user password salt.
Now per user password salt, what that means is they take the other password information and then they add a random number to it and then hash that together.
Well, they have to know what that salt is, because otherwise the next time you log in they need to be able to add that same random number, hash it and compare the hash.
And then of course the resulting hashed password values, they have that, and finally all of that turns into a key that creates an encrypted database.
So LastPass has all of those things there, and the key, the encrypted database, was in a completely different network segment.
So the people who got in never got anywhere near my password vault.
That's a good thing.
So they would have had to do a second successful attack.
So you know, I don't know what the actual odds are, this is just an illustration of why this is a good security practice.
If you have a one percent chance of being successful on any given intrusion.
If you've got to do it a second time, that now takes you to a point zero one percent probability of being successful.
So I'm hoping that if you do things right, and LastPass does, that the actual probabilities are somewhat lower, but I'm not a security professional.
It depends on if they're exploiting a bug somewhere that is common every time.
Right.
Knowing exactly how they broke it.
It has to be a bug that is common to everything, which the site owner either doesn't know about or is too stupid to deal with.
Yeah.
Most of these are social engineering attacks of one kind or another.
I mean, that's what killed RSA: they were able to get some secretary to click a link.
So this is the stuff they got.
They got the email addresses, the password hints, the salts and the password values.
So why is this not so bad? Well.
This is where, and I got this from Bruce Schneier.
He did a book called Beyond Fear, published in 2003.
And what that book was about was saying, well, you know, there was this thing that happened in 2001 you might have heard of called 9/11.
And he was sort of looking at it and saying, okay, everyone's freaking out and they're being really stupid because they're not thinking.
And so I call this the Schneier model, and I have an article all about that.
The countermeasure needs to work against the threat you have identified.
And this is really important. Bruce really hammers that point: what is it you're trying to protect yourself against?
I think it was Clausewitz who said a general who defends everything defends nothing. You know, if it's like I want to protect myself 100% against everything that can possibly ever happen.
You don't have that kind of money, and yeah.
So what you have to do is you have to think logically: what am I trying to protect myself against?
If, say, the NSA was behind this, there's no evidence that the NSA was, by the way.
And if they had specifically targeted you as a person of interest you might be at risk.
Now I say might.
I remember doing a presentation here where I had several people in the room swear that the NSA's got more money than God, they can do anything they want, and I said no, they cannot violate the laws of physics and mathematics.
They can't do that.
And if you think about it, you take a look at all of the things we've learned from Ed Snowden's revelations, it's clear they can't just do anything. You know, they're storing up a lot of stuff because someday they may be able to decrypt it. They can't decrypt it now, but they're storing it.
And they've got a lot of other interesting kinds of ways of trying to sneak key loggers onto your computer and stuff like that.
So, and that's why I say, if the NSA is specifically going after you, your LastPass account is not your biggest problem.
Okay, and as I say, you should be studying Edward Snowden like a rabbi studies scripture.
The threat that I worry about is that a password that I use for a site could be grabbed by a criminal. That's what I want to protect myself against.
Because these are people who might want to use my passwords to access my bank account, to take out credit cards in my name, do an identity theft. I mean, those are things for me to realistically be concerned about.
So that's a manageable threat. You may have heard the story of the two campers who, you know, they're in a tent and they hear the bear rummaging around the campsite and one of them looks for his sneakers.
His friend says it's no use, you can't outrun a bear, and he says I don't have to, I only have to outrun you.
So you know, I'm not trying to stop the NSA, I'm trying to stop criminals that are trying to grab passwords, and those attacks are fairly common.
So let's understand the salted hash. This is your first level of defense.
I suppose your password could be the first level, but you know passwords by themselves just don't do a lot these days, and I imagine with biometrics we'll be beyond passwords one of these days, but for the moment we're still stuck with them.
So it adds a random number, that salt. That random number must be stored on the same server as the hash, but it gives you an enormous amount of security against dictionary attacks, which is what you should be concerned about.
Yeah.
Yeah.
Well, let's think about what a dictionary attack is, and people do this all the time. This is what everyone did with the Ashley Madison database recently, they did a dictionary attack.
So every known password, you've seen these lists, people who use as a password "password" or "123456" or "Batman". For some reason "monkey" ranks high on that list and I don't know why; there's probably some interesting psychology behind that, but who am I to say.
So they take all of the, you know, every word in the dictionary and every common variation. You're going to substitute numbers for letters, they know that, they get all of that in the dictionary.
You're going to put three words together, they know that. We're talking computers here, you can do a lot.
Exactly.
Sure, and that's it, that's really the point, it's a numbers game.
So what they do is they take all this stuff, they create hashes. Now the hashing algorithm is known, there's nothing secret about the hashing algorithm, and then they can create this dictionary. Then all they have to do is a lookup: here's a hash I got from this database I downloaded, here's a hash in the dictionary, do they match? Computers can do that kind of stuff really fast.
When they match, now you know what the password is. Now if there's a salt added to each password, even if the salt is known and tied to the user, it forces them to create a dictionary for every possible salt.
So if you've got a million users and you've got a random salt for each one of those million users, they now have to do a million dictionaries to try this attack.
So if they get the database and it's really hard to deal with, they'll move on to another database. If it's easy to deal with, they'll get the 50, 60, 70%.
I just want to be in the 30% they can't get.
So storing the salt on the server is not a problem, that's how everyone does it, and it really does add to security because of the amount of computational resource necessary to deal with that problem.
Now someone wants to say hey I heard about this quantum computing thing and I would just point out I have also seen some very interesting research on quantum cryptography most knives will cut both ways.
Now the hashing algorithm added even more, because they used SHA-256. SHA stands for secure hashing algorithm, they use the 256 bit, so let's just say this is good, all right, this is not a weak one.
Now I saw, a couple of years ago, there was a story that got a lot of attention for a while about how, oh, we can crack all of these passwords, nothing is ever safe, and I read the article: MD5. MD5 isn't secure, nobody uses it for security and hasn't for years, it's known to be weak.
The only thing people use MD5 for now is verifying the accuracy of your downloads. It's a very good way of knowing if you've had a bit flip when you download an ISO file, for instance.
A single bit flip will throw off your MD5 hash, though, and that's the whole point. So you have a client side algorithm with LastPass.
And what does the client side process look like? All right, you create a vault. A vault is just a little database, it's a file of your passwords and some other information. You can put notes in there if you wish, like some sites want you to start putting in stuff like the town you were born in.
Like this is going to provide security. Do you remember Sarah Palin's email account getting hacked? And it was because you could look up all that stuff.
Security questions are stupid. Places insist on them, right, so in that case you probably want to write down what you gave as an answer, so you can store notes and stuff like that. So you create this little database, it is secured with a master password.
This is the key, your master password. You do this right, you're fine. You screw it up, doesn't matter how many other things you did right. You know, I remember seeing, I think it was an FBI agent, who said crooks have to get it right 100% of the time, we only have to get it right
from time to time and we'll catch them. You know, so you've got to get this right. Now one of the things you can do, this, you're an idiot if you do, but what you can do, you can set up LastPass to automatically remember your master password so you don't have to type it in.
You ruin the whole point of the master password. So master password needs to be long and strong. Now once you create that, it's hashed together with your user name, which is frequently your email address or something like that, using SHA-256, which is a very good hashing algorithm at this point. I say at this point because
if you take a look at what NIST says about this stuff, they estimate how long it'll be good for, and so current state of the art hashing algorithms, they're saying probably last until about 2030.
Computers get faster, things change, researchers discover stuff, so you've got to kind of keep up with this a little bit. Now this hashing on your side is done multiple times. The default setting is 5000, but you can change it.
And the client side process creates a key which is hashed again and sent to the server. The server then adds the random salt, then hashes it another hundred thousand times.
And you know, why do you do the hundred thousand hashes and all of that? That just takes time. You know, the bad guys have to do it a hundred thousand times for every single password in their dictionary; it will just take them longer to do it. That's really what you're buying here.
And then that creates the encryption key, and that's used to encrypt your database. LastPass does not have your key.
What it can do is it can recreate it when you enter your master password.
So I remember setting up my wife with LastPass, and then a few weeks later, honey, I don't think I remember my password. Well, I hope you can recreate your database, because I'm not getting it back for you.
Now I once had a situation, and I don't remember now why, I decided my master password wasn't good enough, I was going to change it, and I emailed myself a hint as to what it was. Two days later I couldn't remember what it was I had done.
So what I could do, I went back to LastPass and it said, we have a copy of your database from a week ago.
Do you want to try that? Well, that was before I changed it and I remembered that password. I didn't lose anything.
Yeah, so I did get it back there, but you know they don't have it, and that's important. So you know, if the FBI shows up with a subpoena or a warrant or whatever, they can say sorry. Indeed, indeed.
So they really don't have your key. Now could it be cracked? Well, let's think about the process. In order to crack, say the government shows up with a subpoena, what can LastPass give them? Well, LastPass can tell them this is what we do server side, we do this many hashes,
this is the salt, this is the user name, these are all components of the process, but it's combined with a master password that we do not know.
And without that master password you cannot recreate the key. And oh, by the way, if you want this binary blob we can give it to you, but we can't decrypt it.
Your master password is really important.
So yeah, I've already been down the road of what happens if you lose your password.
Now hashing is a well defined algorithm. It's completely reversible if you have all of the parameters.
Adding security basically means making those parameters as difficult as possible for an opponent to recover, and taking advantage of the fact that hashing does require some amount of resource, and doing it for millions and millions of passwords is not trivial.
Yes.
I don't know what that means, it's reversible if you have all the parameters that are really brisk and you've got it right there.
If you have everything that went into creating the encryption key.
There are reversible hashes and there are non-reversible hashes.
Some hashes don't lose anything and you can run them to get back the same thing.
Yeah.
Yeah.
This is not public key private key cryptography, and I did a whole, actually that's the presentation I'm going to do at Ohio Linux Fest.
But yeah, typically with public key cryptography, because it is very inefficient, you only use it to encrypt a symmetric key, because symmetric keys are much more efficient to actually work with.
That's the whole thing of Diffie-Hellman-Merkle key exchange.
So if an intruder gets in, and now in this case they never even got to the database of data, but let's say they get the database of hashes.
They use the prepared dictionary of passwords that are already hashed, they run a comparison, they get hits, and they don't need to find every password, just enough to be profitable.
That's how this works.
So what are the success percentages?
Okay, I mentioned this study about cracking passwords that used MD5, but if it's done badly, success rates of as much as 70% are not really uncommon.
And you just want to be in that other percent that they can't get.
So how do you erect barriers?
Well, number one is your master password.
Now the whole idea of a password vault like LastPass is you don't need to memorize all of your long, strong, secure, high entropy passwords.
You only need to memorize one.
Well, pay attention, as we said, if you forget it. Now again, understand your threat model. If you have a long complicated password.
Should you write it down? Depends. What threat are you guarding against?
Yeah, so again this is understanding the threat model. Remember I defined this as I am protecting myself against an intruder who's grabbing
an entire database and is going to try and get 50, 60, 70% of those passwords through cracking.
If I've got mine in my wallet, is that intruder going to get it?
Sure.
So my point really is defining your threat and thinking rigorously about
the threat you're protecting against. Now if I've got my password in my wallet and I get arrested and the FBI, then I've got a whole other scenario to deal with.
That's a different thing.
Well you don't.
And you know, one of them is, you write down part of it and there's a piece that you can always remember that you tack on, or something.
You know, there's various ways of doing it.
Now if I'm in Edward Snowden territory, it's a different ball game.
I'm not trying to be another Edward Snowden.
I'm amazed he did as well as he did.
I mean, the dude just didn't screw up anywhere.
And that is just so freaking hard to pull off.
Okay, now changing defaults.
This is one a lot of people miss. Remember I said that LastPass does 5000 rounds of hashing by default on your local machine.
That's information that could be used by an intruder if they were trying to create a dictionary.
It's, well, we'll just do the same process, right.
It doesn't have to be 5000, you can change it to any number you want.
Change the default to something bigger, and don't make it a round number.
Just make it something that no one is going to guess that you did.
Okay, I mean, I think they got into this to some degree in that movie about Turing and the British code breakers, but you know it's very interesting, and there's a great series of videos called Computerphile.
On YouTube, they had a number of things about code breaking, and they get into how that was, like, there's some little piece of information.
You know, the big weakness of the Enigma machine was, it turns out, you could never encrypt any letter as itself.
And that was just enough of an additional piece of information that they could start building up ways of cracking it.
So the thing is, you want to get rid of information in the hands of your opponent as much as possible.
So if they don't know how many times it was hashed on your machine, you've just gained extra security now.
LastPass does warn you not to get too big. Try it out.
I mean, if you have to go make a cup of coffee in the time it takes LastPass to open because you're doing so many hashes, maybe it's a bit extreme. You know, I've gone into the 20,000 range.
You know, I don't have the latest most powerful computers necessarily, but it seems to work okay.
I haven't had any problems yet.
Unique. Okay, your LastPass password should be one you never use on any other site, period, full stop.
Remember that, you know, the common problem with reused passwords is that because people do stuff like that, crooks expect it.
So very often what will happen is, you know, they'll get a Target password, that's like a Target, you know who gives it down about Target.
But, well, I'll use the same password for my bank, and they said, well, let's try this password at the bank and see if it works.
Oh, we got in, you know.
What, that, yeah.
Yeah, yeah.
You know, the most ironic one in those top passwords is "trust no one", which appears on the list. Irony is wonderful.
So what your password does: every time you open LastPass you log in with your master password, your client software combines that with your username, hashes it the number of times you specified to get your key, that is then sent to the server where a known salt is added.
And it's hashed 100,000 times and finally your password vault is opened.
So is this enough? Well.
You have a very strong master password.
And you have changed the default settings for client side hashing.
You know, LastPass is using a pretty good algorithm here, they're doing their part.
That's not bad.
But there's always that one more thing, and that for me is the two factor authentication.
So if I need to open my LastPass vault.
I have to approve that, and it's something Duo Security has.
And basically what it is, you go to Duo and they give you a piece of code for LastPass, and you go to the LastPass site, to your account, and you paste in this code.
Basically it says, you know, if ever I try to log in, go through Duo Security, and Duo Security knows this is where they need to push
the notification that I need to then say yes, I approve this.
So I can't log in to LastPass without approving it.
Can you log in to LastPass not just the first time on a machine?
If I have logged on to LastPass it stays open until I reboot.
So as soon as I reboot I've got to go through that process again.
It's, you know, back in the old days we used to call them TSRs, but I mean it's just sitting there as a process in the browser that's running all the time.
Which is the way it's supposed to work. The idea is that LastPass, when I go to a website, is going to put in my login credentials for me.
That's why it's good, because I can have secure strong login credentials without having that burden of memorizing, or, you know, frankly it's a burden to type a lot of this stuff.
So I would say in conclusion then that four of the top five strategies used by security pros are addressed by LastPass.
I can have unique passwords, two factor authentication, strong passwords, and all managed by a password manager.
That's pretty good. Now I pay for a premium account, that's all of $12 a year.
I could probably get by with, I think at one point they were saying that if you wanted to have it on your phone you had to have a premium account.
I think they have since removed that, but you know, 12 bucks a year, I use this constantly.
I would like them to stay in business.
Yeah, and you know, when you come right down to it, I make good money.
Being a project manager for Ford has gotten me out of the soup kitchen lines.
Pitfall.
You've been listening to Hacker Public Radio at hackerpublicradio.org.
We are a community podcast network that releases shows every weekday, Monday through Friday.
Today's show, like all our shows, was contributed by an HPR listener like yourself.
If you ever thought of recording a podcast, then click on our contributing link to find out how easy it really is.
Hacker Public Radio was founded by the Digital Dog Pound and the Infonomicon Computer Club, and is part of the binary revolution at binrev.com.
If you have comments on today's show, please email the host directly, leave a comment on the website or record a follow-up episode yourself.
Unless otherwise stated, today's show is released under the Creative Commons Attribution-ShareAlike 3.0 license.
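Added example, appended after the transcript and not part of the talk or of LastPass's own code. It models the two-stage process the speaker describes: the client stretches the master password together with the username (5,000 rounds by default, user-adjustable), the server adds a random per-user salt and stretches another 100,000 rounds, and only the final authentication hash is stored. PBKDF2-HMAC-SHA256 is assumed as a stand-in for "hash it N times"; the function names, usernames, passwords and salts are constructed for illustration. The last function goes a step beyond the talk by counting the hash rounds an attacker must spend on a leaked table, which makes the "million users means a million dictionaries" argument and the benefit of a non-default client round count concrete.

```python
import hashlib
import hmac
import os

# Round counts quoted in the talk: 5,000 client-side by default (the user can
# raise it) and a further 100,000 on the server after the per-user salt is added.
DEFAULT_CLIENT_ROUNDS = 5000
SERVER_ROUNDS = 100_000


def client_key(master_password: str, username: str,
               client_rounds: int = DEFAULT_CLIENT_ROUNDS) -> bytes:
    """Client side: stretch the master password together with the username.

    Assumption: PBKDF2-HMAC-SHA256 with the username as salt stands in for the
    talk's "hash the master password with your username N times". This is a
    model of the described process, not LastPass's actual implementation.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               username.lower().encode("utf-8"), client_rounds)


def server_hash(key: bytes, per_user_salt: bytes,
                server_rounds: int = SERVER_ROUNDS) -> bytes:
    """Server side: add the random per-user salt and stretch again before storing."""
    return hashlib.pbkdf2_hmac("sha256", key, per_user_salt, server_rounds)


def enroll(username: str, master_password: str,
           client_rounds: int = DEFAULT_CLIENT_ROUNDS) -> dict:
    """The per-account record the server keeps: username, random salt, auth hash.

    Neither the master password nor the client key is stored, which is why the
    server can rebuild nothing without the master password being entered again.
    """
    salt = os.urandom(16)
    auth_hash = server_hash(client_key(master_password, username, client_rounds), salt)
    return {"username": username, "salt": salt, "auth_hash": auth_hash}


def verify(record: dict, master_password: str,
           client_rounds: int = DEFAULT_CLIENT_ROUNDS) -> bool:
    """Login check: redo both stretching steps and compare in constant time.

    A client round count that differs from the one used at enrollment yields a
    different key, so a guesser who assumes the default gets no match either.
    """
    candidate = server_hash(client_key(master_password, record["username"], client_rounds),
                            record["salt"])
    return hmac.compare_digest(candidate, record["auth_hash"])


def guessing_work(num_users: int, dictionary_size: int, per_user_salt: bool,
                  client_rounds: int = DEFAULT_CLIENT_ROUNDS,
                  server_rounds: int = SERVER_ROUNDS) -> int:
    """Cost model (in hash rounds) for an offline dictionary attack on a leaked table.

    Without per-user salts one precomputed dictionary serves every account; with
    them the whole dictionary has to be recomputed per account, and every guess
    costs client_rounds + server_rounds. Raising either round count scales the
    total linearly, which is the "it just takes them longer" point in the talk.
    """
    rounds_per_guess = client_rounds + server_rounds
    tables = num_users if per_user_salt else 1
    return tables * dictionary_size * rounds_per_guess


if __name__ == "__main__":
    # Constructed sample accounts; both users chose the same master password.
    alice = enroll("alice@example.com", "correct horse battery staple")
    bob = enroll("bob@example.com", "correct horse battery staple", client_rounds=20_000)
    print("alice logs in:", verify(alice, "correct horse battery staple"))
    print("same password, different stored hashes:", alice["auth_hash"] != bob["auth_hash"])
    print("bob checked with the default round count:", verify(bob, "correct horse battery staple"))
    print("bob checked with his real round count:", verify(bob, "correct horse battery staple", 20_000))
    print("work, 1M users x 1M guesses, unsalted:", guessing_work(10**6, 10**6, False))
    print("work, 1M users x 1M guesses, salted:  ", guessing_work(10**6, 10**6, True))
```

Running the module shows that two users with the same master password end up with different stored hashes, that Bob's record only verifies when his own client round count is used, and that the salted table costs a million times more guessing work than an unsalted one of the same size.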