LastPass.txt 08/02/13

LASTPASS - A PASSWORD MANAGER
=============================

The Problem:
Everything you do on the Web wants a UserId and a Password.
The following are the rules for a 'safe' password:
  1. At least 9-12 characters long; more is better.
  2. Do not use names or words in the dictionary.
  3. Mix capitals, lower-case, and special characters.
  4. Use a different password for each login.
  5. Do not write the passwords down or save them on your PC.
These rules are not doable by humans.

A Solution - LastPass:
----------------------
What is LastPass?
It is a Plugin (or Addon, if you prefer) for Web Browsers that
  a. Remembers your UserId and Password for each site.
  b. Automatically plugs them in when you visit the site.
  c. Makes the list available on ALL your devices and ALL browsers,
     for all OSes and all Devices.

Walk-Through:
-------------
1. Install LastPass on your computer.
   www.lastpass.com
   Lastpass_x64.exe - plugins for IE, FireFox, Chrome, Safari, Opera
   Getting Started video: (1:41)
   https://lastpass.com/support_screencasts.php?feature=basic
   Install will automatically pick up all currently saved passwords.
2. On any browser, log in to LastPass.
   Click the (black) icon, enter the master password; the icon turns red.
3. Using LastPass
   Go to a Website you use, e.g. wordpress.com
   LastPass will fill in the UserId and Password, WITH RED LOGO.
   Hit 'Enter' and you're in.
   Go to another browser. Log in to LastPass (if needed).
   Everything is there!!
4. Adding Websites:
   Go to the Login dialog on a new site.
   Enter your UserId and new Password.
   A 'LastPass toolbar' appears; click 'Save'.

How Does It Work?
-----------------
Ids and Pws are saved in the cloud, encrypted.
LastPass itself does NOT have the key and cannot decrypt your passwords.
The decryption key is generated from the 'Master' password you give
LastPass, which is NOT saved in the cloud. So,
  a. The Passwords are in the cloud, not on your computer.
  b. The key is on your computer, not in the cloud.
Alternate Walkthrough (if no connection available)
  Demo1.jpg  Normal log-in to a website
  Demo2.jpg  Click the Save in the toolbar
  Demo3.jpg  Fill in site name and group
  Demo4.jpg  Next login with LastPass fill-in

The Vault:
----------
Click the LastPass icon and click Vault
  'Recently used' folder
  Group folders
    Create your own category folders in 'Create Group'
  Actions
    Edit (pencil), Share (arrow), Delete (trashcan)
  Edit
    Complete url of the login page involved
    Enter a Name that describes it for you
    Assign the entry to a Group (down triangle)
    Generated password: edit.yahoo.com

Names and Groups:
-----------------
Default name is the URL. You define the groups.

Other Computers:
----------------
Download and install LastPass. Login. Voila!
Available for Android, iOS, Windows RT, MAC, etc.
Premium is $1/month (= SCG!) = USB Keys, One-Time Passwords

The Results
-----------
Cross-Browser:
  Downloading LastPass should install it in all your browsers:
  IE, FireFox, Chrome, Opera, Safari, and Maxthon.
  Set up a PW in one browser and all others know it right away.
Cross-Machine:
  On each other device, download/install LastPass or its App.
  Bingo, you have all your id's and passwords.
Synchronizing: you don't need to, it's in the cloud.
Problems:
  Some browsers are old versions.
  Some AV programs or ISPs may block it.
  If no Internet, then no LastPass. But then you don't need one!!
Other Features:
  Generating 'good' passwords.
  Filling in Forms: data is built automatically - use it if you wish.

-----------------------------------------------------------------
Security Discussion by Steve Gibson: (SpinRite and ShieldsUp)

So the way this works is, the reason I'm using it, is I now understand how it works and why it's absolutely trustable, is that very much like Jungle Disk, which we've talked about in the past, all the encryption is done locally. That is, at no point does LastPass receive anything other than what looks like a block of pseudorandom noise.
We've talked about how, when you take so-called plaintext, the normal readable, human readable, your username as an email address and your actual password, and you encrypt it with a good cipher, it turns it into, under the influence of a key, which is the key to the whole process, under the influence of the key, it turns it into noise, absolute pseudorandom bits that mean nothing. So that's what the LastPass system gets and saves. It is absolutely no use to anyone because they never get the key. And they've gone to great lengths to arrange never to get the key.

When you log into their system, you do so with your username, which is your email address, and your password. That's put together, it's concatenated into one long string. They sanitize the username a little bit. They lowercase it, and they remove the so-called white space, you know, spaces and things. That just makes it a little more robust. The password they don't change at all. So that remains case-sensitive, and special characters and things can be in there. They leave that alone.

So the idea is that when you log in, when you give your system your LastPass username and password, the first thing it does is it runs it through this SHA - it lowercases the email address, removes the white space, adds the password, and then it does this hash to it, turning it into a 256-bit blob which tells the blob holder nothing about your username and password. It's just like it's been digested into this thing. In fact, hashes are called "digests," also, for that reason. What that is, is that is your cryptographic key. That's the key which your system will use, both to encrypt your data which is being shared with LastPass Corporate, and also to decrypt it when LastPass Corporate sends this back to you. They're holding the encrypted results of your own personal database, just because that's what they do.
That's the service they provide, essentially, that and creating all these amazing plug-ins for everything anyone's ever heard of. So but what they're holding, they have no ability to decrypt. They never get the key. That never leaves your system.

https://www.grc.com/sn/sn-256.htm

LastPass Pocket:   Saves encrypted Vault to USB stick.
LastPass Portable: Run FireFox/Chrome portable from USB stick.
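The following is an added example, not LastPass's code and not part of Steve Gibson's discussion. It models the scheme the discussion describes: the key is derived on the client from the lowercased, whitespace-stripped email plus the untouched master password, the vault is encrypted locally, and the server stores only the resulting noise. The HMAC-counter stream cipher, the sample vault and the nonce handling are assumptions for illustration.

```python
import hashlib, hmac, json, os
# Added example modelling the scheme the passage describes: the key is derived locally
# from the sanitized email + master password, and only ciphertext reaches the server.

def derive_key(email: str, master_password: str) -> bytes:
    """Lowercase the email, strip its whitespace, append the untouched password, SHA-256 it."""
    sanitized = "".join(email.lower().split())
    return hashlib.sha256((sanitized + master_password).encode("utf-8")).digest()

def _subkey(key: bytes, purpose: bytes) -> bytes:
    return hmac.new(key, purpose, hashlib.sha256).digest()  # separate enc and mac keys

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: an illustrative stand-in for LastPass's real cipher.
    blocks = [hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def encrypt_vault(key: bytes, vault: dict, nonce: bytes) -> bytes:
    """Encrypt on the client; the returned blob is all the server ever stores."""
    plaintext = json.dumps(vault, sort_keys=True).encode("utf-8")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag

def decrypt_vault(key: bytes, blob: bytes) -> dict:
    """Decrypt on the client; a wrong master password or a tampered blob fails the tag check."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong key or tampered blob")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return json.loads(bytes(c ^ k for c, k in zip(ciphertext, stream)).decode("utf-8"))

SAMPLE_VAULT = {"wordpress.com": {"user": "alice", "password": "Tr0ub4dor&3"}}  # constructed

def demo() -> dict:
    # Same user on two browsers: sanitization makes differently typed emails yield one key.
    key_pc = derive_key("Alice@Example.com ", "correct horse")
    key_phone = derive_key("alice@example.com", "correct horse")
    blob = encrypt_vault(key_pc, SAMPLE_VAULT, os.urandom(16))
    try:
        decrypt_vault(derive_key("alice@example.com", "wrong horse"), blob)
        wrong_rejected = False
    except ValueError:
        wrong_rejected = True
    return {"keys_match": key_pc == key_phone,
            "server_sees_plaintext": b"alice" in blob or b"Tr0ub4dor" in blob,
            "round_trip_ok": decrypt_vault(key_phone, blob) == SAMPLE_VAULT,
            "wrong_password_rejected": wrong_rejected}
```

The single unsalted SHA-256 is used because that is what the passage describes; a deliberately slow, iterated derivation such as PBKDF2 is what a practitioner would choose today so that a stolen blob resists offline guessing of the master password.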