LastPass Adds Free Grid Protection
by walter on Jan.11, 2010, under Chrome, Firefox, IE, Safari
LastPass is a secure online password vault that keeps track of all your various passwords automatically. LastPass and similar programs have been vulnerable to keyloggers and screen capture programs that could capture the single master password, giving a hacker access to all the other passwords. For some time, LastPass has offered paying users what it calls multi-factor authentication systems, which overcome these potential breaches. It is now giving non-paying users the benefit of multi-factor authentication with its Grid system.
Why LastPass?: Most internet users don’t have secure passwords, or they use the same password at multiple sites. The key benefit to a program like LastPass is that you can use very strong passwords, which it can create for you, that you could never possibly remember. And you can use a different one for every site that requires you to log in. Its system is safer than those built into Internet Explorer and Firefox, and is synced across all computers where you’ve installed its browser plugin. Plugins are available for IE, Firefox, Chrome and Safari. Your vault is also accessible through the LastPass website. Access to the LastPass vault is provided through one master password that hopefully you make very strong, yet memorable.
When you visit a website for which you’ve previously stored a password, the plugin will put an indicator into the username and password blanks and prompt for your permission to fill in that information. Or you can choose the site you wish to visit from LastPass’s site list and it will go there and log you in with one click. A benefit of this is that if you accidentally browse to a phishing site, LastPass won’t offer to fill in the data because it won’t recognize the site.
The Vulnerability: The trouble with a single password that provides access to all your others is the danger of it being captured by a keylogger. To combat that possibility, LastPass has long provided a virtual on-screen keyboard, but even that has the potential to be breached by a screen recorder. A real-world example of such a thing is likely at your public library, where VNC remote software on public terminals is commonly used by library staff to control their systems. With such software installed, library staff could conceivably watch your screen without your knowledge.
Multi-Factor Authentication: An answer to this vulnerability is authentication that requires some additional bit of information that someone who has stolen your password won’t have, such as some physical object that you carry with you. The newly launched Grid is a multi-factor authentication system for users of the free software. Paying users may use it too, and they also have access to other systems, including special USB thumb drives that act as keys. If a user chooses to use the grid, LastPass will generate a grid of random characters, which you then print out and store in your wallet. From an untrusted machine, you log in with your master password and then supply the characters at four requested positions on your custom grid. If you can’t provide those characters, you can’t finish logging in. From a trusted machine, like at home, you can specify that no grid is required. With this multi-factor authentication enabled, even if someone steals your master password, they can’t get anywhere with it. Here’s a screencast of how it works.
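The grid check described above can be sketched as a small challenge-response routine. This is an added example, not LastPass code: the grid dimensions, alphabet, coordinate labels and all function names are assumptions, and only the four requested positions and the trusted-machine exemption come from the article.

```python
import hmac
import secrets
import string

ROWS, COLS = 10, 26      # assumed grid size; the article does not give one
ALPHABET = string.ascii_lowercase + string.digits  # assumed character set
CHALLENGE_SIZE = 4       # from the article: four requested positions


def generate_grid(rows=ROWS, cols=COLS):
    """Build the printable grid from a CSPRNG, one character per cell."""
    return [[secrets.choice(ALPHABET) for _ in range(cols)] for _ in range(rows)]


def new_challenge(grid, count=CHALLENGE_SIZE):
    """Pick distinct random cells to ask for, as (row, col) pairs."""
    cells = [(r, c) for r in range(len(grid)) for c in range(len(grid[0]))]
    return secrets.SystemRandom().sample(cells, count)


def cell_label(cell):
    """Coordinate shown to the user, e.g. 'C7' (column letter, row number)."""
    row, col = cell
    return f"{string.ascii_uppercase[col]}{row}"


def verify(grid, challenge, answers):
    """Compare the typed characters with the grid cells in constant time."""
    if len(answers) != len(challenge) or any(len(a) != 1 for a in answers):
        return False
    expected = "".join(grid[r][c] for r, c in challenge)
    supplied = "".join(answers).lower()
    return hmac.compare_digest(expected.encode(), supplied.encode())


def login(grid, master_ok, challenge, answers, trusted_machine=False):
    """The grid is a second factor: it never replaces the master password."""
    if not master_ok:
        return False
    if trusted_machine:          # user opted out of the grid on this machine
        return True
    return verify(grid, challenge, answers)
```

Because each login draws fresh cells, someone who recorded one session has seen only four cells of the grid and cannot answer a challenge that asks for others.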