Apr 19, 2013

For the Love of Security: End-of-Week Link Round-Up

This week we were particularly intrigued to hear of new internal security efforts by Twitter. Their head of security Bob Lord recently discussed that chief among their efforts have been the company-wide enforcement of the use of password managers.

Noting that password managers will allow employees to follow best security practices and generate strong passwords without writing them down, Twitter reported that after an initial phase of set-up and training, employees responded positively to the use of password managers and would continue to use them.

Twitter also engages in simulated phishing campaigns to see if their employees would take the bait. Lord stated that it's been a process in learning how to effectively teach employees about online security, while the employees are also learning how to stay safe.

We commend Twitter on its efforts to improve the security of its company data and educate employees, while providing a tool that allows them to achieve their goals. We hope this becomes a greater trend!

A few other articles that caught our eye: 
  • Symantec security report reveals attacks up and spam down << According to Symantec's 2013 security report, small and medium businesses are now an increasing target (which is where LastPass Enterprise can help), and threats on social media continue to climb. Spam, though, is on the decline.
  • Online security threats are shifting in 2013 << Trustwave's 2013 Security Report highlights the global effect of online security threats, and brings home how it affects each individual, even if you think you "don't have any data worth stealing." Notable is the slow detection of a breach - with businesses, the average time of detection and containment is 210 days. The report enforces the need for strong workplace policies and tools, including the use of strong passwords and an effective way to manage them.
  • Affordable brainwave sensors could make typed passwords obsolete << A team at UC Berkeley are tackling the issue of passwords with a headset with a built-in electroencephalogram (EEG), that allows users to authenticate using only their brain waves. The password isn't going anywhere just yet, but this is some fascinating tech!
And can you believe it?

We love Ellen's comments on the absurdity of this password commercial that was recently making the rounds on social networks. We think she pretty much nails it - if only LastPass was mentioned as the real solution!

What caught your attention recently? Share in the comments below!

Enjoy the weekend,
The LastPass Team  

Apr 16, 2013

WordPress Blogs Attacked: What You Need to Know

Reports of an attack against WordPress and Joomla sites spread through the tech community this weekend, as a large botnet launched brute-force, dictionary-based login attempts on user accounts. According to researchers at hosting companies like CloudFlare and HostGator, some 90,000 IP addresses were involved in the latest series of attacks, leading them to speculate that the overarching goal is to expand the botnet of infected computers to potentially create a super botnet. With some 18% of websites running WordPress, the potential scale is enormous.

Although the attack is no longer breaking news, we wanted to alert LastPass users and clarify what you should know:
  • The attack is focusing on common account usernames - admin, test, administrator, Admin, root - and is systematically testing common passwords to break in to accounts with those usernames. The top five passwords attempted in the hack are "admin," "123456," "111111," "666666," and "12345678."
  • The goal is not a data dump of user accounts - this is a large-scale attack that aims to take over a user's machine, using the server as a stepping stone in order to add it to the botnet's arsenal. A network of compromised machines can wreak havoc in a distributed denial-of-service (DDoS) attack.
  • If you are a WordPress user using CloudFlare, you are protected from the latest attack, according to their blog post.
The best steps LastPass users can take at this time:
We'll update our users if any further action should be taken. As always, be vigilant and protect your most important accounts.

Apr 15, 2013

Master Those Complicated Logins with "Save All Entered Data"

Did you know that there are over 600 million websites on the Internet, with over 50 million added in the last year alone? That's a lot of information - and a lot of potential usernames and passwords!

Although LastPass is designed to efficiently save your logins for the majority of websites, it's inevitable that a few prevent LastPass from properly auto-saving your credentials.

There are three common reasons why LastPass is not able to save your credentials:
  1. Extra security: Bank and financial websites have added security measures, including preventing auto-filling of data, requiring keystrokes before data can be entered, and more. They're designed to prevent malicious activity but also make it hard for LastPass to appropriately detect and fill your logins.
  2. Additional form fields: Sometimes LastPass will pick up extra fields on a page that will complicate the login process, or LastPass can't detect additional fields that you do want it to save and fill.
  3. Multi-page logins: Websites may prompt you for your username or email address on one page, then after you submit that information will ask for your password or code on the second page, which LastPass cannot always string together.
We continue to work to improve our accuracy on common types of login forms, but if you run into any of these obstacles, you should try our "Save All Entered Data" feature. This feature force-saves any fields filled in on a login page, giving LastPass better accuracy next time you are logging in to the site.

To use Save All Entered Data:
  1. Login to your LastPass account via the browser addon.
  2. Go to the website whose login you need to force-save with "Save All Entered Data".
  3. On the login page, fill in your credentials (username, email address, password, etc) but do not press login.
  4. Click the LastPass Icon and select the "Save All Entered Data" option at the bottom of the menu.
  5. Confirm the information in the save site dialog.
  6. Once saved, when you return to the login page LastPass should fill the data for you.You can also "force-fill" the login from the LastPass notification bar, or from the LastPass icon by selecting the site name at the bottom of the menu and then clicking "autofill".
Our video tutorial shows this feature in action: