Security Audit
Over the year-end break, I moved my password manager away from LastPass. I didn’t move for security reasons but more so for usability issues and the security issues were purely an unfortunate coincidence. I used this transition as an opportunity to do a full audit of the credentials and I stumbled across some fun (read: annoying) discoveries.
Quick Links
Why was I with LastPass originally? Why change?
When I originally transitioned to using a password manager forever ago, I chose LastPass for the same reasons ‘everyone else’ did — it was the popular option that was well marketed. It was approachable, did well in terms of usability and value-add. Over the years, the security issues haven’t bothered me nearly as much as the usability quirks.
A few things really got to me over the years:
It takes four clicks to get a username/password into your clipboard. So potentially eight mouse clicks to log into something. The count is even higher on phones where you may need to switch back and forth between processes (and sometimes having to re-authenticate in between). Thankfully with phones, you can have the option of pinning copy-notifications to make it a bit less frustrating
By default, the extension will clear the clipboard after 60 seconds. 99% of the time this isn’t an issue (especially if you’re aware of this) but there’s a rare occasion when the “would you like to save this site” prompt doesn’t trigger (say, due to the way the site’s account-creation is set up) and if it takes >60s to get the activation email etc., you’re in for a surprise when your password is cleared.
Seemingly random reasons to reauthenticate. I understand the monthly re-authentication, that’s fine and I can even understand getting signed out randomly here and there, but I’ve had a few cases where I’m authenticating (with 2FA too, for extra fun) five or six times in a 30 second period
The extension will populate a little icon in textboxes that allows you to invoke LastPass (normally, to trigger a “search for logins for this site” functionality). To things bother me about this feature: [1] many times it interferes with the ‘eye’ (show me what I typed) and [2] it’s rare, but sometimes the button just doesn’t work.
There wasn’t the ability to (easily and neatly) add ‘sub-entries’. For example: logging into your bank will include a login and password but what if there are challenge questions? PIN numbers? PIN number specific for calling into phone-banking vs support? There’s no way to consolidate this into a single object if you wanted to.
So much clicking to get the credentials…
On the big scale, these are relatively small issues by themselves, but LastPass presents itself as a premium player in this space (and they certainly charge a premium price tag). At this level (and price!) I’m much less tolerant of these issues.
Thoughts on the credential audit
When I started, I had about 500 credentials. After everything was migrated, consolidated and cleaned-up, I now have just over 265. That’s a huge drop looking at consolidating multiple related credentials (for example., combining PIN and challenge questions into the ‘main’ entry) only accounted for about 60 or so entries. Maybe 30 accounts were for websites that were no longer kicking around.
So what about the almost 150 remaining entries? I’ve got some stories.
Stealth wiping
Let me tell you a story about product registration.
Oftentimes when you buy stuff, the product manufacturer wants you to register it (ostensibly to get your contact information so they can sell you more stuff but that’s beside the point). So let’s say you create an account and register your product. Some time passes and a few months/years later, you buy another product and go to dutifully register it. Depending on how long it’s been, there is a more than good chance your account doesn’t exist anymore and all the things you registered? Probably gone.
I can understand how some services might want to occasionally purge inactive accounts for product registration, that’s a bit silly. Oddly, there are some notable web-services that purge accounts (I should note, there’s no notification of the purge — if there was an email sent saying “your inactive account is going to get purged” that’s totally fine)
Web services
BlazeMeter
Fongo
MyPrepaidCenter
OpenDNS
Webex
E-Retailer
CDW
DataPro
Product registration
Aukey
Anker
Black & Decker
Bosch (power tools)*
Flir
LG (appliances)
NEEWER
Porter-Cable
RAVPower
Worx
Zotac
Bosch is a bit of an interesting one. My account (with product registration) got deleted, so I created a new account (using the same email). When the ‘new’ account was created, my previously registered tools showed up. While this was convenient for me, I’m not sure if I like the idea that a ‘deleted’ account (the notification said the account was deleted) still has associated information floating around.
Looking just at product registrations, this now has me looking at purchases in a different light. Specifically looking at power tools for a second:
Accounts still in working order despite not logging in for years:
Milwaukee
Ridgid power tools (orange) and Vacs (red)
Ryobi
Kreg Tools
Bosch (my account got wiped but was able to be restored, so I’ll log it here for now)
EGO (but my account is still quite new so I wouldn’t expect it to be wiped)
Accounts that got wiped without notice
Black & Decker
Porter-Cable
Worx
Having my accounts (and associated registered items) quietly wiped leaves me with an odd feeling about the vendors. In fairness, while I’ve not had any issue with the tools … what if I did? It costs next to nothing to store the miniscule amount of data associated with my account & registered products, so what gives?
All things being equal (or perhaps, close), I’d certainly shy away from brands where my data gets stealth wiped.
Unclean wipes
Accounts getting stealth-wiped seems to be the signature move for power-tool companies; for small electronics companies they took it another step: not only is your account is stealth wiped but they got rid of the entire concept of ‘creating an account’ and/or ‘registering your product’ — so forget even making a new account to register a recent purchase. Fun times.
Sometimes, you get some companies that just drop the ball even when it comes to wiping, like UPS. My account was stealth wiped; I know this because the credentials don’t work.
When I trigger “I forgot my username”, I get an email from them telling me “this is the username and email associated with the login”
If I try the “Please reset my password”, that process fails
If I try and create a new account, I can’t because the account is still in use
As someone who understands a bit of how the software works, all i can do is shake my head. Thankfully, I don’t actually really need this account for anything.
Automatic lockdown
I had a fun time with Marriott — if you change your email and phone number, you can’t log in for at least a day. Something about “you recently changed your contact info, you can’t log in at this time”.
I can understand why they might do this — if I was going to steal an account, the first thing I would do would be to change the contact information of the account! But if they are going to do this lockdown, maybe put a warning that “hey we noticed you just changed your email, if you change your phone, you won’t be able to log in”. I don’t travel enough (nor care for Marriott) so this was just an amusing nuisance of having to make a note to come back in a day or two to verify the credential migration was successful.
Have I been pwnd?
I’m a huge fan of the site haveibeenpwnd where you can punch in your email (or phone number) to see if it’s shown up on a leak somewhere in the past. This can be a bit of an warning beacon to go and do a comprehensive password update. There’s a FAQ to cover the obvious questions that arise from a service like this.
Revisiting 2FA with Authy
After I got my accounts migrated over, this was a pretty good time to revisit 2FA as well. I regularly check a directory of sites that support 2FA to see if I can add 2FA to any of my existing accounts (and in some cases, move away from SMS to time-generated codes).
Until now, my code-generator app of choice has been Google Authenticator and it while it works great, I did start to have problems with it a few updates back (it’s been bugging me for about a year now). Making an educated guess, when I launch Google Authenticator, it goes through all of the entries and starts generating the one-time keys and then it finishes loading the app. You’ll notice that when the app launches, all of the entries already have keys being generated.
At time of writing, I have about 70 accounts protected by 2FA and it regularly takes 3+ seconds to launch the app. Add my gripe of it being a general pain in the butt to manage the entries (relabeling and sorting), I wanted to see if there was a better option.
I settled on trying Authy and it’s been great. I don’t care for the backup & multi-device sync features but the app launches fast. The one-time keys are only generated when I click on the entry I want which I think is why the application launches so faster and is generally more responsive. I can very easily relabel entries and sort everything more easily. It’s also a nice touch that I can add icons to the entries and that I can also perform search.
What about the other [dis]advantages between Google Authenticator vs Authy?
Most of the time, people focus on the ability to sync across multiple devices and/or do backups. For me, this is a non-issue since I run rooted, so snapshotting the entire application’s data provides me with the ability to clone my authenticator to another device if needed.
There are still a ton of sites that use SMS as means of 2FA and one thing that has helped me keep my sanity is to create a single contact (i.e., ‘2FA’) that has all of the phone numbers (and/or email addresses) so that when the 2FA codes come in, they come in to a singular entry in your messages-view rather than spread across a billion different entries. This is a long-game optimization hack as you’ll need to add the SMS contacts as they come in, over time. But it does get better — and you can migrate it with you to new phones.
Product links may be affiliate links: MinMaxGeek may earn a commission on any purchases made via said links without any additional cost to you.
