Combating Hackers With Free Password Managers

Vinh Tang
Adventures in Consumer Technology
7 min read · Jul 4, 2019


By now you must have heard a lot of Information Security (infosec) professionals and influencers harping on about password managers and how they are the silver bullet for personal account security. Long story short: hackers use “credential stuffing” as their primary method for breaking into online accounts. A password manager lets you create a unique password for each of your online accounts, which should, in theory, mitigate this risk. Let’s take a dive!

What is Credential Stuffing?

Imagine your login details for Under Armour (MyFitnessPal) were obtained as part of a data breach. Well, you don’t have to imagine it, because it actually happened: 150 million user accounts were affected.

Moving on: criminals take your username/password pair and try to log in to other online services (like Facebook) in the hope that you reuse the same credentials for your other accounts. Since any single attempt is unlikely to succeed (roughly 0.1% to 0.2% of the time), criminals automate their attempts at large scale to make the effort worthwhile. The diagram below summarises the gist of credential stuffing fairly simply.

Image Credit: Neal Mueller, OWASP
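The pattern in the diagram is also what makes credential stuffing detectable on the service side: one source spraying many different usernames with a near-zero success rate looks nothing like a real user retrying their own password. The following is an added example (not from the article or any vendor) that runs that check over constructed log lines in a hypothetical `src=… user=… result=…` format.

```python
"""Spot credential-stuffing patterns in login logs (added example, not from the article)."""
import re
from collections import defaultdict

# Constructed sample log lines (TEST-NET addresses, made-up usernames).
SAMPLE_LOG = """\
2019-07-04T10:00:01Z src=203.0.113.5 user=alice result=FAIL
2019-07-04T10:00:02Z src=203.0.113.5 user=bob result=FAIL
2019-07-04T10:00:02Z src=203.0.113.5 user=carol result=FAIL
2019-07-04T10:00:03Z src=203.0.113.5 user=dave result=FAIL
2019-07-04T10:00:03Z src=203.0.113.5 user=erin result=FAIL
2019-07-04T10:00:04Z src=203.0.113.5 user=frank result=SUCCESS
2019-07-04T10:00:04Z src=203.0.113.5 user=grace result=FAIL
2019-07-04T10:00:05Z src=203.0.113.5 user=heidi result=FAIL
2019-07-04T10:05:10Z src=198.51.100.7 user=alice result=FAIL
2019-07-04T10:05:20Z src=198.51.100.7 user=alice result=FAIL
2019-07-04T10:05:31Z src=198.51.100.7 user=alice result=SUCCESS
"""

LINE_RE = re.compile(r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)")


def summarize_by_source(log_text):
    """Return {src_ip: {"attempts", "failures", "users": set}} from the log text."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that do not match the expected format
        s = stats[m["src"]]
        s["attempts"] += 1
        s["users"].add(m["user"])
        if m["result"] != "SUCCESS":
            s["failures"] += 1
    return stats


def flag_credential_stuffing(stats, min_distinct_users=5, min_failure_rate=0.8):
    """Flag sources that try many distinct usernames and fail almost every time.

    A legitimate user who mistypes a password touches one account; a stuffing
    bot touches many accounts, and the article's 0.1-0.2% hit rate means it
    fails on nearly all of them."""
    flagged = []
    for src, s in stats.items():
        failure_rate = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_distinct_users and failure_rate >= min_failure_rate:
            flagged.append(src)
    return sorted(flagged)


if __name__ == "__main__":
    for src in flag_credential_stuffing(summarize_by_source(SAMPLE_LOG)):
        print("possible credential stuffing from", src)
```

The thresholds are illustrative; a production rule would also window by time and account for shared NAT addresses.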

After successfully logging into your accounts, the possibilities for further exploitation are endless. Malicious hackers can:

  • Change the password on your account and hold it to ransom.
  • Delete your account.
  • Siphon personal/sensitive data from your accounts.
  • Fraudulently assume your identity and fool your contacts into transferring money and/or personal information. This in turn can lead to the compromise of their accounts and lets attackers hop on to their next victim.

In short, you want to avoid being the next victim of a credential stuffing attack. Don’t be Sony, Yahoo, Dropbox or JP Morgan. The easiest way to accomplish this is a long, complex password for each of your accounts, which is exactly what a password manager can assist with. You’ll never have to bother yourself with remembering so many passwords!

Image Credit: Steve Harvey

Getting Started with a Password Manager

As far as password managers go, you’re spoiled for choice. You can choose either to host your own password manager or to use an existing online service. For the sake of this article, we’ll only discuss the simpler online services. Options include (but are not limited to):

  • 1Password
  • LastPass
  • Keeper
  • Dashlane

For this piece, we’re going to explore the setup and use of LastPass Free. No, we are not sponsored by LastPass. Quite simply, this is the service we are most familiar with, and there’s a free option for home users provided you’re willing to accept the following limitations:

Image Source: LastPass Website

For most home users, features such as YubiKey support and 1 GB of encrypted file storage are not necessary and can be done away with.

Installation

It’s a breeze. Just make your way to the LastPass website and follow the prompts.

Image Source: LastPass website

Now, it’s really important that when you create the master password for your LastPass account, you make it something very long and complex.

“Now hold on, you just said I won’t have to remember complex passwords with a password manager!”

With a password manager, you only need to remember ONE complex password. If the password to your Vault is weak, you may as well hand the keys to all of your accounts over to the bad guys. If they are able to break the password securing your password manager account, they’ll have access to EVERYTHING (almost, but we’ll get to that later).

If you want a rough measure of how quickly a password could be cracked by commercial-strength cracking tools, visit howsecureismypassword.net (test a password of similar length and structure rather than the one you actually use, since you should never type a real password into a third-party site).

LastPass operates as a web browser extension, so you need to download and install the version appropriate to your preferred browser. Make sure you check that the publisher listed in the extension store is actually LastPass and not a malicious copy.

LastPass for Firefox
LastPass for Chrome

Once it’s installed, just click the icon in the top right corner.

Among the must-have Browser Extensions!

Upon logging in, your menu options expand to:

Your Vault is where all of your passwords will be stored and you have the option through the main menu to generate your own secure password!

The Vault

This is where all of your password data is stored. Clicking the “+” icon lets you add your first password, note, address or secure note. The list goes on!

LastPass Data Entry Options

To keep it simple, we’re going to stick to a password entry.

New Password Entry

Start entering your details. LastPass is often smart enough to autocomplete the URL, Name and Folder fields based on the service you’re entering the data for.

You can also right-click in the password field to generate a secure password.

Generating Secure Passwords

With that excellent segue, this is what the secure password generation dialog looks like:

Through this dialog, you can control length, case and whether symbols are included, which suits online services that restrict these parameters when creating passwords. As a rule of thumb, we recommend passwords of at least 16 characters with every option enabled.
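To show why the “16 characters, every option enabled” rule of thumb matters, here is an added example (our own code, not LastPass’s generator) that builds the same kind of character pool from the dialog’s toggles, draws a password from the operating system’s secure random source, and estimates the entropy and brute-force time; the guess rate of 100 billion per second is an assumed figure for a well-equipped cracking rig.

```python
"""Generate passwords from toggleable character classes and estimate strength.
Added example; not LastPass code."""
import math
import secrets
import string

# Symbol set is an assumption; real dialogs vary in which symbols they offer.
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>?"


def build_alphabet(lower=True, upper=True, digits=True, symbols=True):
    """Assemble the character pool from the dialog's checkboxes."""
    pool = ""
    if lower:
        pool += string.ascii_lowercase
    if upper:
        pool += string.ascii_uppercase
    if digits:
        pool += string.digits
    if symbols:
        pool += SYMBOLS
    if not pool:
        raise ValueError("at least one character class must be enabled")
    return pool


def generate_password(length=16, **options):
    """Draw every character with the OS CSPRNG (secrets), never random.random."""
    if length < 1:
        raise ValueError("length must be positive")
    pool = build_alphabet(**options)
    return "".join(secrets.choice(pool) for _ in range(length))


def entropy_bits(length, pool_size):
    """Entropy of a uniformly random password: length * log2(pool size)."""
    return length * math.log2(pool_size)


def crack_years(length, pool_size, guesses_per_second=1e11):
    """Expected years to search half the keyspace at an assumed guess rate."""
    keyspace = pool_size ** length
    seconds = keyspace / 2 / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    pool = build_alphabet()
    for n in (8, 12, 16):
        print(n, generate_password(n), f"{entropy_bits(n, len(pool)):.1f} bits",
              f"{crack_years(n, len(pool)):.3g} years")
```

Doubling the length from 8 to 16 characters does not double the cracking time; it squares the keyspace, which is why length beats cleverness.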

Everyday use (Autofill)

You can either use the Vault to launch your desired service directly or you can navigate to your website of choice and click on the little LastPass icon in the login fields for autofill.

Launching from the Vault
LastPass Autofill Function

Further, if you register for an account with a new service (or update an existing password), LastPass will, for the most part, prompt you to save it to your Vault (as long as you are logged in to LastPass).

LastPass Update Prompt

Two Factor Authentication

As per infosec best practice, it is always recommended to enable 2FA on everything. It’s especially important to do so on your password manager so that it’s not your single point of failure, i.e. crooks need more than just your master password to get into your Vault.

2FA within LastPass

2FA settings can be found under “Account Settings”. Keep in mind that app-based 2FA is included in LastPass Free, while hardware-based 2FA is only available through LastPass Premium. Pick your poison and follow the steps. Don’t forget to install the relevant app on your device before setting it up.

LastPass Free Multifactor Authentication Options

We personally prefer the LastPass Authenticator app, as it sends a yes/no prompt to your phone when you attempt to log in to your LastPass account, thereby avoiding the annoying six-digit code prompt.

The LastPass Authenticator app also lets you create time-based codes for other services! It’s a one-stop shop for 2FA code generation.

Image Credit: Android Authority
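Those time-based codes are standard TOTP (RFC 6238), which is why one app can generate them for many unrelated services. The following added example (not LastPass Authenticator code) computes a code from a base32 secret the way an enrolment QR code carries it, and shows the server-side check with a small clock-drift window and a constant-time comparison; the secret is the RFC 6238 reference key, included only as a constructed test value.

```python
"""TOTP codes (RFC 6238) as an authenticator app computes them. Added example."""
import base64
import hashlib
import hmac
import struct
import time

# Constructed test secret: the RFC 6238 reference key, base32-encoded the way
# enrolment QR codes deliver secrets to authenticator apps.
RFC6238_TEST_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(key, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret_b32, for_time=None, step=30, digits=6):
    """Code for the 30-second window containing for_time (default: now)."""
    if for_time is None:
        for_time = int(time.time())
    key = base64.b32decode(secret_b32.upper())
    return hotp(key, int(for_time) // step, digits)


def verify_totp(code, secret_b32, now=None, window=1, step=30, digits=6):
    """Server-side check: accept the current window plus/minus `window` steps
    to tolerate clock drift, comparing each candidate in constant time."""
    if now is None:
        now = int(time.time())
    for drift in range(-window, window + 1):
        candidate = totp(secret_b32, now + drift * step, step, digits)
        if hmac.compare_digest(candidate, str(code)):
            return True
    return False


if __name__ == "__main__":
    print("current code:", totp(RFC6238_TEST_SECRET_B32))
```

Because the code depends only on the shared secret and the clock, an attacker who has stolen your master password still cannot produce a valid code without your phone.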

Final Thoughts

LastPass is a great password manager packed with features. You may not want to store all of your passwords in it if you want to avoid a single point of failure (so long as you have the memory to remember a few more long and complex passwords). Using a password manager definitely makes you far less vulnerable to credential stuffing attacks.

Remember it’s not about making your defenses bulletproof. It’s just got to be more bullet resistant than the guy next to you!
