My password security fiasco: Part 1 of 2

May 6, 2017

By Matthew E. Milliken
MEMwrites.wordpress.com
May 6, 2017

In April 2014, I wrote about an Internet security flaw and my use of the password manager LastPass. Since then, I joined LastPass’s premium service, which costs what I consider to be an eminently reasonable $12 a year in return for the ability to use the service on my mobile phone.

I try to be diligent about updating important passwords every six months or so. But you know what they say about good intentions — as in, the road to hell is paved with them…

In February, Yahoo issued a warning about hacking that had affected its site. Alng with that caution came a wave of articles advising Internet users to change their passwords because of a newly discovered web infrastructure vulnerability. Since it was about time to update the entry codes on my accounts anyway, I spent the last night of the month at home getting started on just that arduous task.

One of the passwords I changed was the one on my LastPass account — my master password, as they call it. Unfortunately, when I went to log in to LastPass a day or two later, I found that I couldn’t remember my password.

Now the whole point of using a password manager such as LastPass is that it spares you from having to write down any passwords — a practice that poses a serious security risk. Naturally, being the security-conscious person I am, I hadn’t written down my master password.

LastPass’s password-recovery mechanism is much stricter than that of the typical website. Usually, if you click on the “I forgot my password” link at, say, blobloblob.com, the site will send you an email message containing a link that you can use to set a new password. It may take a minute or two, but it’s simple to do.

But LastPass doesn’t offer that kind of easy-to-do reset, presumably because it would allow hackers who have improperly accessed someone’s email account to retrieve all of that person’s passwords. Instead, LastPass’s password-recovery mechanism is more or less limited to emailing the user a copy of her or his password hint. Much to my chagrin, the hint I’d entered for my new password was so broad that it got me not one white closer to conjuring the magic phrase. So that was no help.

The service does offer a few other avenues for unlocking LastPass accounts. One is giving a trusted person access to your account; another is downloading all of your data, which (I assume) gives you a local backup even if you get locked out from the online account. Unfortunately, I hadn’t authorized another user or downloaded my information when I still had access to my account, so these were as useless as my regrettably vague password hint.

There’s an additional way to unlock your account: By setting up and utilizing one-time passwords. As it happened, I had established three of these single-use passwords. But these rely on having LastPass plugins integrated with my web browser — something that I hadn’t been doing. (Instead, I’d just been going to http://www.LastPass.com and logging in there.) Therefore, I remained frozen out of my password manager.

I’d forgotten my LastPass master password once before, in the summer of 2015. My solution that time had been to make a list of possible passwords and keep on entering them until I discovered which one was valid.

There was a difference between now and then, however. Two years ago, I’d had a pretty clear idea of the phrase that comprised my password. The thing I’d forgotten in that case was the precise sequence of characters at the end of the password. Had I used an S or not? Had I substituted a number for one or more of the vowels, l1k3 s0? Had I placed a random character at the very end of the password, sort of like safepasswordz or safepassword1?

I solved my problem in that case by making a list of possible configurations for my passwords, like so:

safepasswords
safepassw0rds1
safepasswordz
safepassw0rdz

It took several tries, but before long I’d found the right entry code and regained access to my LastPass account.

This time around, alas, things weren’t going to be so easy. I knew that my forgotten password consisted of three words, and I was pretty sure what the middle word was, but I could only guess what the first and last words were. And as I’ve already said, my password hint just wasn’t any help.

Still, what else could I do? I made a list of possible passwords and started putting them into LastPass. None of them worked out, so I kept adding to my list. It grew from about two dozen prospects to 30, 40, 50…

My frustration mounted with each rejection, and I got no closer to finding the right phrase. In short, reader, I was not a happy camper.

To be continued…

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: