Another breach at a password storage service: LastPass

Using a password manager is still the best way to securely record all your passwords. This assumes that you are in fact using different passwords for every web site and service that require one. If you’re using the same password for everything, you are risking your privacy, financial security, and sanity.

So… which password manager should you use? Most of the major password management services (1Password, LastPass, etc.) store your passwords on their own servers, and there’s no question that this provides some benefits in terms of convenience, with the main one being that you can access your passwords from anywhere. You don’t have to back up your password data or copy it between devices; it’s maintained by the service provider and easily accessible via their web site.

But this convenience comes at a huge cost: the risk that your passwords will be compromised when the service provider experiences a security breach.

A recent breach at LastPass is, sadly, only the most recent example. In this case, the LastPass servers were compromised and attackers gained access to user data. The company first reported the breach in August 2022, but downplayed the impact on users. Their latest announcement finally provides the full story, and acknowledges that the attackers gained full access to user data, including encrypted passwords.

More about the breach from Bruce Schneier.

Although LastPass is to blame for the breach and the compromised user data, the passwords in the vault data obtained by the attackers are all encrypted, and there’s no way to magically decrypt them without knowing the master passwords of the individual users. However, that just means that the people who have the data will be using brute-force techniques to guess those master passwords, offline and at their leisure. For users whose master password is long and complex, it would take years, if not centuries, to crack; but if your master password is short, simple, or commonly used, all of your passwords are now known to these attackers.

Something for your to-do list: if you use LastPass, and your master password is easy to crack (check it here), you should immediately change ALL of your passwords.
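To make the brute-force arithmetic behind the two preceding paragraphs concrete, here is an added estimator (not from the post, LastPass, or any linked checker) of how long an offline attacker would need to guess a master password. The guess rate, the character classes, and the small list of common passwords are all assumptions constructed for the example; real crackers start from wordlists and mangling rules, so the keyspace figure is an upper bound on resistance, not a guarantee.

```python
import math

# Constructed stand-in for the wordlists crackers try first (assumption,
# not the post's list): any of these is found almost instantly.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "iloveyou"}

# Character classes an attacker assumes once they see which kinds
# of characters a password uses (94 printable ASCII in total).
CHAR_CLASSES = [
    ("lower", "abcdefghijklmnopqrstuvwxyz"),
    ("upper", "ABCDEFGHIJKLMNOPQRSTUVWXYZ"),
    ("digit", "0123456789"),
    ("symbol", "!@#$%^&*()-_=+[]{};:,.<>?/\\|`~'\""),
]

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace_bits(password: str) -> float:
    """Upper-bound entropy: length times log2 of the alphabet made of the
    character classes the password actually uses (a brute-force view)."""
    alphabet = sum(len(chars) for _name, chars in CHAR_CLASSES
                   if any(c in chars for c in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def years_to_crack(password: str, guesses_per_second: float) -> float:
    """Expected years for an offline attacker to hit the password at the
    given guess rate (on average half the keyspace must be searched).
    The rate is an assumption: slow key derivation on the vault pushes it
    down, fast hashing or many GPUs push it up."""
    if password.lower() in COMMON_PASSWORDS:
        return 0.0  # wordlist hit: cracked in the first moments
    expected_guesses = 2 ** (keyspace_bits(password) - 1)
    return expected_guesses / guesses_per_second / SECONDS_PER_YEAR


def verdict(password: str, guesses_per_second: float = 1e4) -> str:
    """One-line summary suitable for a 'should I rotate everything' check."""
    years = years_to_crack(password, guesses_per_second)
    if years < 1:
        return "weak: change all stored passwords now"
    return f"about {years:.3g} years at {guesses_per_second:.0e} guesses/s"
```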

In my opinion, you’re much better off using password management software that stores its data locally, on your own computer. Then you only need to worry about someone getting access to your computer, which you can actually control.

I’ve long recommended Password Corral for Windows users. It’s simple, secure, and free, and it stores its data locally only.

Other password managers that use only local storage include PasswordSafe, KeePassXC, and KeeWeb. Password managers that can be used with local storage include Roboform and Sticky Password.

And remember that when you use a ‘cloud’ service, you’re just storing your data on a total stranger’s computer, which may or may not be managed and secured competently, and over which you have basically no control. Cloud stuff is convenient, but the risks of using it indiscriminately are enormous.

Update 2023Sep11: Brian Krebs reports that password information obtained during this breach is being actively used by criminals to gain unauthorized access to various systems and services.

Cortana

Some technologies seem always to be just around the corner. Every few years, people get excited all over again, about 3D media, virtual reality, voice assistants, hoverboards, self-driving cars, flying cars, artificial intelligence, and other things that always turn out to be more hype than anything else.

I started writing the post below about Cortana way back in 2015, but never published it. I can’t even remember why it never got published, but presumably I just lost interest, and figured everyone else would as well.

For a while there, my main interest in Cortana was the ways in which it was making work difficult for IT staff. My favourite example of that is shown in this video of someone prepping a room full of new computers with Windows 10.

Now, all the excitement about Cortana, along with Amazon’s Alexa, has almost completely disappeared. Cortana is still around in recent versions of Windows, but much of its functionality has been stripped away (and now it’s gone). Alexa is being similarly sidelined, and increasingly viewed as a failure.

Why are voice control tools like Cortana and Alexa failing?

  1. Talking to your computer is amusing for a while, but once the novelty wears off, one can’t help noticing that it’s just as easy (and in many cases much easier) to use your mouse and keyboard.
  2. Privacy issues. Computers are really good at making our lives easier. And that’s good. But some technologies, to be truly useful, need to know about us — a lot about us. The most obvious example is Internet advertising: unless you’re blocking ads and related scripts and cookies in your web browser, the ads you see are based on what advertising networks know — or think they know — about you. And that’s just one example. A lot of what makes modern computers useful is based on this tradeoff between privacy and convenience. Computer ‘assistants’ like Cortana and Alexa rely on what they learn about you to improve their effectiveness. And of course they’re always listening.

Anyway, here’s what I wrote back in 2015:

Cortana limitations

Having a computer you can talk to is one of those things that most of us associate with science fiction. Cortana is Microsoft’s attempt to make that fantasy real. The extent to which they have succeeded depends on your point of view. There are loads of examples of cool things Cortana can do in response to your questions and commands, but they still feel very limited to me. Not to put too fine a point on it, there are some things Cortana is good at, and others it is not. If your idea of talking to your computer is to find out the weather, the time, and stock prices, or set up appointments in your calendar, you might find Cortana quite useful. To my way of thinking, unless I can debate philosophy or sports with a computer, I’m not really interested in talking to it.

That said, there are plenty of examples of useful ways to use Cortana (find some). (Editor’s note: I never found any, although admittedly I didn’t look very hard. I assumed if someone found a killer app for Cortana, I’d hear about it.)

Cortana is also region-dependent and may not be available in your country. If that’s the case, and you happen to be an English speaker (which I can assume given that you’re reading this), you can make Cortana work by configuring the Windows region settings to the US. I’m in Canada, and I’ve been using the US English Cortana for a while, and it works fine. The main difference between the versions is the speech recognition database, so the Canadian version is going to be pretty much identical to the US version. There may be other small differences as well, such as units of measurement. If you do decide to tweak the region settings to use the US Cortana, keep in mind that this will affect other apps as well. For instance, your web browser may tell search engines that you’re in the US, and your search results may be regionally skewed as a result. Still, most apps are more likely to use your location than your computer’s region configuration when doing their thing.

There are other problems. In my tests, the ‘Hey, Cortana’ feature worked for a few days, then stopped responding. Disabling and re-enabling the feature didn’t help.

Cortana is a fun feature, and it’s likely that many of the current issues will be resolved in the near future. It’s worth looking at, and anyone with Windows 10 should probably try it, but it’s not something that should figure prominently in deciding whether to use Windows 10 at all.