Apr 27 2014
 

Lastpass: What is it?

Lastpass is a cross-platform “Trust No One” password manager, which means no one can access your data, not even employees of Lastpass. Lastpass is free to use in desktop web browsers, but if you want access on a mobile platform you will need the premium version, which costs $12 a year.

How to Install

Download the extension for your browser from https://lastpass.com/misc_download2.php and create an account. You need to choose a strong master password, as this is what secures your data.

Once installed you will see an asterisk symbol next to the address bar; once logged in you can access various settings along with your vault, which is where your passwords are stored. When you log in on a website you can click the asterisk symbol that appears in the login boxes: if you have saved any details you can select them, otherwise type in your details. You should then see a bar at the top asking if you want to save your details (say yes).

Secure passwords

Lastpass can be used to generate very secure passwords; there is an option to do this from the drop-down menu on the password field. You can set the password length, whether special characters are used and how many digits, as well as an option to avoid ambiguous characters so the password is easy to read if need be. I recommend a password length of at least 16 characters if the site allows it.
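To show what those generator settings actually do, here is an added example of a small password generator with the same knobs (length, minimum digits, minimum special characters, avoid ambiguous characters). It is my own illustration, not Lastpass code; the ambiguous-character set and the special-character list are my assumptions, and the entropy estimate assumes every position was drawn uniformly from the pool, which slightly overstates the real figure because a few positions are constrained.

```python
import math
import string
from random import SystemRandom

# SystemRandom reads os.urandom, so it is suitable for generating secrets
# (unlike the default random.Random Mersenne Twister).
_rng = SystemRandom()

# Assumed set of characters that are easily confused when read from a screen
# or dictated aloud: zero/capital O, one/lowercase L/capital I, and pipe.
AMBIGUOUS = set("0O1lI|")
# Assumed special-character list; real generators let you pick your own.
SPECIALS = "!@#$%^&*()-_=+[]{};:,.?"


def _pools(avoid_ambiguous):
    """Return (letters, digits, specials) with ambiguous characters optionally removed."""
    letters, digits, specials = string.ascii_letters, string.digits, SPECIALS
    if avoid_ambiguous:
        strip = lambda s: "".join(c for c in s if c not in AMBIGUOUS)
        letters, digits, specials = strip(letters), strip(digits), strip(specials)
    return letters, digits, specials


def generate_password(length=16, min_digits=2, min_specials=2, avoid_ambiguous=True):
    """Generate a password of exactly `length` characters with at least `min_digits`
    digits and `min_specials` special characters; the remaining positions are drawn
    from the whole allowed pool, then everything is shuffled so the required
    characters do not cluster at the front."""
    if length < min_digits + min_specials:
        raise ValueError("length is too short for the requested digits and specials")
    letters, digits, specials = _pools(avoid_ambiguous)
    chars = [_rng.choice(digits) for _ in range(min_digits)]
    chars += [_rng.choice(specials) for _ in range(min_specials)]
    pool = letters + digits + specials
    chars += [_rng.choice(pool) for _ in range(length - min_digits - min_specials)]
    _rng.shuffle(chars)
    return "".join(chars)


def check_policy(password, length, min_digits, min_specials, avoid_ambiguous):
    """True when `password` meets the policy it was generated under."""
    return (
        len(password) == length
        and sum(c.isdigit() for c in password) >= min_digits
        and sum(c in SPECIALS for c in password) >= min_specials
        and (not avoid_ambiguous or not (set(password) & AMBIGUOUS))
    )


def estimate_bits(length, avoid_ambiguous=True):
    """Rough strength estimate: length * log2(pool size). With ambiguous characters
    removed the pool is 80 characters, so 16 characters is about 101 bits."""
    letters, digits, specials = _pools(avoid_ambiguous)
    return length * math.log2(len(letters) + len(digits) + len(specials))


if __name__ == "__main__":
    pw = generate_password(16, 2, 2, True)
    print(pw, check_policy(pw, 16, 2, 2, True), round(estimate_bits(16), 1))
```

The point of the estimate is that length dominates: dropping a handful of ambiguous characters costs well under a bit per position, while each extra character adds over six bits, which is why 16 characters is a sensible floor when the site allows it.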

The passwords in your vault are synced to all your computers and mobile devices. The Lastpass vault is stored in an encrypted form that cannot be read without your master password. There are options to increase security further and I recommend the following: only allow logins from your country, disable logins from the Tor network, kill other sessions on login, keep track of login and form history, automatically log off when all browsers are closed (0 mins) and automatically log off after idle (15 mins). You will also find an option to use multifactor authentication; this requires a second form of authentication the first time you log in on a new device. There are several methods of multifactor authentication; I use Google Authenticator.
Lastpass provides a QR code that can be scanned with the Google Authenticator app.

Password audit

Lastpass can run an audit on all your passwords and report how secure everything is: it checks whether you are using the same password more than once and flags any that need strengthening. They have now added an option that reports whether a site was affected by Heartbleed and whether you should change your password.
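As an added example of the three checks such an audit performs (reuse, weak passwords, and "changed before the site patched Heartbleed"), here is a small audit over a constructed vault. This is my own code, not Lastpass's audit; the vault entries, the per-site patch dates, the tiny common-password list and the 60-bit threshold are all made up for the illustration.

```python
import math
from datetime import date

# Constructed sample vault; these are not real credentials.
VAULT = [
    {"site": "mail.example.com",  "user": "alice", "password": "Tr0ub4dor&3",         "changed": date(2014, 1, 5)},
    {"site": "shop.example.net",  "user": "alice", "password": "Tr0ub4dor&3",         "changed": date(2013, 11, 2)},
    {"site": "forum.example.org", "user": "alice", "password": "password1",           "changed": date(2012, 6, 1)},
    {"site": "bank.example.com",  "user": "alice", "password": "kQ7#vLp2!xR9mZ4w$nB", "changed": date(2014, 4, 20)},
]

# Constructed: the date each site finished patching OpenSSL and reissuing its
# certificate. A password set before that date may have been exposed while the
# site was vulnerable, so it should be changed.
PATCHED_ON = {
    "mail.example.com": date(2014, 4, 9),
    "bank.example.com": date(2014, 4, 10),
}

# Tiny constructed deny-list; a real audit would use a large breached-password set.
COMMON = {"password", "password1", "123456", "qwerty", "letmein"}


def estimate_bits(password):
    """Pool-size estimate: length * log2(size of the character classes present)."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 33  # printable ASCII punctuation
    return len(password) * math.log2(pool) if pool else 0.0


def find_reused(vault):
    """Groups of sites that share one password, each group sorted by site name."""
    by_password = {}
    for entry in vault:
        by_password.setdefault(entry["password"], []).append(entry["site"])
    return sorted(sorted(sites) for sites in by_password.values() if len(sites) > 1)


def find_weak(vault, min_bits=60):
    """(site, reasons) for every entry that fails at least one strength check."""
    weak = []
    for entry in vault:
        pw, reasons = entry["password"], []
        if pw.lower() in COMMON:
            reasons.append("common password")
        if len(pw) < 12:
            reasons.append("shorter than 12")
        if estimate_bits(pw) < min_bits:
            reasons.append("low entropy")
        if reasons:
            weak.append((entry["site"], reasons))
    return weak


def find_heartbleed_exposed(vault, patched_on):
    """Sites whose stored password predates the site's Heartbleed fix."""
    return [e["site"] for e in vault
            if e["site"] in patched_on and e["changed"] < patched_on[e["site"]]]


def audit(vault, patched_on=PATCHED_ON):
    return {
        "reused": find_reused(vault),
        "weak": find_weak(vault),
        "change_after_heartbleed": find_heartbleed_exposed(vault, patched_on),
    }


if __name__ == "__main__":
    for key, value in audit(VAULT).items():
        print(f"{key}: {value}")
```

Note that the Heartbleed check needs per-site knowledge (when the site actually patched and replaced its certificate), which is why a vendor-run audit can do it and a purely local script cannot; here that knowledge is the constructed PATCHED_ON table.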

Apr 10 2014
 

What is the Heartbleed Bug?

The Heartbleed Bug is a serious vulnerability in the OpenSSL software. SSL/TLS provides communication security and privacy over the Internet for applications such as websites, emails, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content.

For a more detailed explanation go and read http://heartbleed.com/

How do I stop the leak?

You need to update to the latest version of OpenSSL and restart all services that use it.
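The part people most often miss is the second half of that sentence: upgrading the package does not help a daemon that still has the old library mapped. Here is an added script of my own (not from the page or from OpenSSL) that checks both halves: it compares the installed version string against a fixed release (1.0.1g, the upstream release that fixed Heartbleed), and it scans /proc/<pid>/maps on a Linux host for processes whose libssl or libcrypto mapping is marked "(deleted)", which is what you see when the package manager has replaced the file under a running process. The sample version string and maps listing are constructed.

```python
import os
import re

# Constructed sample of `openssl version` output on an unpatched host.
SAMPLE_VERSION = "OpenSSL 1.0.1f 6 Jan 2014"

# Constructed sample of /proc/<pid>/maps for a daemon that loaded the old
# libraries before the upgrade; the kernel appends "(deleted)" once the
# original file has been unlinked and replaced on disk.
SAMPLE_MAPS = """\
7f3a1c000000-7f3a1c1f0000 r-xp 00000000 08:01 131072 /lib/x86_64-linux-gnu/libc-2.19.so
7f3a1c400000-7f3a1c45c000 r-xp 00000000 08:01 131090 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3a1c700000-7f3a1c8d0000 r-xp 00000000 08:01 131091 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
7f3a1cb00000-7f3a1cb10000 rw-p 00000000 00:00 0
"""

# OpenSSL 1.0.x versions look like 1.0.1f: three numbers plus an optional letter.
VERSION_RE = re.compile(r"(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """Turn '1.0.1f' or 'OpenSSL 1.0.1f 6 Jan 2014' into a comparable tuple."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch), letter)


def is_at_least(installed, fixed="1.0.1g"):
    """True when the installed version is the fixed release or newer.
    Tuple comparison handles the letter suffix: (1,0,1,'f') < (1,0,1,'g')."""
    return parse_version(installed) >= parse_version(fixed)


def stale_ssl_libs(maps_text):
    """Paths of libssl/libcrypto mappings in a maps listing that are marked
    '(deleted)', i.e. the process is still running the pre-upgrade code."""
    stale = set()
    for line in maps_text.splitlines():
        parts = line.split(None, 5)
        if len(parts) < 6:
            continue  # anonymous mapping, no path
        path = parts[5]
        if path.endswith(" (deleted)") and ("libssl" in path or "libcrypto" in path):
            stale.add(path[: -len(" (deleted)")])
    return sorted(stale)


def processes_needing_restart(proc_root="/proc"):
    """Walk a live Linux /proc and return {pid: [stale libraries]}.
    Reading another user's maps needs root; unreadable entries are skipped."""
    result = {}
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, pid, "maps")) as f:
                stale = stale_ssl_libs(f.read())
        except OSError:
            continue
        if stale:
            result[int(pid)] = stale
    return result


if __name__ == "__main__":
    print("version ok:", is_at_least(SAMPLE_VERSION))
    print("stale in sample:", stale_ssl_libs(SAMPLE_MAPS))
    print("live processes to restart:", processes_needing_restart())
```

Two caveats. Distribution packages often backport the fix without bumping the upstream version string, so the version check is a hint and the distribution's advisory is the authority. And the "(deleted)" heuristic only fires when the library file was replaced with a new inode, which is what package managers do; a process whose library was overwritten in place would not be flagged, so when in doubt restart every service that links OpenSSL, or reboot.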

How can I check if my server or a site I visit is still vulnerable?

There are several sites where you can check; I recommend https://www.ssllabs.com/ssltest/index.html as it tests more than just the Heartbleed bug.
There is also http://filippo.io/Heartbleed/

All my servers have been patched and the SSL certificates have been replaced.