In the past 15 or so years that I've been gaming, the only time I've ever been "hacked" was due to my own stupidity: I downloaded a keylogger.
Short of downloading something malicious or getting phished, you aren't very likely to get hacked. Just use a strong password.
If you set that to 25 billion you can see how long it'd take a modern CPU & high end GPU to crack your pass.
Set it to something like 20 characters long. Here's some examples:
141 nonillion years to crack. That's 141 × 10^30 years.
Another concern is your e-mail. Use an e-mail provider with two-step authentication. Gmail, for instance, has this. This makes it so that there's no way anyone could get into your email to authorize a password change without access to either your home or cell phone. Most people who get hacked probably just have their passwords stolen from databases, so make sure every single password you use is unique and never reuse the same password.
It makes life infinitely easier, and it's extremely secure. They also have plug-ins for just about everything. Here's a review of it by security expert Steve Gibson:
I use Grid Multifactor Authentication with LastPass as well. Here's what that is:
It's very secure... The only way someone other than you could get into your account is to have access to your grid, which you should keep on your person. Even if you assume someone could log your grid and try to memorize the whole thing... if you just change it every week or so, even that's not plausible. You can also set secure locations so you don't have to enter it from home or such if you have somewhere secure that you aren't worried about. Extremely secure.
Here's what I think is probably one of the most important parts about the security of LastPass if you're super lazy:
Yes, even the iPad. What these bookmarklets are, a bookmarklet is a bit of JavaScript which is like a URL, that is, it sort of runs like script on a page. And that allows them to sort of shoehorn themselves into literally any browser. So if you didn't have any plug-in, or for example you were using somebody else's browser that didn't have a plug-in, you could still use these bookmarklets in order to get access to your own personal library of passwords. So that's what LastPass creates is your own personal library of passwords.
What LastPass users have a level of reasonable discomfort with, and I did when I was first installing this and setting things up, LastPass has also a form fill-in capability. And it was suggesting, why don't you give me your credit card numbers? It's like, uh, what? And it even has a secure vault where you can put just your own notes which you want to have available anywhere, that is, on any of these platforms, containing anything whatsoever. The question is, how is this safe? How is it that I am not giving the LastPass people, who I want to trust, but do we trust everyone who works there? Do we trust everyone who has ever worked there in the past, who will ever work there in the future? Do we trust that, like, that somebody won't break into their servers in the middle of the night and have this huge massive win of getting all of the usernames and passwords for everyone who is using LastPass?
So the way this works is, the reason I'm using it, is I now understand how it works and why it's absolutely trustable, is that very much like Jungle Disk, which we've talked about in the past, all the encryption is done locally. That is, at no point does LastPass receive anything other than what looks like a block of pseudorandom noise. We've talked about how, when you take so-called plaintext, the normal readable, human readable, your username as an email address and your actual password, and you encrypt it with a good cipher, it turns it into, under the influence of a key, which is the key to the whole process, under the influence of the key, it turns it into noise, absolute pseudorandom bits that mean nothing.
So that's what the LastPass system gets and saves. It is absolutely no use to anyone because they never get the key. And they've gone to great lengths to arrange never to get the key. When you log into their system, you do so with your username, which is your email address, and your password. That's put together, it's concatenated into one long string. They sanitize the username a little bit. They lowercase it, and they remove the so-called white space, you know, spaces and things. That just makes it a little more robust. The password they don't change at all. So that remains case-sensitive, and special characters and things can be in there. They leave that alone.
But, for example, email addresses are not case sensitive. You can change the case in an email address. And so since they're using their email address, people's email addresses as their password, users might not be careful about the case in their email addresses, so they make that case-insensitive. They always lowercase the email address ASCII characters, the alphabetic characters. So they put all this together into one blob. Then they do something called a "hash." They use SHA-256, which is a - SHA stands for Secure Hashing Algorithm. The listeners that have been listening to the podcast for years know what that means.
For people new to this, a hash is what's called a one-way function. You can take any amount of text or anything, binary data, anything, any amount of data, and run it through this process called "hashing," which always results in a fixed-size thing, sort of a fixed-size token. And what's unique about this is it is "computationally infeasible," is the technical jargon that cryptographers use, to go the other direction. That is, it's very easy to put stuff into this - think of it like sort of as a meat grinder. But it's impossible to ungrind the meat. It's been ground up. It's been completely - it's been turned into this 256-bit result such that anything you change in the input changes everything about the bits in the output. Yet anybody, no matter how much they want to, no matter how much they look at it, they can't go the other direction.
So the idea is that when you log in, when you give your system your LastPass username and password, the first thing it does is it runs it through this SHA - it lowercases the email address, removes the white space, adds the password, and then it does this hash to it, turning it into a 256-bit blob which tells the blob holder nothing about your username and password. It's just like it's been digested into this thing. In fact, hashes are called "digests," also, for that reason.
What that is, is that is your cryptographic key. That's the key which your system will use, both to encrypt your data which is being shared with LastPass Corporate, and also to decrypt it when LastPass Corporate sends this back to you. They're holding the encrypted results of your own personal database, just because that's what they do. That's the service they provide, essentially, that and creating all these amazing plug-ins for everything anyone's ever heard of. So but what they're holding, they have no ability to decrypt. They never get the key. That never leaves your system.
Now, they do need to know that it's you. That is, they need to know that it is you who are logging in. And so there needs to be an authentication process, so you identify yourself to them. But we don't want them to get the key. So what they do is, they take that key, the cryptographic key, and they add your password to it, that is, they concatenate your password to your cryptographic key, and they hash that. So they do another one-way function on your crypto key with your password, which they don't know because they never get it. But they get another blob.
So this second blob, this second output from the hash, that's your unique ID. That is, the only way to get that is if you take your username and password, hash it, then add the password to that and hash it again. So it absolutely depends upon both of those pieces of information. So then your username and that goes to LastPass to identify you. And because that contains your password twice hashed into it, nobody who doesn't have your password, even if they have your email address, is able to produce that blob. So you have to have your email address and your password run through this hash twice to get that blob.
But notice that your cryptographic key, which is sort of the first byproduct of that because that's the output from the first hash, that goes into the second hash but is lost in the hashing process, thanks to it being mixed with your password. So the LastPass people never get your crypto key. They get a different unique token that identifies you to them so that you're able to log on securely to their facility. And these guys are so paranoid that they don't even save that on their servers. They don't even save that special logon blob, the output from that second hashing process.
Instead they, at the time you create your account, they come up with, they use a random number generator at their headquarters to create a unique 256-bit token which they save with your account. And whenever you're logging in, they take this 256-bit blob you're sending them that's the result of these two hashing processes. They add that to this unique 256-bit random number, and they hash that. And that's what they compare to what's stored with your account. Which is to say they never store that logon token. They store the result of hashing that logon token with a unique 256-bit value that they created for you. So they dynamically see if it's the same, but they never save your logon token. They just - they don't want it. They don't need it. So they're able to perform a dynamic check whenever you need to authenticate, but they don't keep it statically.
So, I mean, this thing is secure every way you can imagine. And it's simple. The reason it appeals to me is that there's no hocus-pocus, there's no mumbo-jumbo, I mean, I can explain it to you and understand it, which means I believe it. Because there's no, oh, then a miracle happens, and just trust us. That's not necessary. The result of this 256-bit hash where they take your username and password and hash that to get the key for the encryption, that is used with the industrial-strength, maximum-strength, AES 256-bit cipher that we've talked about, which takes 128-bit blocks at a time and turns it into 128 bits of gibberish under the influence of the key.
So the whole concept here is that we establish a database of domains that we're logging into, and usernames and passwords for those domains. And this is our personal database. And the beauty of this, and I've been playing with this now for about a week, is that, for example, I did change a couple passwords because I'd been a little lazy, too. And I thought, okay, now's the time. So I changed those passwords here at home on my system in Firefox, and changed them in the website. And LastPass watched me change them. I said, okay, remember this. And LastPass remembered it.
And then the next morning on my iPad I wanted to log into the site. Well, I didn't write it down. I mean, you can't write these things down. Well, you could, but it would be a pain. Using my iPad, and I don't remember if I was using the bookmarklet for the iPad which is easy to create, and I have, or LastPass's own iPad tabbed browser which they have available. But whichever, I opened the site, went to the logon page, LastPass saw - oh, it was the tabbed browser because it was an automatic process. The bookmarklet, you invoke it to fill in the form. It won't do it for you automatically. When you're using any of these plug-ins which are so widely available on virtually any browser that allows a plug-in, they've done that. And this is all cross-platform - Windows, Mac, and Linux - all of this stuff.
So it automatically saw that I was at the logon page, populated the form, and hit login button for me. So the whole process was automatic. I mean, frankly, I've been spoiled now in the last week because this thing works so well. And my point was that, because this exists in the so-called "cloud," in the Internet that we're all connected to, the change that I made in the logon credentials for that site, whatever it was, I don't remember now, it was stored by LastPass. The plug-in resynchronized itself with LastPass Corporate, and they're on several continents and several different data centers. They back up themselves locally, and then they back up using Amazon's S3 service nightly so that that's all being kept safe. And we'll talk about what happens if they go away in a second. And then the next morning on a machine I had not used, on a platform I had not used, I was able to log in seamlessly using these new credentials because it was synchronized through the Internet. I mean, it's absolutely perfect.
Now, now we've established this fantastic database, different passwords for everything. But we're dependent upon it. We can't function without it because we're no longer using something simple that we've memorized, or we're no longer using something complex, like our one master galactic password that we're using everywhere, because we know that's not safe. But now we've become utterly dependent upon LastPass. I mean, it holds the login jewels to our entire online existence. So is that safe? I mean, can we depend upon it? Well, we don't have to. They have covered that base, too. They have a standalone executable, a standalone gizmo. I'm trying to think of what it is they call it. Not Sesame, that's their one-time login deal. I've got it written down here somewhere. Maybe, oh, LastPass Pocket.
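As an added illustration (not from the post or from LastPass's own code), here is the key-derivation and login scheme exactly as Gibson describes it above: the client derives the encryption key as SHA-256(lowercased, whitespace-stripped email || password), sends only SHA-256(key || password) as its login token, and the server stores just a random per-account 256-bit value and the hash of the token with that value. The `Server` class and function names are my own; the sample account and password are constructed.

```python
import hashlib
import hmac
import secrets


def normalize_username(email: str) -> str:
    """Sanitize the username as described: lowercase it and drop all whitespace."""
    return "".join(email.lower().split())


def derive_encryption_key(email: str, password: str) -> bytes:
    """First hash: SHA-256(normalized email || password). This 256-bit value is the
    AES key for the vault and, in the described design, never leaves the client.
    (Note for defenders: a single fast SHA-256 lets an attacker who obtains the
    vault test guesses very quickly; a slow, salted KDF is the modern fix.)"""
    material = normalize_username(email) + password  # password is left untouched
    return hashlib.sha256(material.encode("utf-8")).digest()


def derive_login_hash(key: bytes, password: str) -> bytes:
    """Second hash: SHA-256(key || password). Sent to the server as the identity
    token; the key itself is lost inside this one-way function."""
    return hashlib.sha256(key + password.encode("utf-8")).digest()


class Server:
    """Hypothetical server side: keeps, per account, a random 256-bit value and
    SHA-256(login_hash || random); the login hash itself is never stored."""

    def __init__(self) -> None:
        self.accounts: dict[str, tuple[bytes, bytes]] = {}

    def register(self, email: str, login_hash: bytes) -> None:
        rand = secrets.token_bytes(32)  # unique 256-bit value created at signup
        self.accounts[normalize_username(email)] = (
            rand, hashlib.sha256(login_hash + rand).digest())

    def authenticate(self, email: str, login_hash: bytes) -> bool:
        record = self.accounts.get(normalize_username(email))
        if record is None:
            return False
        rand, stored = record
        # Recompute dynamically and compare in constant time; nothing static is kept.
        check = hashlib.sha256(login_hash + rand).digest()
        return hmac.compare_digest(check, stored)


def client_register(server: Server, email: str, password: str) -> None:
    key = derive_encryption_key(email, password)
    server.register(email, derive_login_hash(key, password))


def client_login(server: Server, email: str, password: str) -> tuple[bool, bytes]:
    """Returns (authenticated?, local encryption key). Only the login hash is sent."""
    key = derive_encryption_key(email, password)
    return server.authenticate(email, derive_login_hash(key, password)), key
```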