Failed login attempts


Postby mtd91429 » Wed Jul 25, 2012 10:37 am

I was trying to convince my gf last night to use LastPass. She had a number of questions that we were able to figure out; however, I couldn't find the answer to this:

If there are a series of failed login attempts to the LastPass vault, does the software have automatic security features to prevent data loss? For example, after 10 failed login attempts, the local cache of encrypted passwords is automatically flushed - and/or the account information is locked down on your servers.

I'd imagine that this program has something in place to address this, I just couldn't find an answer. Any help is appreciated.
mtd91429
 
Posts: 5
Joined: Wed Jul 25, 2012 10:28 am

Re: Failed login attempts

Postby kilgry » Wed Jul 25, 2012 11:51 am

First, there is online and offline mode.

In offline mode, it is possible for someone to grab your encrypted data file and make attempts on it as fast as is possible outside of the LastPass client. This is why the "number of iterations" setting is important; it slows down those attempts. With a strong enough password, you can pretty much ensure that a brute force attempt will take more years than you or the hacker will be around.

Now, in online mode (or better known as offline mode disabled), the hacker does not have access to your data file and must download it from LastPass' servers. My understanding is that there is a lock out timer. However, even if there wasn't, the number of attempts a hacker can make against the servers is much less than could be achieved against a local encrypted file.

So, make your LastPass master password strong, complex and 14+ characters. That will last you about 60+ years, unless someone finds a way to hack the file without brute force.
kilgry
 
Posts: 817
Joined: Sun Feb 13, 2011 5:41 pm
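
The effect of the "number of iterations" setting and of password length on offline guessing, as an added example that is not part of the original thread or LastPass code. It assumes the setting is a PBKDF2-HMAC-SHA256 iteration count; the iteration values, the 94-symbol alphabet and the worker count are constructed for illustration.

```python
import hashlib
import math
import os
import time

SECONDS_PER_YEAR = 365.25 * 24 * 3600

def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """One offline guess costs exactly one of these derivations."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)

def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Measure the local wall-clock cost of a single guess (best of `samples`)."""
    salt = os.urandom(16)
    best = math.inf
    for _ in range(samples):
        start = time.perf_counter()
        derive_key("constructed-guess", salt, iterations)
        best = min(best, time.perf_counter() - start)
    return best

def password_bits(length: int, alphabet: int) -> float:
    """Entropy of a uniformly random password of `length` symbols."""
    return length * math.log2(alphabet)

def average_years(length: int, alphabet: int, guess_seconds: float, workers: int = 1) -> float:
    """Expected time to search half the keyspace at the given per-guess cost."""
    guesses = alphabet ** length / 2
    return guesses * guess_seconds / workers / SECONDS_PER_YEAR

if __name__ == "__main__":
    for iterations in (1, 500, 5000, 100_000):  # constructed settings
        cost = seconds_per_guess(iterations)    # measured on this machine, one core
        for length in (8, 14):
            years = average_years(length, 94, cost, workers=1000)
            print(f"iter={iterations:>7} len={length:>2} "
                  f"bits={password_bits(length, 94):5.1f} "
                  f"guess={cost * 1e3:8.3f} ms  avg={years:.3e} years")
```

The per-guess cost grows linearly with the iteration count, while each extra random character multiplies the search space by the alphabet size, so length dominates. The figures only hold for uniformly random passwords.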

Re: Failed login attempts

Postby JoeSiegrist » Wed Jul 25, 2012 1:23 pm

mtd91429 wrote: If there are a series of failed login attempts to the LastPass vault, does the software have automatic security features to prevent data loss? For example, after 10 failed login attempts, the local cache of encrypted passwords is automatically flushed - and/or the account information is locked down on your servers.


We have brute force protection at the server (and if you log in using LastPass while online you'll hit the server). You'll receive an email locking you out for a time period and notifying you that someone is attempting to log in.

We do not have any solution to offline, other than utilizing multi-factor like Grid or Yubikey, and making a strong master password. While we could flush the data after a certain number of attempts, a sophisticated attacker could attempt to check passwords without using the program, so it'd be a false sense of security.
JoeSiegrist
 
Posts: 4144
Joined: Wed Aug 20, 2008 10:40 am

Re: Failed login attempts

Postby kilgry » Wed Jul 25, 2012 2:47 pm

Joe, in the offline mode, is Grid required if the hacker already has your encrypted data blob?
kilgry
 
Posts: 817
Joined: Sun Feb 13, 2011 5:41 pm

Re: Failed login attempts

Postby JoeSiegrist » Wed Jul 25, 2012 2:59 pm

kilgry wrote: Joe, in the offline mode, is Grid required if the hacker already has your encrypted data blob?

No, Grid and Google Authenticator are simply used to prevent downloading your encrypted data -- Yubikey and Sesame actually encrypt that data locally with the static key in Yubikey and Sesame with a certificate.
JoeSiegrist
 
Posts: 4144
Joined: Wed Aug 20, 2008 10:40 am

Re: Failed login attempts

Postby kilgry » Wed Jul 25, 2012 5:00 pm

Thanks for the clarification.
kilgry
 
Posts: 817
Joined: Sun Feb 13, 2011 5:41 pm

Re: Failed login attempts

Postby Lars » Wed Jul 25, 2012 5:29 pm

JoeSiegrist wrote: Yubikey ... actually encrypt that data locally with the static key in Yubikey...

So changing the static part of your Yubikey will force LastPass to re-encrypt your locally stored data?
Lars
 
Posts: 2169
Joined: Wed Jul 14, 2010 10:48 pm
Location: So Cal

