Display/copy specific characters from password


Re: Display/copy specific characters from password

Postby TacticalSecurity » Sun Apr 10, 2016 12:37 am

Also based in Europe. Would like this feature adding in too please.
TacticalSecurity
 
Posts: 1
Joined: Sun Apr 10, 2016 12:35 am

Re: Display/copy specific characters from password

Postby simon826 » Wed Apr 20, 2016 5:29 am

Judging by the views this is a common problem, same here 2 banks same problem.
simon826
 
Posts: 2
Joined: Thu Jun 12, 2014 11:56 am

Re: Display/copy specific characters from password

Postby Redwoodsman51 » Mon May 16, 2016 12:38 pm

May I add another plea from the UK for this feature please?

Similar to others, I have more than one financial institution that uses specific characters selected from the whole password (and, also similarly, I suspect that it is to simplify & enable phone verification).
Redwoodsman51
 
Posts: 1
Joined: Mon May 16, 2016 12:30 pm

Re: Display/copy specific characters from password

Postby alphie » Thu May 26, 2016 2:07 am

I'm a long-time KeePass user, currently evaluating LastPass before I buy premium subscriptions for the family and make the jump. This is definitely one area where KeePass wins over LastPass. In KeePass I can press a key combo and a window pops up where I can choose the positions from the password I want: e.g. 1st, 2nd, 4th, 10th. Then it simply fills in the text boxes and submits. Detecting a form which has multiple one-character text fields should be quite robust. At the very least, LastPass shouldn't attempt to save the password in your vault from just the first one-character field.

Even the concept of more than one password/PIN (again, common for non-American financial institutions) seems to be unsupported.
alphie
 
Posts: 1
Joined: Thu May 26, 2016 1:58 am

Re: Display/copy specific characters from password

Postby mark523 » Tue May 31, 2016 3:33 am

Also a UK user, also would like this feature. Having to copy and paste specific characters is a hassle.
mark523
 
Posts: 1
Joined: Tue May 31, 2016 3:32 am

Re: Display/copy specific characters from password

Postby samharris69 » Thu Jun 30, 2016 10:50 pm

Me too.

Maybe this feature isn't needed in the US but my experience is that most banks & stock brokers that I deal with (& don't have 2FA) require this. I don't like the approach but I wouldn't count on them all changing. Have you ever tried telling a bank they are wrong?
samharris69
 
Posts: 7
Joined: Fri Sep 06, 2013 10:04 pm

Re: Display/copy specific characters from password

Postby mike808137 » Sat Jul 09, 2016 10:06 pm

Start naming names, people. Referencing "my bank" or vague "european banks" won't help any of us understand exactly what you're talking about, nor will it help LastPass reach out to those institutions to figure out a way to address this goofy login issue.

I noted someone said it is only part of the login, in that you have to provide your full password in one place and then in some other place, they only ask you for some random character(s) from the password you entered earlier.

I'm not sure that's of any actual security benefit - if the bad guys already know your entire password, they can certainly enter the partial characters any other time. It is also trivially provable that they MUST BE STORING A DIRECT COPY OF YOUR PASSWORD - one that can be STOLEN and COPIED WITHOUT THEIR KNOWLEDGE. That's the entire point of a password breach.

I seem to recall that the Europeans also believed that the world was flat too. Didn't make it any more true than the claim that Europeans are more susceptible to mass stupidity than in other parts of the world.

If your bank is doing this, they're doing security wrong as well as just inflicting pointless complexity upon their users. And that is a provable fact, just as 1 + 1 = 2. Don't reward their failed security theatre with your business or money.

Post URLs and call these security clowns out.
mike808137
 
Posts: 266
Joined: Tue Feb 24, 2015 12:04 pm

Re: Display/copy specific characters from password

Postby samharris69 » Sun Jul 10, 2016 1:25 am

mike808137 Wrote:It is also trivially provable that they MUST BE STORING A DIRECT COPY OF YOUR PASSWORD - one that can be STOLEN and COPIED WITHOUT THEIR KNOWLEDGE.

I know little about security but I'm curious. What is the trivial proof? Why cannot they store one of these 10 character passwords as 10 1 character passwords?

mike808137 Wrote:I seem to recall that the Europeans also believed that the world was flat too. Didn't make it any more true than the claim that Europeans are more susceptible to mass stupidity than in other parts of the world.

If your bank is doing this, they're doing security wrong as well as just inflicting pointless complexity upon their users. And that is a provable fact, just as 1 + 1 = 2.

Something about your attitude makes me think you are from the USA... Given that you aren't familiar with the technique it seems a big call to assume that all these banks are incompetent. But fwiw, here's some urls:
https://www.youinvest.co.uk/securelogin
https://secure.tddirectinvesting.lu/international/
https://atonline.alliancetrust.co.uk/atonline/login.jsp
samharris69
 
Posts: 7
Joined: Fri Sep 06, 2013 10:04 pm

Re: Display/copy specific characters from password

Postby mike808137 » Sat Jul 16, 2016 9:47 am

The proof is that if they are selecting any arbitrary/random character from your password to compare against the unencrypted value, then they *must* have knowledge of your actual password value. That is horrible security where one-way functions have been around for many decades.

If your bank has a copy of your password, how can they possibly *prove* any unauthorized disclosure or theft of your password was *you*. Who can prove it *wasn't* the *bank* that your password was stolen from? That is the proof.

You can't be responsible for loss of something you *don't have in the first place*. That's why anyone with any security sense at all uses one-way functions - to prove authenticity without a direct knowledge comparison. E.g. SHA256 (hash functions). It doesn't matter that they split it up or encrypt it. They have a copy of your password.

QED.
mike808137
 
Posts: 266
Joined: Tue Feb 24, 2015 12:04 pm
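
Added example (not part of any post in this thread, and not LastPass's or any bank's code): a sketch of the two storage designs the posts above argue about, one salted hash of the whole password versus the "10 one-character passwords" idea. The function names, the sample password, the 94-symbol alphabet and the low iteration count are assumptions made for the demonstration.

```python
import hashlib, hmac, os, string

ALPHABET = string.digits + string.ascii_letters + string.punctuation  # 94 symbols
ITERATIONS = 1_000  # demo value only, kept low so the example runs quickly

def kdf(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)

def enroll_full(password: str):
    """One salted hash of the whole password (the usual design)."""
    salt = os.urandom(16)
    return salt, kdf(password, salt)

def verify_full(record, attempt: str) -> bool:
    salt, digest = record
    return hmac.compare_digest(kdf(attempt, salt), digest)

def enroll_per_char(password: str):
    """Hypothetical scheme from the thread: one salted hash per character."""
    return [(salt, kdf(ch, salt)) for ch in password for salt in [os.urandom(16)]]

def verify_partial(records, answers: dict) -> bool:
    """answers maps 1-based positions to the character the user typed."""
    return all(
        1 <= pos <= len(records)
        and hmac.compare_digest(kdf(ch, records[pos - 1][0]), records[pos - 1][1])
        for pos, ch in answers.items()
    )

def guesses_needed(length: int) -> dict:
    """Worst-case guesses against a stolen record set of each kind."""
    return {"full": len(ALPHABET) ** length, "per_char": len(ALPHABET) * length}

def rebuild_from_records(records) -> str:
    """Each position is tested on its own, so the records alone give back the password."""
    return "".join(
        next(c for c in ALPHABET if hmac.compare_digest(kdf(c, salt), digest))
        for salt, digest in records
    )

if __name__ == "__main__":
    pw = "Tr0ub4dor&3"  # constructed sample password
    full, per_char = enroll_full(pw), enroll_per_char(pw)
    print(verify_full(full, "Tru&"))  # a whole-password hash cannot check a subset
    print(verify_partial(per_char, {1: "T", 2: "r", 4: "u", 10: "&"}))
    print(guesses_needed(len(pw)))
    print(rebuild_from_records(per_char) == pw)
```

The per-character records do answer a "1st, 2nd, 4th, 10th" challenge, but their worst-case guess count grows with length times alphabet size rather than alphabet size to the power of length, so salting and a slow hash add little protection to them.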

Re: Display/copy specific characters from password

Postby mike808137 » Sat Jul 16, 2016 10:07 am

I didn't say it would be easy to get these banks to change their ways. I said it was horrible security to have to have your password at all. And I assume it was mass stupidity on the part of European banks because all of the examples and posters said it was European banks doing this. The rest of the security-enlightened world don't use this technique.

If you're comfortable with your money in such a bank that has such poor security design, then LastPass probably won't help you with exercising bad judgement. Use another bank - problem solved.

I can see how it happened. It was probably to avoid rewriting their apps by adding a layer that only accesses one at a time characters on top of your original full password, possibly instead of adding a layer like encryption (because it doesn't require crypto expertise or algorithm lock-in), and can also be directly translated to physical paper and manual methods as fallback or predate computers. Since banking dates back to the Hapsburg period, such ancient practices aren't surprising. Doesn't make them the right or secure way to do things in today's world. Frankly, it is exactly keeping those dinosaurs around and part of the global banking system that makes *everyone's* banking less secure. They are the weakest link.
mike808137
 
Posts: 266
Joined: Tue Feb 24, 2015 12:04 pm
