Configuring Password Security Levels using LastPass Identities

The new LastPass identity system can also be used to separate online accounts by security level. This is particularly important for cryptocurrency users who can be exposed to unique attack vectors.

By Colin McCrae

The importance of online security has increased continuously since the invention of the internet, and shows all the signs of becoming an even higher profile issue in the future.

In the early days of the internet, the most important online account that most people had was an email address provider. Access to this account could be used to reset other online account passwords, compromise personal communications, and spread computer viruses.

As the internet developed, online banking and general finance became common, and there was a social media explosion. The stakes involved in a personal online security breach were now higher. An attacker could impersonate you on your social media accounts and potentially drain funds from your online banking accounts. However, much of this damage was short term and reversible once you regained access to your accounts. The banks generally insured online customers against fraud, and social media account graffiti could be removed once access was restored.

The advent of the internet of value in the form of blockchains such as Bitcoin and other cryptocurrencies has ushered in a new era with even greater stakes for poor security practices. If an attacker gains access to the private keys or mnemonic seeds for your cryptocurrency accounts, your coins are gone. Blockchain transaction are irreversible, often untraceable, and there is rarely any insurance to fall back on. In short, your money is gone for good.

Hence online security has gone from being a major issue for most users, to a critical issue for cryptocurrency users. A small lapse in security can lead to all your funds being stolen. Individual users can face ruin, and blockchain organizations can at best lose credibility, and at worst may not be able to recover from a serious attack.

Defining Security Levels

As we have discussed above, the consequences of an attack on an online account depends very much on the type of account we are talking about. The consequences of an attacker discovering your login details to a cooking recipe website is vastly different from your login details to a cryptocurrency exchange.

When using LastPass, or any major password manager, the default is for a single login password (and optional 2FA code) to provide access to all your online accounts.

This could leave you vulnerable to attack, especially when using your laptop or phone in public places (such as at a coffee shop). You may need to simply login to an airline’s website, so you first login to your password manager. However, this action has unlocked access to all your online accounts, including potentially private keys to cryptocurrency and mnemonic seeds. An attacker having identified you as a cryptocurrency owner would simply need to swipe your unlocked laptop (with your password manager unlocked) to gain access to all this information.

This attack vector can be mitigated using a new feature that LastPass has implemented called ‘identities’. The idea behind identities is that you can segregate different types of online accounts (such as keeping work accounts separate from personal accounts). When you are logged into your ‘work’ identity, you will only see your work accounts — your personal accounts are not even visible.

The new LastPass identity system can also be used to separate out accounts by security level. For example, you could have an identity called ‘Low’ which only allows access to online accounts which you are happy to use in a public space such as a coffees shop, and does not allow access to any cryptocurrency accounts where you have value stored.

Several categories / security levels can be defined. Defining these levels is a somewhat subjective task, and will differ from person to person. The following list is my attempt to detail various security levels for my online accounts (in decreasing importance).

Moving cryptocurrency / unlocking devices. Information which would give an attacker the ability to move cryptocurrency into an account they control. This includes private keys, the login details / mnemonic seeds for online HD wallets, 2FA keys (where the associated usernames and passwords are also accessible), desktop wallet keys / passwords, and the PIN / password of your devices (phones, tables, laptops, desktops). Password reset / critical data. Information which would allow an attacker to reset some of your passwords, and allow them to access your data which may contain additional critical information. This includes the login details to your email (e.g. Gmail), Apple, Microsoft, Dropbox, etc. In this category, I would also include the ability to access cryptocurrency accounts, but not the what is required to move coins (e.g. Poloniex, Kraken, Bittrex, and Coinbase login details if you don’t have 2FA set-up). Traditional online services. This final category encompasses all other ‘traditional’ online services. The ability to spend old fashioned fiat money (banking, finance, Amazon, eBay, PayPal, online shopping), social media (Twitter, Facebook, Instagram), identity information: passport, social security / national insurance number, bank card numbers), and everything else (entertainment, travel, utilities).

There are two main philosophies:

A ‘cascading’ system where if you access the top level (‘High’ security) you can also access all levels below that A ‘silo’ system where you can only access the data in the level you are signed-in.

I would argue for a cascading system, since when you are accessing the top security level, you would ensure you are in a sterile environment (on a secure trusted network connection, on a secure device, nobody looking over your shoulder, etc.)

Configuring LastPass Identities

Having determined that LastPass identities can be used to segregate online accounts based on their security level, the next step is to implement such a system to your existing LastPass account. The following guide describes how this system could be set-up in LastPass.

The pre-requisites for following this methodology are:

You have a LastPass account, which you use to store your online account details and other private data. You have the Google Chrome LastPass plug-in installed. You have decided whether you want a three-tier (High / Medium / Low) set-up, or a two-tier (High / Low) set-up.

If you meet those pre-requisites, then follow the step-by-step guide below to configure your LastPass:

Log into LastPass by clicking on the grey Chrome plug-in icon, entering your master password and 2FA verification code. The icon should then be red (logged in). Access your LastPass vault page by clicking on the LastPass plug-in icon in Google Chrome and selecting ‘Open my Vault’. Set-up a folder structure in LastPass that matches your security policy. Each folder should only have items of one security level in it. For example, I have split my ‘Crypto’ folder into two folders: one called ‘Crypto (H)’ and one ‘Crypto (M)’. Crypto (H) is the one that contains information that by itself could be used to move my crypto (private keys). Crypto (M) does not. Naming your folders in such a way will make it much easier to create and manage identities. If you decide to use a cascading system, then the default ‘All’ identity can be used as the ‘High’ level security folder. A cascading system is where you can also access everything from lower security levels from within the current one. If you are creating a three-tier (High / Medium / Low) system, then create a new identity in LastPass called ‘Medium Level’. If you are creating a two-tier system, then call it ‘Low Level’. This is done via: More Options -> Manage Identity’s -> Red ‘+’ button on the bottom right. In the pop-up window that appears, ensure ‘Require Password Reprompt’ is ticked under ‘Advanced Settings’. Drag and drop all the items in all the folders which you have decided are medium or low security level details (basically, everything that is not high level). You can hold ‘Shift’ to select an entire folder’s worth of items. Check that this works. From the Manage Identity’s page, hover over the new ‘Medium Level’ or ‘Low Level’ identity and click the ‘Enable’ button that appears. It will prompt you for your master password. Click back to the ‘Sites’ page using the left-hand menu bar and ensure that only the items you dragged and dropped are available. There should be no high-level security items visible. Log out of LastPass completely using the drop-down menu on the top right which should now be labelled ‘Medium Level’ or ‘Low Level’. Log back into LastPass by clicking on the (now gray) Chrome plug-in icon, entering your master password and 2FA verification code. Check that you are still only logged into the ‘Medium Level’ or ‘Low Level’ identity, and that no high-level items are accessible. If you are setting up a three-tier system, then repeat Steps 5–10 for a second identity called ‘Low Level’. Ensure all your devices where you have LastPass installed are logged into the ‘Low’ level identity. LastPass will remember the last identity you were logged into and will return to that identity when you next log in. You can switch identities at any time when you logged in.

Notes on Using Identities

It is easier to manage a two-tier system compared to a three-tier system. Having email as ‘Medium’ level means that you will frequently be operating LastPass in ‘Medium’ level mode unless you leave you email logged in all the time. It is only worth having a ‘Low’ level mode if it can be used exclusively in coffee shops most of the time, without any need for going into the ‘Medium’ level identity. You should consider ‘Low’ level to be ‘coffee shop mode’. Each time a new ‘Low’ level item is added to LastPass, you will need to go into identities and add it to the ‘Low’ level identity (and the ‘Medium’ level identity for a three-tier system). For a three-tier system only, each time a new ‘Medium’ level item is added to LastPass, you will need to go into identities and add it to only the ‘Medium’ level identity. Once you are done using the ‘All’ high level identity on any device, you must switch back to the ‘Low’ level identity. If you simply log out, or leave LastPass to time out and automatically log out, then next time you login, you will be straight back into the ‘All’ high level identity. If someone manages to get your master password, none of this matters — they will have access to all your items until LastPass is logged out and then requires 2FA to log back in.

Standard Security Philosophies

The following are general guidelines that you should follow to ensure a basic level of security online.

Use a password manager (such as LastPass) for everything, with one master password which you remember off the top of your head. Your master password should have around 80 bits of entropy. Every password you use should be unique and difficult. I use LastPass to generate unique 16-character case sensitive alphanumeric passwords including symbols for every website I sign up to. This is 98 bits of entropy, which is more than sufficient. Enable 2 Factor Authentication (2FA) wherever it is offered. Never use SMS authentication as 2FA since this can actually reduce your security (this can be hacked very easily via a phone call to your service provider and used to reset your password). Only use ‘real’ 2FA like Google Authenticator or Authy. Store all your 2FA secret keys in a Level 1 password vault in case you your phone is lost / stolen. Never sign into new sites using the credentials for another site (e.g. Google, Facebook, etc.). Never give real answers to ‘security questions’. First, try to avoid security questions completely. If the website insists, then treat the answers to these as passwords (generate unique and difficult passwords using LastPass). Don’t ever secure a laptop or phone which you leave logged into services such as email using only biometrics (e.g. facial recognition, thumbprint). This technology can currently easily be fooled, giving a thief access to your email. I use a 6-digit PIN for these devices which you memorize (a good compromise between ease of use and security). Keep cryptocurrency off exchanges such as Poloniex, Kraken, Bittrex, Coinbase, etc. You do not have the private key when your tokens are on these exchanges. As the adage goes, ‘if you don’t own the private key, you don’t own the crypto’. If these exchanges are hacked, or an insider moves all the tokens, or they are shut down by the authorities, you could lose all your tokens.

Further Reading

It is highly recommended to read the following:

Piper Merriam’s guide to securing your digital life. This is a great guide for setting yourself up to be secure online, and it repeats many of the ‘standard security philosophies’ above plus much more.

—

If you found this article interesting, please hold down the clap button below. Follow me on Medium to see more content like this.

I am currently working on EdgeFund, an open-source platform which offers a decentralized shared bankroll on the Blockchain. To learn more about EdgeFund, please visit our website. Join our Telegram group to chat to the team and follow us on Twitter!