On LastPass After I lost the 2-factor Grid

So, since the first of the year, I’ve been a happy LastPass user, using the browser integrations in Chrome and Firefox.  It’s great:

  • I never need to type a password -> Especially handy if you’re projecting on screen.
  • I never reuse a password across sites -> Even salted, hashed password files can get compromised.
  • The ‘Generate Password’ feature lets me generate an arbitrary length password of arbitrary complexity -> Not vulnerable to dictionary attacks.
  • You can use a neat 2-factor authentication system.

I’ve also enabled 2-factor auth wherever I can (Google Profile, Twitter, etc.).

However, the thing with a two-factor authentication system is, you must have both factors to log in.  In my case, factor 1 is my master LastPass password, which I have to enter whenever I launch a new browser.  This is something I know.  Factor 2 is an alphanumeric grid that LastPass generated for me and that I have with me in my wallet.  This is something I possess.

It’s all well and good, right up until I opened my wallet this morning and saw I didn’t have my grid with me.  Looking online, the way LastPass sends you a cancellation link for two-factor is via your email address.  My email is... stored behind my Google Profile on Gmail, itself protected by 2-factor auth, one of which is a 20-character LastPass password.  Stuck.

My recovery for my personal Gmail is my work Gmail, protected behind... you get the idea.

I was stuck.
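The trap here is a dependency cycle: every credential's recovery path runs through another credential that is itself locked. As an added example that is not part of the post, here is a small Python script that models such a chain and reports which credentials are stranded, which of those are locked in a cycle, and which one is merely waiting on an out-of-band factor. The graph, the credential names and the hotline reset are constructed for illustration, not LastPass's or Google's actual recovery rules.

```python
"""Added example (not from the post): model which credentials you can regain
control of from a starting set of factors, and find the ones locked in a cycle."""

# Constructed recovery graph with hypothetical names. Each entry lists the
# alternative ways to gain control of a credential; a way is a set of
# prerequisites you must already control. Leaf factors (master_password, grid,
# phone, helpdesk_hotline) are things you know or physically have, never derived.
RECOVERY = {
    "lastpass_vault": [{"master_password", "grid"}],          # both 2FA factors needed
    "grid":           [{"gmail_personal"}],                   # disable-2FA link goes to email
    "gmail_personal": [{"gmail_password", "gmail_2fa"},       # normal login
                       {"gmail_work"}],                       # account recovery via work address
    "gmail_password": [{"lastpass_vault"}],                   # only stored in the vault
    "gmail_2fa":      [{"phone"}],
    "gmail_work":     [{"lastpass_vault"},                    # password also in the vault
                       {"helpdesk_hotline"}],                 # out-of-band reset
}


def reachable(ways, have):
    """Close `have` under the recovery rules: keep adding any credential for
    which at least one alternative's prerequisites are all controlled."""
    got = set(have)
    changed = True
    while changed:
        changed = False
        for cred, alternatives in ways.items():
            if cred not in got and any(req <= got for req in alternatives):
                got.add(cred)
                changed = True
    return got


def stranded(ways, have):
    """Credentials you cannot regain starting from `have`, sorted by name."""
    got = reachable(ways, have)
    return sorted(c for c in ways if c not in got)


def circular(ways, have):
    """Stranded credentials whose every alternative runs through another
    stranded credential. These are locked in a dependency cycle; a stranded
    credential NOT in this list is blocked only by a missing leaf factor, so
    it is the place to look for an out-of-band reset."""
    lost = set(stranded(ways, have))
    return sorted(c for c in lost if all(req & lost for req in ways[c]))


if __name__ == "__main__":
    morning = {"master_password", "phone"}            # grid left at home
    print("stranded:", stranded(RECOVERY, morning))
    print("in cycle:", circular(RECOVERY, morning))
    exits = set(stranded(RECOVERY, morning)) - set(circular(RECOVERY, morning))
    print("exit via:", sorted(exits))
    after_hotline = morning | {"helpdesk_hotline"}
    print("after hotline, stranded:", stranded(RECOVERY, after_hotline))
```

Run it and the morning scenario shows five stranded credentials, four of them in the cycle, with `gmail_work` as the only node blocked by a leaf factor rather than by another stranded credential; add `helpdesk_hotline` to the starting set and the whole chain unlocks. The useful habit is to keep at least one recovery path whose prerequisites are all leaf factors you control independently of the vault.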

The only thing that saved me was that my work login is resettable internally via a hotline, so I reset that (they left the uber-secure reset password on my voice mail, protected behind a PIN).  From there I began the cascade:

  1. I reset my Gmail.
  2. I reset my LastPass to remove the 2-factor.
  3. I re-engaged 2-factor with a new grid.
  4. I regenerated my Google profile password.
  5. I regenerated my work password.

Through it all, LastPass worked as advertised.  But I’d just about ‘secured’ my way out of any possibility of logging in to work this morning.

Fun times.  Gotta love security!