Editorials
Do LastPass Issues Point to Concerns Storing Passwords in the Cloud?
We’ve seen a number of cloud security related issues of late. Today’s company dealing with the issues is LastPass. Recently it was Amazon and Sony. Actually Sony still is dealing with the issues. LastPass, as we posted this morning, is dealing with a potential hack that might have compromised users passwords. I say might have, but LastPass is forcing users to change their master password, and apparently having trouble handling the load. That’s based on this updated post from the LastPass blog:
Record traffic, plus a rush of people to make password changes is more than we can currently handle.We’re switching tactics — if you’ve made the password change already we’ll handle you normally.If you haven’t the vast majority of you will be logged in using ‘offline’ mode so you can still use LastPass like normal and get back to your day, only syncing of new password should suffer (and you’ll see the bar).As load lowers we’ll increase the percentage of people being sent through email validation / password changing.For people experience problems please email us at [email protected] — we have seen a few reports of bogus data post change, we think this is due to you downloading a stale copy and if you go to LastPass Icon -> Clear Local Cache and try again it should work.You can access your data via LastPass in offline mode or by downloading LastPass Pocket : https://lastpass.com/misc_download.php (choose your OS)
Obviously having an online company with a business model that includes protecting passwords raises eyebrows, as well as hackles. You have to feel for these guys. And of course every time one of these instances occur and the story breaks we see stories that question a cloud strategy of any sort. But that’s the way of the world on any topic it seems these days.
Simply put, I don’t think any system is completely secure whether it is in the cloud or on your local machine. Sure, if everything is stored locally you’ve got some peace of mind that it is in your hands, but what happens if someone rips off your machine? And in fact, I think these kind of hacks are no different than someone stealing a machine off of your desk or out of your car. There are bad people who will always seek to do bad things in order to achieve some gain and no system designed by humans is ever going to be capable of being completely safe from humans. Or from a simple mechanical failure.
I’m not saying that folks shouldn’t be concerned. You should, and you should take whatever precautions that you deem necessary. But this is one reason that I don’t allow password generators to make up passwords for me. As much of a PITA as it is, I make them up myself, and rely both on 1Password (I don’t use LastPass) to keep them stored across a network using Dropbox (also under scrutiny for security concerns) as well as an old reliable method of scribbling them down on a piece of paper that I keep tucked away in what I presume to be a secure location. I say presume, because I’m sure someone could find it if they really wanted to. Whether or not they would know what it is, is another matter entirely.
So, here are some questions for you:
- If you have a significant other do you share passwords with each other? What happens if one or the other of you has an accident (heaven forbid) and you need access to accounts or the like?
- Do your parents have passwords for their accounts? Do they share them with you or another sibling?
- If you use 1Password or LastPass or another solution do you have your data files backed up somewhere else other than on the machine(s) you use frequently?
- How often do you change your passwords? Is this routine or only after you see some story about a hack or security breakdown?
- If you’re in a small office or company, does your office have a password or security policy? We qualify as a small company and we have two people who are designated to be the keepers of passwords for computers, the network, and companies we do business with online. We update those lists about every quarter, which is when we change passwords as well.
- Are you an assistant or a secretary to a superior at work? Do they let you or require you to use their passwords for their personal or business accounts?
As you can surmise from the questions above, making sure you have a backup for any password list or strategy actually opens you up to possible security holes whether you follow an analog path or a digital one. It all comes down to a matter of how much trust you are willing to bestow, which is no different than agreeing to extend that trust to a cloud service fundamentally. Or is it?
Another way to put this is something that my grandfather always said. You stand a good chance of not drowning if you don’t go into the lake. Of course you aren’t going to enjoy swimming with your friends either.
brianweeden
05/05/2011 at 11:47 pm
First point, they probably didn’t get hacked. If you read the blog entry, they have a standard procedure of logging EVERY packet that comes in/out of their network and figuring out what the source/reason was. In this case, they had some anomalous data they could not immediately explain, so they did the safe thing and notified every one. If only every other firm was a security conscious.
I’m a happy LastPass user and will continue to be one. Why? Because the only thing that LastPass stores for me is a blob of noise. The passwords and all the info you store on LastPass is encrypted on your machine before it goes to them. Even your password is stored as a salted hash, so there is no way for a hacker to get your password (unlike what happened with Sony’s PSN, where they stored everyone’s passwords cleartext).
That means – worst case – that all any attacker can get from LastPass is a blob of encrypted data and the hash that contains the password. They then have to brute force the hash by trying every possible password to see if it matches. Only when they get a match can they then decrypt your blob of stored data. As long as your master LastPass password isn’t something in the dictionary and is reasonably strong, that brute force process would take decades or longer.
For a more thorough explanation of how LastPass works see this podcast: https://twit.tv/sn256
Anonymous
05/05/2011 at 11:52 pm
To be fair Warner, lastpass is not saying “we have been hacked and all your datas belong to somebody else”.
They are saying, “we see an anomaly and to be safe are taking the aggressive step of having all our users change their master passwords.”
That, even though they point out there is little worry if you are using a strong master password phrase – as they recommend.
I use lastpass and have been very happy with it.
It is a pain to have to deal with these things – but I think they are dealing with it well.
And, as you point out – there are those people in the world and to live in it we will have to deal with their crap every once in a while.
Frankly – as is common wisdom – you don’t really know who you are dealing with in life until something bad happens and then you see their reaction.
From what we are being told about the situation currently, I felt fiine about lastpass yesterday, and after seeing this today will feel even better about them tomorrow.
Anonymous
05/06/2011 at 1:25 pm
I think that’s why in both posts I’ve done on this I’ve used the word potential and possible.
Anonymous
05/06/2011 at 1:25 pm
I think that’s why in both posts I’ve done on this I’ve used the word potential and possible.