Editorials
Do LastPass Issues Point to Concerns Storing Passwords in the Cloud?
We’ve seen a number of cloud security related issues of late. Today the company dealing with them is LastPass; recently it was Amazon and Sony (Sony, in fact, is still dealing with its issues). LastPass, as we posted this morning, is dealing with a potential hack that might have compromised users’ passwords. I say might have, but LastPass is forcing users to change their master passwords and is apparently having trouble handling the load. That’s based on this updated post from the LastPass blog:
Record traffic, plus a rush of people to make password changes, is more than we can currently handle.
We’re switching tactics. If you’ve made the password change already we’ll handle you normally.
If you haven’t, the vast majority of you will be logged in using ‘offline’ mode so you can still use LastPass like normal and get back to your day; only syncing of new passwords should suffer (and you’ll see the bar).
As load lowers we’ll increase the percentage of people being sent through email validation / password changing.
For people experiencing problems, please email us at [email protected]. We have seen a few reports of bogus data post change; we think this is due to you downloading a stale copy, and if you go to LastPass Icon -> Clear Local Cache and try again it should work.
You can access your data via LastPass in offline mode or by downloading LastPass Pocket: https://lastpass.com/misc_download.php (choose your OS)
- If you have a significant other, do you share passwords with each other? What happens if one or the other of you has an accident (heaven forbid) and you need access to accounts or the like?
- Do your parents have passwords for their accounts? Do they share them with you or another sibling?
- If you use 1Password or LastPass or another solution, do you have your data files backed up somewhere other than on the machine(s) you use frequently?
- How often do you change your passwords? Is this routine, or only after you see some story about a hack or security breakdown?
- If you’re in a small office or company, does your office have a password or security policy? We qualify as a small company, and we have two people designated as the keepers of passwords for computers, the network, and the companies we do business with online. We update those lists about every quarter, which is when we change passwords as well.
- Are you an assistant or a secretary to a superior at work? Do they let you, or require you, to use their passwords for their personal or business accounts?

brianweeden
05/05/2011 at 11:47 pm
First point, they probably didn’t get hacked. If you read the blog entry, they have a standard procedure of logging EVERY packet that comes in/out of their network and figuring out what the source/reason was. In this case, they had some anomalous data they could not immediately explain, so they did the safe thing and notified everyone. If only every other firm were as security conscious.
I’m a happy LastPass user and will continue to be one. Why? Because the only thing that LastPass stores for me is a blob of noise. The passwords and all the info you store on LastPass is encrypted on your machine before it goes to them. Even your password is stored as a salted hash, so there is no way for a hacker to get your password (unlike what happened with Sony’s PSN, where they stored everyone’s passwords cleartext).
That means – worst case – that all any attacker can get from LastPass is a blob of encrypted data and the hash that contains the password. They then have to brute force the hash by trying every possible password to see if it matches. Only when they get a match can they then decrypt your blob of stored data. As long as your master LastPass password isn’t something in the dictionary and is reasonably strong, that brute force process would take decades or longer.
For a more thorough explanation of how LastPass works see this podcast: https://twit.tv/sn256
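As an added illustration of the client-side model the comment above describes (this is example code written for this page, not LastPass’s code and not the commenter’s), here is a Python sketch of a vault service where the server holds only two salts, a slow salted verifier derived from the master password, and the encrypted blob, followed by the offline guessing attack an attacker with a stolen copy of that record could run. The iteration counts, the HMAC-SHA256 counter-mode stream cipher, the domain-separation labels and the wordlist are all constructed for the example; a real client would use AES-GCM and a memory-hard KDF, and LastPass’s actual parameters are not claimed here.

```python
import hashlib
import hmac
import secrets

# Constructed parameters for this illustration; they are not LastPass's actual scheme.
CLIENT_ITERATIONS = 100_000   # password stretching done on the client
SERVER_ITERATIONS = 10_000    # extra salted hashing of the auth token done on the server
NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(master_password: str, client_salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the master password once on the client, then split the result into an
    encryption key (never leaves the client) and an authentication token (sent to the
    server). Domain separation means the server-side verifier cannot decrypt the vault."""
    stretched = hashlib.pbkdf2_hmac("sha256", master_password.encode(), client_salt,
                                    CLIENT_ITERATIONS, dklen=32)
    enc_key = hmac.new(stretched, b"vault-encryption", hashlib.sha256).digest()
    auth_token = hmac.new(stretched, b"server-authentication", hashlib.sha256).digest()
    return enc_key, auth_token


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Illustrative HMAC-SHA256 counter-mode stream cipher (a real client would use AES-GCM)."""
    out = bytearray()
    for i in range((len(data) + 31) // 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        chunk = data[i * 32:(i + 1) * 32]
        out.extend(b ^ k for b, k in zip(chunk, block))
    return bytes(out)


def encrypt_vault(enc_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC tag. Only this blob goes to the server."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = _keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(enc_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_vault(enc_key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key or a modified blob is rejected before decryption."""
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(enc_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered vault")
    return _keystream_xor(enc_key, nonce, ciphertext)


def server_store(auth_token: bytes) -> tuple[bytes, bytes]:
    """The server never sees the master password; it salts and hashes the token it receives."""
    server_salt = secrets.token_bytes(16)
    verifier = hashlib.pbkdf2_hmac("sha256", auth_token, server_salt, SERVER_ITERATIONS)
    return server_salt, verifier


def server_verify(auth_token: bytes, server_salt: bytes, verifier: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", auth_token, server_salt, SERVER_ITERATIONS)
    return hmac.compare_digest(candidate, verifier)


def build_record(master_password: str, vault_plaintext: bytes) -> dict:
    """Everything the server ends up holding for one user: two salts, a verifier and a blob."""
    client_salt = secrets.token_bytes(16)
    enc_key, auth_token = derive_keys(master_password, client_salt)
    server_salt, verifier = server_store(auth_token)
    return {"client_salt": client_salt, "server_salt": server_salt,
            "verifier": verifier, "blob": encrypt_vault(enc_key, vault_plaintext)}


def offline_guess(stolen: dict, wordlist: list[str]):
    """What an attacker holding a stolen copy of the record can do: guess master passwords.
    Every guess costs the full client and server stretching, and a password outside the
    wordlist is never found. Returns (password, decrypted vault) or None."""
    for guess in wordlist:
        enc_key, auth_token = derive_keys(guess, stolen["client_salt"])
        if server_verify(auth_token, stolen["server_salt"], stolen["verifier"]):
            return guess, decrypt_vault(enc_key, stolen["blob"])
    return None


if __name__ == "__main__":
    # Constructed sample data for the demonstration.
    wordlist = ["password", "123456", "letmein", "hunter2", "qwerty"]
    weak = build_record("hunter2", b"mail: alice@example.com / s3cr3t")
    print("weak master password:", offline_guess(weak, wordlist))
    strong = build_record("correct horse battery staple 7!", b"bank: alice / Tr0ub4dor")
    print("strong master password:", offline_guess(strong, wordlist))
```

The point the sketch makes concrete: a stolen record lets the attacker test guesses offline without talking to the server, so the only thing standing between the verifier and the vault is the cost per guess multiplied by the number of guesses a weak master password forces them to make.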
Anonymous
05/05/2011 at 11:52 pm
To be fair, Warner, lastpass is not saying “we have been hacked and all your datas belong to somebody else”.
They are saying, “we see an anomaly and to be safe are taking the aggressive step of having all our users change their master passwords.”
That, even though they point out there is little worry if you are using a strong master password phrase – as they recommend.
I use lastpass and have been very happy with it.
It is a pain to have to deal with these things – but I think they are dealing with it well.
And, as you point out – there are those people in the world and to live in it we will have to deal with their crap every once in a while.
Frankly – as is common wisdom – you don’t really know who you are dealing with in life until something bad happens and then you see their reaction.
From what we are being told about the situation currently, I felt fine about lastpass yesterday, and after seeing this today will feel even better about them tomorrow.
Anonymous
05/06/2011 at 1:25 pm
I think that’s why in both posts I’ve done on this I’ve used the word potential and possible.