Justin du Coeur (jducoeur) wrote,

The past week was consumed by a possible security breach at my password vault vendor, LastPass. In the interest of recognizing when people do well, it's worth calling this out.

(Context: LastPass is an online vault. You choose a single, preferably very-high-strength password, and use that to encrypt a file containing all your other passwords. They store the file online, make it available to pretty much every browser you use, and integrate nicely with most of them. I use it extensively, and like it a lot.)

First of all, they show a healthy and appropriate level of paranoia. None of this is because there was a demonstrated security breach; instead, they simply keep an eye on their internal network traffic, and detected a modest blip that they couldn't account for, which *could* have been large enough to be someone stealing a modest number of password files. In an age where companies routinely try to hush up big breaches, I have a lot of respect for one that goes into full alert on the basis of mere credible evidence of a small one.

On the downside, they clearly didn't have a policy in place yet for such an incident, and a few hours of serious tail-chasing ensued. But they got their act together quickly, and started iterating solutions. Their first solution was, frankly, too draconian -- forcing everyone to change their master passwords. (The issue wasn't that master passwords had been stolen -- LastPass themselves don't have copies -- but that a determined attacker could apply brute-force dictionary attacks to break password files with weak master passwords.)

By the next day, they'd come up with a reasonably appropriate and nuanced solution: if you try to log in from an unknown IP address, they route a confirmation through your registered email address, and require you to either (a) change your master password, or (b) state that you think yours is strong enough. That seems just about right. I don't need to change mine -- while a very small number of people might be able to look at my password and understand what it's a reference to, it's fairly long and not breakable with any technique I know of. (It's not even a literal passphrase, but has been idiosyncratically mutated.) But I actually appreciate them forcing me to pause and make that decision consciously.
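The login rule described above, written out as an added example (this is a model of the policy as the post describes it, not LastPass's implementation; the token lifetime, the return values and the in-memory stores are assumptions). A login from an address the account has not used before is held until the account holder follows the emailed confirmation and explicitly picks one of the two options; the token is single-use and expires.

```python
import secrets
import time

# Assumed: a confirmation link is only honoured for 15 minutes.
CHALLENGE_TTL_SECONDS = 15 * 60

VALID_CHOICES = ("change_password", "attest_strong")


class UnknownIpPolicy:
    """Post-incident rule: a login from an unknown IP is neither refused nor
    completed until the account holder confirms via the registered email
    address and makes a conscious choice about the master password."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.known_ips = {}        # user -> set of addresses already seen
        self.pending = {}          # token -> (user, ip, issued_at)
        self.outbox = []           # (email, token); stands in for the mail system
        self.attested_strong = set()
        self.password_changed = set()

    def login(self, user: str, ip: str, email: str) -> str:
        if ip in self.known_ips.get(user, set()):
            return "allowed"
        token = secrets.token_urlsafe(32)   # unguessable, single-use
        self.pending[token] = (user, ip, self.clock())
        self.outbox.append((email, token))
        return "confirmation_required"

    def confirm(self, token: str, choice: str) -> str:
        if choice not in VALID_CHOICES:
            return "invalid_choice"        # the decision is mandatory, not skippable
        entry = self.pending.pop(token, None)  # pop: a token cannot be replayed
        if entry is None:
            return "invalid_token"
        user, ip, issued_at = entry
        if self.clock() - issued_at > CHALLENGE_TTL_SECONDS:
            return "expired"
        if choice == "change_password":
            self.password_changed.add(user)  # real system: run the password-change flow here
        else:
            self.attested_strong.add(user)
        self.known_ips.setdefault(user, set()).add(ip)
        return "allowed"


if __name__ == "__main__":
    # Constructed walk-through with documentation-range addresses.
    policy = UnknownIpPolicy()
    print(policy.login("alice", "203.0.113.5", "alice@example.test"))   # confirmation_required
    _, token = policy.outbox[-1]
    print(policy.confirm(token, "attest_strong"))                       # allowed
    print(policy.login("alice", "203.0.113.5", "alice@example.test"))   # allowed
```

The detail worth copying is that the decision is the price of the new address: the link does not just prove mailbox access, it forces the holder to state which of the two remediations applies to them, which is exactly the "pause and decide consciously" effect the post appreciates.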

So props to LastPass: they seem to have handled their first really serious crisis decently well. They're still on my list of recommended tools -- I commend them as a good option for managing your passwords, if you want such a system. (And I ask that, if you use them, please sign up for the "premium" package. The extra features are slight, but the price is low -- just $12/year -- and it's well worth supporting the company...)
Tags: technology
