The past week was consumed by a possible security breach at my password vault vendor, LastPass. In the interest of recognizing when people do well, it's worth calling this out.

(Context: LastPass is an online vault. You choose a single, preferably very-high-strength password, and use that to encrypt a file containing all your other passwords. They store the file online, make it available to pretty much every browser you use, and integrate nicely with most of them. I use it extensively, and like it a lot.)

First of all, they show a healthy and appropriate level of paranoia. None of this is because there was a demonstrated security breach; instead, they simply keep an eye on their internal network traffic, and detected a modest blip that they couldn't account for, which *could* have been large enough to be someone stealing a modest number of password files. In an age where companies routinely try to hush up big breaches, I have a lot of respect for one that goes into full alert on the basis of mere credible evidence of a small one.

On the downside, they clearly didn't have a policy in place yet for such an incident, and a few hours of serious tail-chasing ensued. But they got their act together quickly, and started iterating solutions. Their first solution was, frankly, too draconian -- forcing everyone to change their master passwords. (The issue wasn't that master passwords had been stolen -- LastPass themselves don't have copies -- but that a determined attacker could apply brute-force dictionary attacks to break password files with weak master passwords.)

By the next day, they'd come up with a reasonably appropriate and nuanced solution: if you try to log in from an unknown IP address, they route a confirmation through your registered email address, and require you to either (a) change your master password, or (b) state that you think yours is strong enough. That seems just about right. I don't need to change mine -- while a very small number of people might be able to look at my password and understand what it's a reference to, it's fairly long and not breakable with any technique I know of. (It's not even a literal passphrase, but has been idiosyncratically mutated.) But I actually appreciate them forcing me to pause and make that decision consciously.
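As an added illustration of the control described above (this is example code written for this page, not LastPass's implementation and not from the original post), here is a minimal version of that unknown-location gate: a login from an IP address the account has never used is parked, a single-use token is sent to the registered email address, and the login completes only once the user either changes the master password or affirms that it is strong. The class and function names, the 15-minute token lifetime, and the `send_email` hook are all assumptions.

```python
"""Hypothetical 'unknown location' login gate, modelled on the policy in the post.
Illustrative code only; it is not LastPass's and assumes its own names and limits."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of the emailed confirmation token


@dataclass
class Account:
    email: str
    known_ips: set = field(default_factory=set)
    # sha256(token) -> (ip awaiting confirmation, expiry); only the hash is stored
    pending: dict = field(default_factory=dict)
    master_password_changed: bool = False


def _token_id(token: str) -> str:
    # Store a hash rather than the raw token so a leaked table is not a leaked login.
    return hashlib.sha256(token.encode()).hexdigest()


class NewLocationGate:
    def __init__(self, send_email):
        # send_email(address, token) is the caller's mail hook (assumed interface).
        self.send_email = send_email

    def attempt_login(self, acct: Account, ip: str, now: Optional[float] = None) -> str:
        """Return 'allowed' for a known IP; otherwise park the login and email a token."""
        now = time.time() if now is None else now
        if ip in acct.known_ips:
            return "allowed"
        token = secrets.token_urlsafe(32)
        acct.pending[_token_id(token)] = (ip, now + TOKEN_TTL_SECONDS)
        self.send_email(acct.email, token)
        return "confirm_by_email"

    def confirm(self, acct: Account, token: str, decision: str,
                now: Optional[float] = None) -> str:
        """Complete a parked login. decision is 'change_password' or 'affirm_strong'."""
        now = time.time() if now is None else now
        if decision not in ("change_password", "affirm_strong"):
            return "rejected: no decision recorded"
        wanted = _token_id(token)
        # Compare each stored id with a constant-time comparison so the check
        # itself leaks nothing about how much of a guess matched.
        match = None
        for tid in list(acct.pending):
            if hmac.compare_digest(tid, wanted):
                match = tid
        if match is None:
            return "rejected: unknown token"
        ip, expiry = acct.pending.pop(match)  # single use, whatever the outcome
        if now > expiry:
            return "rejected: token expired"
        if decision == "change_password":
            # A real vault would re-encrypt the stored file under the new master password here.
            acct.master_password_changed = True
        acct.known_ips.add(ip)
        return "allowed"


if __name__ == "__main__":
    outbox = []  # constructed stand-in for the mail system
    gate = NewLocationGate(lambda addr, tok: outbox.append((addr, tok)))
    acct = Account(email="user@example.invalid", known_ips={"203.0.113.7"})
    print(gate.attempt_login(acct, "203.0.113.7"))        # known IP
    print(gate.attempt_login(acct, "198.51.100.9"))       # unknown IP, email goes out
    print(gate.confirm(acct, outbox[0][1], "affirm_strong"))
    print(sorted(acct.known_ips))
```

The two design points worth noting are that the emailed token is stored only as a hash and consumed on first use, so a copied table or a replayed link does not open the account, and that the new IP is recorded only after the user has made the change-or-affirm decision, which is exactly the forced pause the post describes.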

So props to LastPass: they seem to have handled their first really serious crisis decently well. They're still on my list of recommended tools -- I commend them as a good option for managing your passwords, if you want such a system. (And I ask that, if you use them, please sign up for the "premium" package. The extra features are slight, but the price is low -- just $12/year -- and it's well worth supporting the company...)

Thanks, I've been hunting for a good solution.

I've been fond of LastPass all along, precisely because they give all the right warnings. In particular, they say as loudly and repeatedly as they can, "Don't lose your master password, because we can't help you (much) if you do!" That's exactly what I want to hear, since it implies that they aren't compromising security in the name of providing a sop to the users. (They permit a password hint in case you forget, but it's pretty clear that they are going to major lengths to avoid them ever having access to your master password.) And many of the features are just right from a security standpoint, such as a configurable auto-logout from the vault on idle.

Also, the browser integration is quite nice: I use it on all of IE, Chrome and Firefox every day. The only caveat is that each clearly had to be implemented separately, so they're all a bit different in the look-and-feel details.

But yes, give it a look...

Yup. Especially compared to the actions of others in recent weeks I have to approve of their proactivity, their constant communication (check the updates on their blog page!) and their (ultimately) sensible reaction. I too am comfortable with my master password, but appreciate that on the *possibility* that they lost encrypted data and salt information and the acknowledgement that someone might try brute-forcing an attack (actually, probably rainbow tables, but effectively the same thing if they have to use a salt) they came right out and did everything they could to close the barn door and to let people put up a new door.
