LastPass' Precautionary Move Sets Some Teeth on Edge
May 9, 2011 7:00 AM PT
LastPass is a password manager. Users rely on it to store the myriad user names and passwords they inevitably collect as they go about their business on the Web. With LastPass, they only have to remember one single master password. LastPass handles the rest -- including, presumably, security.
That customer-company relationship was shaken this week when the site realized there were some network traffic anomalies -- that is, unusual levels of data being transferred -- on one of their servers.
It may have been an attack; if so, data may have been transferred, possibly including stored master passwords. LastPass decided to require its users to change their master passwords just in case.
The company did not respond to TechNewsWorld's request to comment for this story, but it has been regularly updating customers on its blog. It's possible it overreacted, LastPass said.
Jumped the Gun?
"We know roughly the amount of data transferred and that it's big enough to have transferred people's email addresses, the server salt and their salted password hashes from the database. We also know that the amount of data taken isn't remotely enough to have pulled many users encrypted data blobs," LastPass said in a blog post.
So anyone with a "strong, non-dictionary based password or pass phrase" shouldn't be affected. The real threat is brute-forcing a master password built from dictionary words, then logging in to LastPass with that password to retrieve the data. "Unfortunately, not everyone picks a master password that's immune to brute forcing," the post notes.
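To make the blog post's reasoning concrete, here is an added example, not LastPass's own code: the server salt, the hash construction and the PBKDF2 iteration count are all assumed. It hashes a master password with a server-wide salt in a fast and a stretched form, and measures how long a dictionary of a given size would take against one stolen hash on this machine.

```python
import hashlib
import hmac
import time

# Constructed values for illustration; not LastPass's real salt or scheme.
SERVER_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
PBKDF2_ITERATIONS = 100_000  # assumed work factor for the stretched variant


def fast_hash(email: str, master_password: str) -> bytes:
    """Single SHA-256 over server salt + email + password.

    Salting defeats precomputed tables, but one guess costs one hash, so a
    stolen (salt, hash) pair lets dictionary words be tried very cheaply."""
    return hashlib.sha256(SERVER_SALT + email.encode() + master_password.encode()).digest()


def slow_hash(email: str, master_password: str) -> bytes:
    """Same inputs, stretched with PBKDF2-HMAC-SHA256 so each guess costs
    PBKDF2_ITERATIONS hash invocations instead of one."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               SERVER_SALT + email.encode(), PBKDF2_ITERATIONS)


def verify(stored: bytes, email: str, candidate: str, hasher) -> bool:
    """Constant-time comparison of a candidate password against a stored hash."""
    return hmac.compare_digest(stored, hasher(email, candidate))


def guesses_per_second(hasher, samples: int = 20) -> float:
    """Single-core guess rate measured from Python; an attacker's optimised
    tooling is far faster, so treat this as a lower bound and compare ratios."""
    start = time.perf_counter()
    for i in range(samples):
        hasher("user@example.com", f"candidate-{i}")
    elapsed = max(time.perf_counter() - start, 1e-9)
    return samples / elapsed


def seconds_to_exhaust(dictionary_size: int, hasher) -> float:
    """Time to try every word of a dictionary against one stolen hash."""
    return dictionary_size / guesses_per_second(hasher)


if __name__ == "__main__":
    for name, h in (("fast salted SHA-256", fast_hash), ("PBKDF2 x100k", slow_hash)):
        secs = seconds_to_exhaust(1_000_000, h)
        print(f"{name}: a 1,000,000-word dictionary takes ~{secs:.0f} s per user")
```

The point the blog post makes follows directly: a salt stops precomputation, but only the per-guess cost and the guessability of the master password decide how much a stolen salted hash is worth.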
LastPass also required users to indicate they were the legitimate password owners by coming from a familiar IP block or validating an email address.
Things went downhill from there.
As the blog went on to relate, record traffic plus a rush of users changing their passwords was more than its servers could handle. So it switched tactics, issuing another set of confusing instructions.
By Friday, the blog was telling users what to do if they saw an error contacting the server.
The Safety of the Cloud
LastPass' intentions may well have been good, but its abrupt directions to customers and then what appears to have been a shaky implementation have left some doubt as to how prepared their security provider was for, well, a security attack. It also re-ignited the debate over how safe cloud computing really is.
"The idea of using a third party that is a cloud or Web-based service to provide identity management has always been a bad idea, even though I am in direct conflict of opinion with Gartner and other analyst groups that are hell bent on pushing outsourcing and cloud-based solutions for not only data processing, but also for security and identity management," said Philip Lieberman, president of Lieberman Software.
"With sensitive resources such as identity management, the only appropriate place for the storage of credentials and their management is as an in-house resource that should not be controlled by anyone other than an employee of the organization -- so no outsourced controls -- and the servers should be under the physical control of the company," he told TechNewsWorld.
Passwords Are Old School Anyway
There are other security implications as well, though, about which customers should be thinking, Jim Fulton, vice president at DigitalPersona, told TechNewsWorld.
"Leveraging only a password to secure access to a password vault, network, application, online account or PC no longer cuts it," he said. "Stronger authentication methods like fingerprint biometrics, tokens or smart cards are now a necessity, and any company that is not leveraging multiple forms of authentication is at risk."
As for LastPass' reputation with its customers, there is no reason for them to distrust the vendor despite what has happened, Sam Alapati, senior technical director with MiroConsulting, told TechNewsWorld.
"I think this adds to the credibility of LastPass, rather than making their users want to leave LastPass," he said. "LastPass's reaction to the suspected hacking is appropriate -- one must remember that hackers may make unsuccessful passes at even highly secure systems. This incident seems to fall into that category of failed attacks."
There's no reason for customers to panic and leave LastPass, Alapati concluded, "and there are no signs that they're doing so, or are planning to do so."
Wait and See
The bottom line, said Robert Siciliano, CEO of IDTheftSecurity.com, is that the truth will emerge one way or another.
"As LastPass describes what happens, if data was stolen, it is fairly useless to the thief. As long as they are being truthful, then it should be fine for all concerned," he told TechNewsWorld. "If they are not, people will find out soon enough when their data is stolen."