Important: LastPass Security Notification

I’ve championed the use of LastPass as a master password system for the Internet for years now, and of course as recently as this past week it was again a software pick on the Windows Weekly podcast. With that in mind, it’s important that all LastPass users read the following warning and, when possible, proactively change their master password with the service accordingly.


We noticed an issue yesterday and wanted to alert you to it. As a precaution, we're also forcing you to change your master password.

We take a close look at our logs and try to explain every anomaly we see. Tuesday morning we saw a network traffic anomaly for a few minutes from one of our non-critical machines. These happen occasionally, and we typically identify them as an employee or an automated script.

In this case, we couldn't find that root cause. After delving into the anomaly we found a similar but smaller matching traffic anomaly from one of our databases in the opposite direction (more traffic was sent from the database compared to what was received on the server). Because we can't account for this anomaly either, we're going to be paranoid and assume the worst: that the data we stored in the database was somehow accessed. We know roughly the amount of data transferred and that it's big enough to have transferred people's email addresses, the server salt and their salted password hashes from the database. We also know that the amount of data taken isn't remotely enough to have pulled many users' encrypted data blobs.

If you have a strong, non-dictionary based password or pass phrase, this shouldn't impact you - the potential threat here is brute forcing your master password using dictionary words, then going to LastPass with that password to get your data. Unfortunately not everyone picks a master password that's immune to brute forcing.

To counter that potential threat, we're going to force everyone to change their master passwords. Additionally, we're going to want an indication that you're you, by either ensuring that you're coming from an IP block you've used before or by validating your email address. The reason is that if an attacker had your master password through a brute force method, LastPass still wouldn't give access to this theoretical attacker because they wouldn't have access to your email account or your IP.

We realize this may be an overreaction and we apologize for the disruption this will cause, but we'd rather be paranoid and slightly inconvenience you than to be even more sorry later.


Please read the entire post, only part of which is duplicated here.

Thanks to Deren S. for the tip.
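As an added illustration (this is not LastPass's code and is not part of the original post), the following Python sketch shows the two defenses the notice describes: a salted, stretched hash of the master password, and a second login check in which a correct password alone does not unlock the account unless the request comes from a previously seen IP block or the email address is verified. It also includes a simple policy check for the weakness the notice singles out, a master password that is just a dictionary word. The server salt, iteration count, known IP blocks and word list are constructed assumptions, not values from the service.

```python
import hashlib
import hmac
import ipaddress
import string
from typing import Iterable

# Constructed sample values; the real service's salts, iteration count and
# IP policy are not on the page and are assumed here for illustration only.
SERVER_SALT = b"server-salt-example"   # assumed: one salt held on the server, as the notice mentions
ITERATIONS = 100_000                   # assumed key-stretching work factor
WORDLIST = {"monkey", "password", "letmein", "dragon", "sunshine"}  # constructed, tiny


def hash_master_password(password: str, user_salt: bytes,
                         server_salt: bytes = SERVER_SALT,
                         iterations: int = ITERATIONS) -> bytes:
    """Derive a salted, stretched hash of the master password.

    The per-user salt stops one guess from being checked against every user
    at once; the server salt is an additional input; the iteration count
    makes each guess expensive for anyone holding a copy of the hashes.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               user_salt + server_salt, iterations)


def verify_master_password(password: str, user_salt: bytes,
                           stored_hash: bytes) -> bool:
    """Constant-time comparison of a fresh derivation against the stored hash."""
    candidate = hash_master_password(password, user_salt)
    return hmac.compare_digest(candidate, stored_hash)


def is_dictionary_based(password: str, wordlist: Iterable[str]) -> bool:
    """Policy check: a single dictionary word, optionally padded with
    digits or punctuation, is the kind of master password the notice warns about."""
    core = password.lower().strip(string.digits + string.punctuation)
    return core in set(wordlist)


def login_decision(password_ok: bool, client_ip: str,
                   known_networks: Iterable[str]) -> str:
    """Second check described in the notice.

    Returns "deny" for a wrong password, "allow" when the password is right
    and the client comes from an IP block seen before, and
    "require_email_verification" otherwise.
    """
    if not password_ok:
        return "deny"
    ip = ipaddress.ip_address(client_ip)
    for net in known_networks:
        if ip in ipaddress.ip_network(net, strict=False):
            return "allow"
    return "require_email_verification"


if __name__ == "__main__":
    # Constructed per-user salt and a sample login flow.
    user_salt = bytes.fromhex("00112233445566778899aabbccddeeff")
    stored = hash_master_password("correct horse battery staple", user_salt)
    ok = verify_master_password("correct horse battery staple", user_salt, stored)
    print("password ok:", ok)
    print("weak master?", is_dictionary_based("Monkey123!", WORDLIST))
    print("decision:", login_decision(ok, "198.51.100.9", ["203.0.113.0/24"]))
```

The point of the second function is the one the notice makes: even if someone recovered a weak master password offline, the login path still asks for proof of the email account or a familiar network before handing over the vault.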

Discuss this Article (9 comments)

davepermen
on May 5, 2011
another proof that the cloud "just works", right paul? still thinking that one day it'll just be secure, and have 100% update, and everything's safe in it?

how many times do such things have to happen to realize it might not be the way to go, except to lock in users and make them pay in some form?

pthurrott
on May 5, 2011
Chicken Little,

No, you're right. Separately and manually creating, maintaining, and remembering lengthy, complex passwords is a much better approach. Please, do keep doing that and then we'll see who was more secure after 10 years. You stick your head in the sand, and I'll start the stopwatch.

Paul

spivonious
on May 5, 2011
This is the response that should have come from Sony. Good to see that LastPass is up front and overly cautious about data that was possibly retrieved.

I do agree with David's comment. The cloud will never be used to store secure data. Hackers will always find a way to get in.

As far as passwords, I have three or four ranging in strength from 3-5 on a scale of 1-5. I use the "3" password for things that I don't care about, the "4" password for things I do care about, and the "5" password for things that would pose a serious identity theft risk if broken into. I haven't had a problem yet, and none of my passwords are susceptible to a dictionary attack, yet they're all pronounceable and easy to remember.

scottm99999
on May 5, 2011
I think David Sporri makes a good point. I'd like to add that, before trusting any data (encrypted or not) to the cloud, do some serious research on your vendor. We've had lots of breaches in the news lately (i.e. Silverpop, Epsilon, Sony, etc).
OldCabanaGuy
on May 5, 2011
I'm not sure Paul's response is appropriate as there may be other options... My choice was to pop $30 on Roboform and keep the responsibility in my court. Years later and still no regrets. I'll put my 10 years against the cloud's, anybody's cloud.
mhill36
on May 5, 2011
There's no such thing as 100% fool-proof security. The fact is that most "cloud" services are more secure than their legacy counterparts. Most people who don't use master passwords usually just use the same weak password. I don't use LastPass myself but I'm impressed with their openness and common sense approach. I don't see that very often in my field.
Waethorn
on May 5, 2011
Wow. Just wow.

Storing all your passwords in the cloud with one vendor and one password. That's just plain moronic.

I had many a discussion about this before, especially regarding Sony's recent issues. Encrypted or not, if one person finds a flaw with edge security, they can easily get access to data inside. The only way to properly lock down internal data is with proper edge security and access permissions. Encryption only makes sense for physical theft. It really doesn't protect anything if someone gets full access rights. Same thing here - if someone can break in and reset your master password to something that they know, all your other passwords are available too.

"No, you're right. Separately and manually creating, maintaining, and remembering lengthy, complex passwords is a much better approach."

It's called a "password book" Paul, and it's a lot safer locked in your home than being stored online.


swb71
on May 6, 2011
this is a lot of uproar over nothing. If you are using a truly good master password and a yubikey with lastpass then you have no concerns.

menlotechnical (not verified)
on May 7, 2011
@Sporri Not everything is a trap, and frankly anyone between 35 and 50 will be concerned about cloud security and stability, but still use dropbox and carbonite, and Amazon S3. Anyone between 20 and 29 will not think about cloud stability and will only be annoyed with outages. People under 20 will not care where they place their data or how much it costs, who sees it or when it is available. Cloud outages will be "Grandpa's outrage" and mean nothing to this youngest group.
Growing up, I liked Mainframe people but I felt mainframe operators were overly short-sighted about the failed future of Unix in the enterprise. I think there is a similar divide between generations with cloud computing safety and security vs consumer convenience. People will care less and less about cost and security. OS vendors will be forced in this direction (see Windows 8 and thin clients, Ubuntu and Ubuntu One, Google and consumer adoption of cloud life, Apple and iCloud).
Everything is changing, and there is nothing that common sense of yesteryear will do to prevent this migration.
