LastPass Acknowledges Possible Security Breach
LastPass, the Web-based password storage service I wrote about late last year (see “LastPass Acquires Xmarks,” 13 December 2010), has announced that they recently discovered suspicious network activity on their internal network and, upon investigation, determined that a limited amount of data may have been accessed. The company locked down all accounts to prevent access from unknown locations, announced their findings on their blog, and spoke with the media.
Further analysis failed to provide any direct evidence that customer data was accessed, but in the worst case scenario, LastPass has said that only LastPass login account credentials — your email address, master password, and master password hint — may have been leaked, and even then, only in encrypted form. Other data associated with user accounts, such as site usernames and passwords, form fill data, billing information, etc. was not taken. For a full Q&A about the incident, see the LastPass Status page.
The practical upshot for LastPass users is that if your master password is a strong one — avoiding dictionary words, including numbers and punctuation, and sufficiently long to withstand a brute force attack — you have nothing to worry about. But it probably doesn’t hurt to change it anyway, and to make sure that it’s not shared with other sites. Either way, if you attempt to log in from another location (or if someone posing as you does), LastPass requires you to validate your email address until you change your master password or confirm that you’re comfortable with it. That should prevent any access to your account, even if passwords were compromised.
The mere fact that this breach happened gives credence to the concern about storing password or other confidential information online; although LastPass’s security is probably a lot better than that of most companies and individuals, they’re an obvious target for direct attack. It’s unlikely criminals would attack an individual specifically, but would instead rely on malware and social engineering (see “Beware Fake MACDefender Antivirus Software,” 2 May 2011). So storing passwords within 1Password on your Mac is likely safer, and sharing them among multiple devices via Dropbox isn’t unreasonable, since even if Dropbox security were breached, 1Password’s password file would still be encrypted.
Nonetheless, LastPass appears to have handled the situation about as well as possible, and far better than some other recent security breaches, such as the one that hit the Sony PlayStation Network. That’s a good sign, and an indication of how seriously they take security.
In the end, only you can decide if the convenience of LastPass’s automatic login capabilities and machine independence are worth the additional risk of storing your passwords online with a third party. It may be that LastPass is worthwhile, for instance, but only for sites where you’re required to log in purely as a way of identifying yourself, and where there’s no sensitive information stored.
Adam, thank you for such a measured, non-hysterical piece. Can I just make one point?
You suggest that people who are now uncomfortable with LastPass store an encrypted password file on Dropbox, reasoning that even if someone were able to break into a Dropbox account, they still couldn't get the passwords without breaking the encryption on the file.
But this is exactly how LastPass works. LastPass's servers only see an encrypted version of your password file. Everything is encrypted client-side. Even assuming the bad guys made off with LastPass's data, it was encrypted data that would have to be broken to be useful.
If someone is so careful/paranoid that even LastPass's security isn't good enough, that person should not store passwords in the cloud -- period.
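To make the client-side design described in the comment above concrete (and the article's earlier point that everything then rests on master-password strength), here is an added Python model; it is not LastPass's own code. The split of the PBKDF2 output into a vault key and a login verifier, the iteration count, and the HMAC-based stand-in cipher are assumptions made so the example runs on the standard library alone.

```python
import hashlib, hmac, json, os

KDF_ITERATIONS = 100_000  # assumed cost parameter; higher makes offline guessing slower

def derive_keys(master_password: str, salt: bytes, iterations: int = KDF_ITERATIONS):
    """Stretch the master password; return (vault key, login verifier).
    Only the verifier is ever sent to the server; the vault key stays on the client."""
    km = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, 64)
    return km[:32], km[32:]

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Constructed stand-in for a real cipher such as AES: HMAC-SHA256 in counter mode.
    blocks, counter = [], 0
    while sum(map(len, blocks)) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]

def encrypt_vault(vault_key: bytes, vault: dict) -> dict:
    plaintext = json.dumps(vault, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(vault_key, nonce, len(plaintext))))
    tag = hmac.new(vault_key, nonce + ct, hashlib.sha256).digest()  # detects tampering
    return {"nonce": nonce.hex(), "ciphertext": ct.hex(), "tag": tag.hex()}

def decrypt_vault(vault_key: bytes, blob: dict) -> dict:
    nonce, ct, tag = (bytes.fromhex(blob[k]) for k in ("nonce", "ciphertext", "tag"))
    expected = hmac.new(vault_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password or tampered vault")
    return json.loads(bytes(c ^ k for c, k in zip(ct, _keystream(vault_key, nonce, len(ct)))))

def enroll(email: str, master_password: str, vault: dict) -> dict:
    """Everything the client uploads. Neither the master password nor any site
    password appears in it; whoever holds this record can only guess offline,
    which is why a strong master password and a slow KDF matter."""
    salt = os.urandom(16)
    vault_key, verifier = derive_keys(master_password, salt)
    return {"email": email, "salt": salt.hex(), "verifier": verifier.hex(),
            "vault": encrypt_vault(vault_key, vault)}

def server_login_check(record: dict, master_password: str) -> bool:
    """The client derives the verifier and sends it; the server can only compare."""
    _, verifier = derive_keys(master_password, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(verifier, bytes.fromhex(record["verifier"]))

def client_open_vault(record: dict, master_password: str) -> dict:
    """Only the client, holding the master password, can recover the vault."""
    vault_key, _ = derive_keys(master_password, bytes.fromhex(record["salt"]))
    return decrypt_vault(vault_key, record["vault"])
```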
Yes, I'm not so much criticizing LastPass, since I think they probably do everything pretty well. I was more pointing at the general concept of storing confidential data online versus a scenario where you maintain the data locally, but in an encrypted form, and then push it online via Dropbox. The effect may be the same as a well-designed service like LastPass, but it would be better than a badly designed service, and it would also give you some personal knowledge that the right amount of care is being taken.
One real problem with all of these services is that we have to take what the companies say at face value - it's nearly impossible to test if they're actually protecting data as well as they say they are. And even if they are, that doesn't prevent them from making inadvertent mistakes that would allow breaches.