LastPass Security Notice


It looks like LastPass has detected some suspicious activity on their system.  At this time they are not calling it a breach:

From the looks of things, attackers were able to get some non-password-related data, such as account email addresses, password reminders and salt values.  They are saying that the encrypted vault data (where actual encrypted passwords are kept) was not taken.  While this is certainly not “nothing”, it doesn’t seem to be terribly bad either.

They have a list of suggestions in the notice that are really just a good idea to do from time to time in any case:

  • Change your master password.  They will be asking everyone to do it (unless you have 2-factor authentication enabled).
  • Enable two-factor authentication.  I’ve had this turned on now for a few months using the free Google Authenticator app.  It’s a little bit of a pain when you’re in a hurry, but really it’s a very easy solution and it significantly increases the security of your data.  If you’re really security conscious, try using the Yubikey hardware token!
  • Change the password on any site where you might have re-used your master password.  This is a bad idea anyway, so go do it now (and don’t reuse your new master password).

I’ve seen a lot of posts about how stupid it is to store all your password data in a centralized location.  But really, I couldn’t disagree more.  LastPass (and several other password management sites) have been audited, investigated, and even had portions of their code released as open-source for review, and no one has found any problems with them, including some very big names in security and encryption: (I know Lifehacker is hardly a security authority, but they have a nice article covering this exact scenario)

In addition, storing passwords is what these guys do.  It makes more sense to rely on experts to do this for you than to roll your own solution.  They have the expertise to do it right (even when there is a breach, their layered defenses make it virtually a non-issue), they have the tools to detect breaches quickly and hence rapidly mitigate the damage, and they have the reputation and professionalism to let their customers know that something happened and what they are doing to fix it.  Trying to roll your own solution is like trying to write your own database engine because you can do it so much better than all those “other guys” out there.  You are deluding yourself.

Along these lines, Bruce Schneier has some good suggestions on choosing your next secure [Master] password:
