Thursday, May 19, 2011

What does the LastPass security breach mean?

Most people in the security world - and many Internet users - have read over the past two weeks about the possible exposure of LastPass's password database. Since LastPass (which I've written about before) is a cloud password management tool, this was a major cause for concern, despite the fact that the passwords were salted - which would make them harder to figure out - many users still use poor passwords which could be easily retrieved.

The good news is that LastPass did a lot of things right, starting with their first blog post: "We noticed an issue yesterday and wanted to alert you to it. As a precaution, we're also forcing you to change your master password." They went on to explain why they were worried "we saw a network traffic anomaly for a few minutes from one of our non-critical machines" and "we found a similar but smaller matching traffic anomaly from one of our databases in the opposite direction (more traffic was sent from the database compared to what was received on the server)".

They explained what this might mean: "We know roughly the amount of data transfered and that it's big enough to have transfered people's email addresses, the server salt and their salted password hashes from the database. We also know that the amount of data taken isn't remotely enough to have pulled many users encrypted data blobs."

Best of all, they then explained who might be in danger: "If you have a strong, non-dictionary based password or pass phrase, this shouldn't impact you - the potential threat here is brute forcing your master password using dictionary words, then going to LastPass with that password to get your data. Unfortunately not everyone picks a master password that's immune to brute forcing."

They even note that they're not sure that the whole thing is an actual issue - but that they want to do the right thing: "We realize this may be an overreaction and we apologize for the disruption this will cause, but we'd rather be paranoid and slightly inconvenience you than to be even more sorry later."

Since then, LastPass has done a lot more things right and they've described it on their blog. They've done everything from providing frequent updates to trying to make sure that any future issues are handled properly. They've analyzed the mistakes they've made, and have acted to correct them, and have implemented a number of improvements to their infrastructure, design, and their overall processes.

Some of the things that I'm happiest to see are:

  • They have engaged 3rd party code reviewers and have committed to doing several reviews per year and sharing the results of the reviews.
  • They are soliciting community feedback at
  • They've split their infrastructure to keep back end systems away from their production service systems.
  • They've created a bastion host log server
To enterprise security folks, these will all look like normal best practices, and they are - but the fact that the folks at LastPass learned, and learned quickly is a great sign.

So, if you're a LastPass user, should you be worried? The answer is...probably not. While storing passwords in the cloud has some innate security risk, their reaction to the event had all the things I would want to see, and their basic technology not only appears well founded, but it also continues to get better. For now, my recommendation remains the same: if you're interested in cloud based password storage, LastPass is a good choice - and it appears that it will continue to improve. Regardless of what you use for password storage, a good master password is critical.

If you're not comfortable with a solution like LastPass, Password Safe and similar solutions can still be kept in the cloud - you just need to keep a client handy to access them once you retrieve the encrypted file.