Late yesterday Lastpass informed its users that their servers had been attacked and that all their users need to change their master passwords! Holy Shit…
I am a Lastpass user, and of course I am a bit concerned. Lastpass has been very open with communicating the attack, which is reassuring. As well, they have suggested that the attack was a brute force attack using dictionary and common words. I would guess that most users of the service have more complex passwords than that. I know I do.
In defence of Lastpass, they have disabled all their users' online access, and will slowly be allowing their users to change their passwords, which will be mandatory. For the time being, all users will have offline access to their saved passwords.
Typically when a service has such a large attack, people stop using the service.
Lifehacker was all over this story today, and posted their top picks for password managers that don’t store your passwords ‘in the clouds’. Their top 3 picks are:
- Keepass (I wrote an article on it a while ago and how to sync it with Dropbox)
- 1Password (Mac, Windows, iPhone, Android, but NO LINUX support) $40
- Keeper (Mac, Windows, Linux) $30/year for full features
For those that want to read more about the alert, here is a snippet from the Lastpass Blog. They seem to be on top of it…
We noticed an issue yesterday and wanted to alert you to it. As a precaution, we're also forcing you to change your master password.

We take a close look at our logs and try to explain every anomaly we see. Tuesday morning we saw a network traffic anomaly for a few minutes from one of our non-critical machines. These happen occasionally, and we typically identify them as an employee or an automated script.

In this case, we couldn't find that root cause. After delving into the anomaly we found a similar but smaller matching traffic anomaly from one of our databases in the opposite direction: more traffic was sent from the database compared to what was received on the server. Because we can't account for this anomaly either, we're going to be paranoid and assume the worst: that the data we stored in the database was somehow accessed. We know roughly the amount of data transferred and that it's big enough to have transferred people's email addresses, the server salt and their salted password hashes from the database. We also know that the amount of data taken isn't remotely enough to have pulled many users' encrypted data blobs.

If you have a strong, non-dictionary based password or pass phrase, this shouldn't impact you – the potential threat here is brute forcing your master password using dictionary words, then going to LastPass with that password to get your data. Unfortunately not everyone picks a master password that's immune to brute forcing.
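To make the threat in that snippet concrete, here is a small added example (my own illustration, not LastPass's code or their actual hashing scheme) that models what a leaked server salt plus salted hash lets an attacker do: every dictionary word costs one hash computation, so a master password on a common-word list falls after a handful of guesses, while a passphrase that is not on the list does not. It also goes a step beyond the snippet by showing how a hash iteration count multiplies that cost. PBKDF2-HMAC-SHA256, the constructed salt and the six-word list are all assumptions for illustration.

```python
import hashlib
import hmac

# Constructed stand-in for a "dictionary and common words" list (not a real wordlist).
COMMON_WORDS = ["password", "qwerty", "letmein", "sunshine", "dragon", "monkey"]

# Constructed server-side salt; the real one is per-deployment and secret until leaked.
SERVER_SALT = b"constructed-server-salt"


def salted_hash(server_salt: bytes, master_password: str, iterations: int) -> bytes:
    """Salted master-password hash of the kind the advisory says may have leaked.

    PBKDF2-HMAC-SHA256 is an assumption chosen for illustration; iterations=1
    approximates a plain single salted hash, larger values model a stretched hash.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), server_salt, iterations)


def dictionary_sweep(server_salt: bytes, stored_hash: bytes, wordlist, iterations: int):
    """Model the offline guess: with salt and hash in hand, each word costs one hash.

    Returns (recovered_word_or_None, guesses_made).
    """
    for guesses, word in enumerate(wordlist, start=1):
        candidate = salted_hash(server_salt, word, iterations)
        if hmac.compare_digest(candidate, stored_hash):
            return word, guesses
    return None, len(wordlist)


def exposure_report(master_password: str, wordlist=COMMON_WORDS, iterations: int = 1) -> dict:
    """Defender's self-check: would this master password fall to a dictionary sweep,
    and how much hashing work would the sweep cost (guesses x iterations)?"""
    stored = salted_hash(SERVER_SALT, master_password, iterations)
    recovered, guesses = dictionary_sweep(SERVER_SALT, stored, wordlist, iterations)
    return {
        "recovered": recovered is not None,
        "guesses": guesses,
        "work_units": guesses * iterations,
    }


if __name__ == "__main__":
    print(exposure_report("sunshine"))                 # dictionary word: recovered
    print(exposure_report("sunshine", iterations=1000))  # same word, 1000x the work
    print(exposure_report("rook-glacier-mantle-7"))    # passphrase: not on the list
```

The salt stops precomputed tables, not guessing; only a password outside any wordlist, or a hash expensive enough to make each guess costly, changes the picture.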
What password manager do you use? Do you back it all up? Or, is ‘password’ or ‘qwerty’ your password for everything? lol
- Master Passwords At Risk in LastPass Security Breach [ALERT] (mashable.com)
- LastPass “noticed an issue”, asks users to change master passwords (geek.com)
- LastPass Security Breach? (ghacks.net)
- Why LastPass data breach isn’t the last straw (download.cnet.com)