LastPass melts down and leaves many users (hopefully, temporarily) stranded without their passwords

Summary: Last night, the operators of LastPass noticed some anomalous behavior in their systems.

For the last several hours, I've been watching LastPass melt down and talking with many of its panicking users. It has not been pretty.

Here's what's going on. LastPass is a password manager that, by all accounts, is a best-of-breed product.

LastPass bills itself as the last password you'll ever need. It does this by storing all your site passwords in an encrypted vault and unlocking that vault with a single master password. All you need to do is remember one password, while every site can have its own unique, complex password.

Of course, the single point of failure is that one master password.

Last night, the operators of LastPass noticed some anomalous behavior in their systems. Their concern is that an attacker had somehow penetrated a server and exfiltrated account data. What lives there is not master passwords in the clear but salted hashes of them, and a hash can be attacked offline by guessing, so a weak or common master password has to be treated as compromised.

So, today, they told users to change their master passwords. All heck ensued.

First, the company didn't email each user. Instead, it posted a blog entry. This infuriated many users.

Next, LastPass decided to force all users to change their master passwords. The vault of site passwords is encrypted with a key derived from the master password (salted with the account name) rather than with some key the server holds, so changing the master password re-keys and re-encrypts the whole vault -- a very smart move, provided the new master password is not one an attacker could guess.
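As an added example, not LastPass's code and not a description of its actual scheme (the iteration counts, labels, sample vault and wordlist are constructed for this illustration, and the HMAC-in-counter-mode cipher stands in for the AEAD a real client would use), the Python below shows the two points above: the vault key is derived client-side from the master password and account name, so a forced master-password change re-keys the vault and the old key fails closed; and a leaked server-side verifier, even though it is salted and stretched, still matters, because an attacker who has the salt can run the same derivation offline against a wordlist.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional, Tuple

# Illustrative parameters only (assumption: not LastPass's real scheme or counts).
CLIENT_ITERATIONS = 10_000   # real deployments use far more
SERVER_ITERATIONS = 1_000
NONCE_LEN = 16
TAG_LEN = 32

# Constructed wordlist for the offline-guessing demonstration.
WORDLIST = ["123456", "password", "letmein", "qwerty", "password1", "iloveyou"]


def derive_vault_key(master_password: str, username: str) -> bytes:
    """Client side. The vault key comes from the master password, salted with the
    account name so two users with the same master password get different keys."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               username.lower().encode("utf-8"), CLIENT_ITERATIONS)


def login_hash(vault_key: bytes) -> bytes:
    """Client side. What is sent to authenticate: a one-way function of the vault
    key, so the server never learns the key or the master password."""
    return hmac.new(vault_key, b"login", hashlib.sha256).digest()


def stored_verifier(login: bytes, server_salt: bytes) -> bytes:
    """Server side. The server stores only this: the login hash, salted again with
    a per-account random salt and stretched. This row, plus the salt and the
    username, is what an attacker with database access walks away with."""
    return hashlib.pbkdf2_hmac("sha256", login, server_salt, SERVER_ITERATIONS)


def _subkey(vault_key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys derived from the vault key.
    return hmac.new(vault_key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a pseudo-random keystream (illustration only).
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under keys derived from the vault key. The server only
    ever stores this blob; it cannot open it."""
    enc_key, mac_key = _subkey(vault_key, b"enc"), _subkey(vault_key, b"mac")
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_vault(vault_key: bytes, blob: bytes) -> bytes:
    """Fails closed: a key derived from any other master password fails the tag check."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("truncated vault blob")
    enc_key, mac_key = _subkey(vault_key, b"enc"), _subkey(vault_key, b"mac")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered vault")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def change_master_password(old_key: bytes, blob: bytes, new_password: str,
                           username: str) -> Tuple[bytes, bytes]:
    """What the forced reset does on the client: decrypt with the old key, then
    re-encrypt under the key derived from the new master password."""
    plaintext = decrypt_vault(old_key, blob)
    new_key = derive_vault_key(new_password, username)
    return new_key, encrypt_vault(new_key, plaintext)


def offline_guess(username: str, server_salt: bytes, leaked_verifier: bytes,
                  wordlist: Iterable[str]) -> Optional[str]:
    """Attacker side, given one leaked (username, salt, verifier) row. Salting and
    stretching slow this loop down and defeat precomputed tables; they do not
    stop it. Only a master password that is in no wordlist survives."""
    for candidate in wordlist:
        guess = stored_verifier(login_hash(derive_vault_key(candidate, username)), server_salt)
        if hmac.compare_digest(guess, leaked_verifier):
            return candidate
    return None


if __name__ == "__main__":
    user, salt = "alice@example.com", os.urandom(16)       # constructed account
    weak_key = derive_vault_key("password1", user)
    vault = encrypt_vault(weak_key, b"github.com: s3cret\nbank.example: hunter2")
    print("cracked weak master:", offline_guess(user, salt, stored_verifier(login_hash(weak_key), salt), WORDLIST))
    strong_key, vault = change_master_password(weak_key, vault, "C0rrect-Horse-Battery!9", user)
    print("cracked strong master:", offline_guess(user, salt, stored_verifier(login_hash(strong_key), salt), WORDLIST))
    print("old key still opens re-keyed vault:", end=" ")
    try:
        decrypt_vault(weak_key, vault)
        print("yes (bug)")
    except ValueError:
        print("no")
```

The design point a practitioner should take from this: the forced reset protects the vault only because the key never leaves the client, and the reset is worthwhile only when the new master password is outside any wordlist; the leaked verifier for the old one remains attackable forever.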

Unfortunately, the LastPass site and the company's various password management tools apparently can't handle the load of millions of users trying to change passwords all at once.

Some users are locked out, and can't change their passwords. Some users are locked out after having changed their passwords. Some users changed their passwords and are now being told their passwords are invalid.

The problem, of course, is that if you use the last password you'll ever need, and you can't get into your passwords, you're essentially locked out of all of your systems, everywhere. LastPass does keep an encrypted cache of the vault on machines where you have logged in (see the correction in the comments), but that only helps if the cache is still there and you can still unlock it; short of regularly exporting the set, there is no other backup of your passwords.

As a result, users all over are unable to get into many of their other services. A quick read of the comments on the LastPass site will curl your hair.

Fellow ZDNet blogger Michael Krigsman (he, appropriately enough, hosts ZDNet's IT Project Failures blog) sent me his thoughts about the situation:

  • LastPass appears to have insecure network architecture. For example, their Asterisk server is on the same internal network as the password database server.
  • LastPass had decent (not great) processes, which is how they caught the problem.
  • LastPass should have had external audits performed in the past.
  • In general, there was sloppiness and not enterprise, industrial strength systems and procedures.
  • They are doing the best they can under the circumstances and are being open, which is good.
  • Some of the user comments on their blog post are asinine. LastPass is being blamed for inconveniencing users and also not providing easier ways for users to access their data. However, LastPass correctly is putting security ahead of all other concerns. Still, some users can't access email and other essential services now, which sucks for them.
  • A key issue is balancing convenience vs. security in an online world.

Right now, the LastPass situation is a clusterfrak and represents another sad-but-true example of what happens when we depend on the cloud for our services.

We'll keep watching the progress of the service, but for now at least, LastPass may be near last rites.

Stay tuned.

Webcast about how to protect yourself and your business

To learn more about how to protect your business from cyberattack, I’ll be giving a free webcast on the subject next week here on ZDNet and TechRepublic. It’s called Top 10 Tips To Protect Your Business Against Cyberattack. Believe it or not, this thing was scheduled way before the LastPass and Sony messes began. That said, there will be lots of tips and techniques for keeping yourself safe. It’s worth a tune-in.

P.S. Personal note: This really bugs me. LastPass is a small company with a good product and an attempt at best practices. Criminals breaking into sites like this do nothing but harm. This is why cyberattacks are so dangerous and why we should chase down these criminals and bring them to justice no matter where they are in the world.

About

David Gewirtz, Distinguished Lecturer at CBS Interactive, is an author, U.S. policy advisor, and computer scientist. He is featured in the History Channel special The President's Book of Secrets and is a member of the National Press Club.

Talkback

13 comments
  • The Cloud

    I am not a big fan of cloud services, and this is before Amazon, Sony and LastPass issues. The work that I do needs 99.9999% or better availability, at least as far as internet connectivity. That's a little over 5 minutes of downtime per year. Systems need very close to 100% uptime.

    I have been piloting LastPass for about a month, with pretty good success (our legacy PW manager is Roboform). It's a great product and a good little company. I know it's little since one of their top people emailed me a response to an inquiry within an hour. I hope the company doesn't end up getting a huge black eye because of this, as they are a good little company with huge upside potential.

    Cloud based services have their limitations, so you always need a backup or contingency plan. And they are not the cure-all for data center problems.
    matricellc
  • Minor correction to your article

    Lastpass does store your database locally; it is encrypted just like the remote data is, with a salt of your username/password combo. The salting is done locally, so the only data that is sent over the internet is encrypted data (another plus to your security). Lastpass will work while their servers are down, and you can download their pocket version of their program, which will allow you to access the data locally, export an encrypted file of your data and even (be very careful here) export an unencrypted version. Best practice is for each user of lastpass to have a routine of backing up at least an encrypted version from your local database, so in major issues, or even if the company goes under, you still have your data. The SecurityNOW podcast covers this in great detail. Now I am screwed on 1 PC in my house because, not knowing lastpass was having an issue, I cleared my local cache trying to fix the problem. Now on that PC it's gone, and until lastpass comes back to full tilt I am screwed on that PC. (I also forgot to do a backup of my wife's account, so all her data is ONLY on lastpass at the moment, something I plan on fixing when lastpass returns.) This just identified a problem with my own security and backup policy, not a problem with lastpass. Yes, I am frustrated Lastpass is down temporarily, but I am more frustrated with my own planning. This event has shown me a major hole in my own plans that I need to fix.
    MrThirteen
    • RE: LastPass melts down and leaves many users (hopefully, temporarily) stranded without their passwords

      @MrThirteen I didn't know about the local copy. That's interesting. But I've heard from a bunch of people who did what LP recommended: change their master pw. Now, they can't get into anything. Any ideas for them?
      David Gewirtz
    • RE: Minor correction to your article

      @MrThirteen provides some great insight. Here's the odd thing, it so happens I changed my master password just last week right about the time this occurred. Now I need to determine if that was coincidentally done at the right time or if I need to again change it. I'm a heavy user of LastPass for both the security aspect but even more so for productivity. I've highly recommended it, but also caution not to put all your eggs in one basket. With a service like this, I ask how much am I willing to risk? I have never saved financial information with LastPass because to me, that risk is too great. One thing I point folks to is bad practice issues when using the same password for any number of sites etc - http://hitechbrew.com/password-recreational-browsing/ - In addition, I recommend using LastPass. Now I may need to rethink that strategy.
      DavidShepherd
  • Over-reaching?

    You say: "Right now, the LastPass situation is a clusterfrak and represents another sad-but-true example of what happens when we depend on the cloud for our services."

    I say we have been fed a diet of being told that enterprise class systems should take lessons from the consumer world accompanied by a race to the bottom - ie 'free.' If that's the case then how's about we discuss the long running and continuing clusterfrak that is Twitter? But heh - it seems that different standards apply to the loved up social media world.

    I read through exactly the same blog and thread as yourself. I agree that many of the comments seem to be coming from the now all too familiar nut jobs or those only too eager to pile on when something goes wrong.

    But I'd be far more impressed to hear what security experts have to say. Of course that's unlikely to happen. In my dealings with experts in this field, almost all conversations take place in hushed tones. They know the importance of their work and the continuing need to guard against those with less than good intentions.

    I'm no expert on this topic and listening to experts feels like the IT equivalent of having a root canal. But I'd rather those guys did their job as best they can than not at all.

    If LastPass has committed any sin it is in misunderstanding how best to communicate. But that of itself isn't a reason to throw them under the bus. Neither is it a reason to generalise about cloud.

    I will continue to support LastPass. I have to put my faith and trust somewhere and like @matricellc, I have been impressed with what they offer. It's a setback for sure, but meltdown? C'mon, that's for the Twitter gallery.

    FWIW - I can access my LastPass account and all passwords, I'm not seeing any weirdness in any business critical apps, I changed my master password and that's all working fine. I just can't get to master settings at the moment. No surprise - they're overloaded.
    dahowlett
    • RE: LastPass melts down and leaves many users (hopefully, temporarily) stranded without their passwords

      Dennis, by the way, is the host of the Irregular Enterprise blog here on ZDNet. Well worth reading:

      http://www.zdnet.com/blog/howlett
      David Gewirtz
  • This is exactly why I use RoboForm

    I've been using RoboForm for six years and have never had a security breach. My passwords are on my computer. Go with RoboForm.
    michaelcaps
    • RE: LastPass melts down and leaves many users (hopefully, temporarily) stranded without their passwords

      @michaelcaps, we don't even know if anyone actually breached lastpass's security. All we know is an anomaly occurred, and LP was trying to be proactive just to be safe, even though it is technically impossible to steal your data. Remember: even if Lastpass itself is compromised, your data never is, nor can be. This is by design.

      As for Roboform, I used to like this product until Siber Systems pulled a bait and switch on me (and other customers) by not honoring free lifetime upgrades. Their dirty stunt left a bitter taste in my mouth and because of that, I can't recommend Roboform. With that said, I'll stick with LastPass despite this incident.
      Knoxximus
      • RE: LastPass melts down and leaves many users (hopefully, temporarily) stranded without their passwords

        @Knoxximus Agree on RoboForm. I keep hoping a class-action lawyer will sue them out of existence. They tried to claim it was only free 'updates,' not 'upgrades,' but Google was full of cached pages from their own website that said 'lifetime free upgrades.'
        lkjlkjadf
  • RE: LastPass melts down and leaves many users (hopefully, temporarily) stranded without their passwords

    I am a LastPass user, why didn't they send me an email?

    I had to find out about this through ZDNET, many people don't read ZDNET, they should be sending out emails.
    malcarada
  • No WAY!!

    If I would have got an email supposedly from lastpass saying to change my password, I wouldn't have believed it and would assume it was a phishing scam!
    JCitizen
  • It's when things don't go well that we see the true character

    (@JCitizen, "Like"!)
    I've been cautiously assessing Lastpass as I use it myself, but haven't put all my 'eggs' into that basket.

    There's a saying that people of integrity expect to be believed, and if not, they let time prove them right. So far, I believe Lastpass is proving themselves.

    This recent episode was a perfect opportunity for them to show their true colors and for users to know who they're dealing with. Sure, their communication was less than perfect and many were inconvenienced. But I think every user should be thankful that we got to see how they respond under pressure without having to experience any serious 'hacktastrophe'.

    Kudos to Lastpass!
    SamMurai
  • Eight Months Later...

    Looking back, this is looking more and more like a storm in a teacup.

    LastPass saw something that looked odd, said "Hmmmm... that looks odd" and published a blog advising users to change their master passwords. I'm not sure how that can be described as a "Meltdown".

    For the uninitiated, LP encrypts your password database before storing it on their servers. So even if bad actors (William Shatner?) get hold of your data, they still have to brute-force pound on it to get anything useful out. Good luck with that.

    I still use LastPass, and recommend it. I use the Premium service, which requires my Yubikey for any untrusted machine. I also backup my database every couple of months, just in case. I have never had occasion to use it.
    Wizard Prang