LastPass melts down and leaves many users (hopefully, temporarily) stranded without their passwords

By David Gewirtz | May 5, 2011, 11:20am PDT

Summary: Last night, the operators of LastPass noticed some anomalous behavior in their systems.


For the last several hours, I’ve been watching LastPass melt down and talking with many of its panicking users. It has not been pretty.

Here’s what’s going on. LastPass is a password aggregator that, by all accounts, is a best-of-breed product.


LastPass bills itself as the last password you’ll ever need. It does this by storing all your passwords in a highly encrypted format and then using a single master password to give you access to all your sites. All you need to do is remember one password, while each of your sites can have its own unique, complex password.

Of course, the possible point of failure is that one master password.

Last night, the operators of LastPass noticed some anomalous behavior in their systems. Their concern is that a hacker had somehow penetrated their system and exfiltrated master passwords.

So, today, they told users to change their master passwords. All heck ensued.

First, the company didn’t email each user. Instead, it posted a blog entry. This infuriated many users.

Next, LastPass decided to force all users to change their master passwords. The database of ancillary passwords is encrypted based on a “salt” from the master password, so changing the master password changes the encryption for all the others, which is a very smart move.
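To make the mechanism in the preceding paragraphs concrete, here is an added, self-contained illustration of a client-side design of this kind; it is not LastPass’s code, and the iteration count, salt choice and hash layout are assumptions. The vault key is stretched from the master password with the username as salt, the server only ever receives ciphertext plus a further-hashed login value, and a master password change means decrypting and re-encrypting the whole vault locally. HMAC-SHA256 in counter mode stands in for AES, which the Python standard library lacks.

```python
import hashlib
import hmac
import os

# Assumed parameters for this illustration; not LastPass's actual settings.
PBKDF2_ROUNDS = 100_000
NONCE_LEN, TAG_LEN = 16, 32


def derive_vault_key(username: str, master_password: str) -> bytes:
    """Stretch the master password into a 256-bit vault key, salted with the
    username so two users with the same password get different keys."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               username.lower().encode(), PBKDF2_ROUNDS, dklen=32)


def login_hash(vault_key: bytes, master_password: str) -> bytes:
    """One extra hashing step for authentication, so the value sent to (and
    stored by) the server is never the vault key itself."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1, dklen=32)


def _subkeys(vault_key: bytes):
    # Split the vault key into separate encryption and MAC keys.
    enc = hmac.new(vault_key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(vault_key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode stands in for AES-CTR, which the stdlib lacks.
    blocks = (length + 31) // 32
    return b"".join(hmac.new(enc_key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
                    for i in range(blocks))[:length]


def encrypt_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    enc, mac = _subkeys(vault_key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce + ct + tag


def decrypt_vault(vault_key: bytes, blob: bytes) -> bytes:
    enc, mac = _subkeys(vault_key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(mac, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong master password or tampered vault")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc, nonce, len(ct))))


def rotate_master_password(username: str, old_pw: str, new_pw: str, blob: bytes):
    """Client-side master password change: decrypt with the old key, re-encrypt
    everything under the new key, and hand the server the new blob and login hash."""
    plaintext = decrypt_vault(derive_vault_key(username, old_pw), blob)
    new_key = derive_vault_key(username, new_pw)
    return encrypt_vault(new_key, plaintext), login_hash(new_key, new_pw)
```

Because the re-encryption happens entirely on the client, a server that only ever held the blob and the login hash never learns the old or the new vault key; it does, however, have to accept and store every rekeyed blob, which is where load becomes the limiting factor.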

Unfortunately, the LastPass site and the company’s various password management tools apparently can’t handle the load of millions of users trying to change passwords all at once.

Some users are locked out and can’t change their passwords. Some users are locked out after having changed their passwords. Some users changed their passwords and are now being told their new passwords are invalid.

David Gewirtz, Distinguished Lecturer at CBS Interactive, is an author, U.S. policy advisor, and computer scientist. He is featured in The History Channel special The President's Book of Secrets.


Comments

Join the conversation!

Just In

Eight Months Later...
Wizard Prang Updated - 12th Jan
Looking back, this is looking more and more like a storm in a teacup.

LastPass saw something that looked odd, said "Hmmmm... that looks odd" and published a blog advising users to change their master passwords. I'm not sure how that can be described as a "Meltdown".

For the uninitiated, LP encrypts your password database before storing it on their servers. So even if bad actors (William Shatner?) get hold of your data, they still have to brute-force pound on it to get anything useful out. Good luck with that.

I still use LastPass, and recommend it. I use the Premium service, which requires my Yubikey for any untrusted machine. I also backup my database every couple of months, just in case. I have never had occasion to use it.
The Cloud
matricellc 5th May 2011
I am not a big fan of cloud services, and this is before Amazon, Sony and LastPass issues. The work that I do needs 99.9999% or better availability, at least as far as internet connectivity. That's a little over 5 minutes of downtime per year. Systems need very close to 100% uptime.

I have been piloting LastPass for about a month, with pretty good success (our legacy PW manager is Roboform). It's a great product and a good little company. I know it's little since one of their top people emailed me a response to an inquiry within an hour. I hope the company doesn't end up getting a huge black eye because of this, as they are a good little company with huge upside potential.

Cloud based services have their limitations, so you always need a backup or contingency plan. And they are not the cure-all for data center problems.
Minor correction to your article
MrThirteen 5th May 2011
Lastpass does store your database locally, it is encrypted just like the remote data is with a salt of your username/password combo. The salting is done locally so the only data that is sent over the internet is encrypted data (another plus to your security). Lastpass will work while their servers are down & you can download their pocket version of their program which will allow you to access the data locally, export an encrypted file of your data and even (be very careful here) export an unencrypted version. Best practice is for each user of lastpass to have a routine of backing up at least an encrypted version from your local database so in major issues or even if the company goes under, you still have your data. The SecurityNOW podcast covers this in great detail. Now I am screwed on 1 PC in my house because not knowing lastpass was having an issue I cleared my local cache trying to fix the problem. Now on that PC it's gone and until lastpass comes back to full tilt I am screwed on that PC. (I also forgot to do a backup of my wife's account so all her data is ONLY on lastpass at the moment, something I plan on fixing when lastpass returns.) This just identified a problem with my own security and backup policy, not a problem with lastpass. Yes I am frustrated Lastpass is down temporarily, but I am more frustrated with my own planning. This event has shown me a major hole in my own plans that I need to fix.
@MrThirteen I didn't know about the local copy. That's interesting. But I've heard from a bunch of people who did what LP recommended: change their master pw. Now, they can't get into anything. Any ideas for them?
RE: Minor correction to your article
DavidShepherd 9th May 2011
@MrThirteen provides some great insight. Here's the odd thing, it so happens I changed my master password just last week right about the time this occurred. Now I need to determine if that was coincidentally done at the right time or if I need to again change it. I'm a heavy user of LastPass for both the security aspect but even more so for productivity. I've highly recommended it, but also caution not to put all your eggs in one basket. With a service like this, I ask how much am I willing to risk? I have never saved financial information with LastPass because to me, that risk is too great. One thing I point folks to is bad practice issues when using the same password for any number of sites etc - http://hitechbrew.com/password-recreational-browsing/ - In addition, I recommend using LastPass. Now I may need to rethink that strategy.
Over-reaching?
dahowlett Updated - 5th May 2011
You say: "Right now, the LastPass situation is a clusterfrak and represents another sad-but-true example of what happens when we depend on the cloud for our services."

I say we have been fed a diet of being told that enterprise class systems should take lessons from the consumer world accompanied by a race to the bottom - ie 'free.' If that's the case then how's about we discuss the long running and continuing clusterfrak that is Twitter? But heh - it seems that different standards apply to the loved up social media world.

I read through exactly the same blog and thread as yourself. I agree that many of the comments seem to be coming from the now all too familiar nut jobs or those only too eager to pile on when something goes wrong.

But I'd be far more impressed to hear what security experts have to say. Of course that's unlikely to happen. In my dealings with experts in this field, almost all conversations take place in hushed tones. They know the importance of their work and the continuing need to guard against those with less than good intentions.

I'm no expert on this topic and listening to experts feels like the IT equivalent of having a root canal. But I'd rather those guys did their job as best they can than not at all.

If LastPass has committed any sin it is in misunderstanding how best to communicate. But that of itself isn't a reason to throw them under the bus. Neither is it a reason to generalise about cloud.

I will continue to support LastPass. I have to put my faith and trust somewhere and like @matricellc, I have been impressed with what they offer. It's a setback for sure, but meltdown? C'mon, that's for the Twitter gallery.

FWIW - I can access my LastPass account and all passwords, I'm not seeing any weirdness in any business critical apps, I changed my master password and that's all working fine. I just can't get to master settings at the moment. No surprise - they're overloaded.
Dennis, by the way, is the host of the Irregular Enterprise blog here on ZDNet. Well worth reading:

http://www.zdnet.com/blog/howlett
This is exactly why I use RoboForm
michaelcaps 5th May 2011
I've been using RoboForm for six years and have never had a security breach. My passwords are on my computer. Go with RoboForm.
@michaelcaps, we don't even know if anyone actually breached lastpass's security. All we know is an anomaly occurred, and LP was trying to be proactive just to be safe, even though it is technically impossible to steal your data. Remember: even if Lastpass itself is compromised, your data never is, nor can be. This is by design.

As for Roboform, I used to like this product until Siber Systems pulled a bait and switch on me (and other customers) by not honoring free lifetime upgrades. Their dirty stunt left a bitter taste in my mouth and because of that, I can't recommend Roboform. With that said, I'll stick with LastPass despite this incident.
@Knoxximus Agree on RoboForm. I keep hoping a class-action lawyer will sue them out of existence. They tried to claim it was only free 'updates,' not 'upgrades,' but Google was full of cached pages from their own website that said 'lifetime free upgrades.'
I am a LastPass user, why didn't they send me an email?

I had to find out about this through ZDNET, many people don't read ZDNET, they should be sending out emails.
No WAY!!
JCitizen Updated - 6th May 2011
If I would have got an email supposedly from lastpass saying to change my password, I wouldn't have believed it and would assume it was a phishing scam!
(@JCitizen, "Like"!)
I've been cautiously assessing Lastpass as I use it myself, but haven't put all my 'eggs' into that basket.

There's a saying that people of integrity expect to be believed, and if not, they let time prove them right. So far, I believe Lastpass is proving themselves.

This recent episode was a perfect opportunity for them to show their true colors and for users to know who they're dealing with. Sure, their communication was less than perfect and many were inconvenienced. But I think every user should be thankful that we got to see how they respond under pressure without having to experience any serious 'hacktastrophe'.

Kudos to Lastpass!