For the last several hours, I've been watching LastPass melt down and talking with many of its panicking users. It has not been pretty.
Here's what's going on. LastPass is a password aggregator that, by all accounts, is a best-of-breed product.
LastPass bills itself as the last password you'll ever need, and they do this by storing all your passwords in a highly encrypted format, and then using a single, master password to give you access to all your sites. All you need to do is remember one password, but all your sites can have unique, complex passwords.
Of course, the possible point of failure is that one, master password.
Last night, the operators of LastPass noticed some anomalous behavior in their systems. Their concern is that a hacker had somehow penetrated their system and exfiltrated master passwords.
So, today, they told users to change their master passwords. All heck ensued.
First, the company didn't email each user. Instead, it posted a blog entry. This infuriated many users.
Next, LastPass decided to force all users to change their master passwords. The database of ancillary passwords is encrypted based on a "salt" from the master password, so changing the master password changes the encryption for all the others -- a very smart move.
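To make concrete what "the master password drives the encryption of everything else" means, here is an added, self-contained illustration; it is not LastPass's code and does not claim to reproduce its design. It assumes PBKDF2-HMAC-SHA256 for stretching the master password with a random salt, and uses an HMAC-SHA256 counter-mode keystream plus an HMAC tag as a stand-in for a real authenticated cipher (a product would use AES-GCM or similar). The point it demonstrates is that rotating the master password re-wraps the whole vault under a new key and salt, so the old master password no longer opens it, while the per-site passwords inside stay unchanged. The site entries are constructed sample data.

```python
import hashlib
import hmac
import json
import os

# Demonstration-grade vault. Hypothetical code, not LastPass's design.
ITERATIONS = 100_000  # assumption: PBKDF2 work factor for this illustration
KEY_LEN = 32          # 256-bit vault key
NONCE_LEN = 16
TAG_LEN = 32          # HMAC-SHA256 output


def derive_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch the master password and per-vault salt into a fixed-length key."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=KEY_LEN
    )


def _split_key(key: bytes):
    """Derive separate encryption and MAC keys from the vault key."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a PRF keystream, used here instead of AES."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = _split_key(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; a wrong key fails here."""
    enc_key, mac_key = _split_key(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password or corrupted vault")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Vault:
    """All site passwords live in one blob wrapped by a key from the master password."""

    def __init__(self, master_password: str, entries: dict):
        self.salt = os.urandom(16)
        self.blob = encrypt(derive_key(master_password, self.salt), json.dumps(entries).encode())

    def unlock(self, master_password: str) -> dict:
        return json.loads(decrypt(derive_key(master_password, self.salt), self.blob))

    def change_master(self, old_master: str, new_master: str) -> None:
        # Decrypt under the old key, then re-wrap everything under a fresh salt and key.
        # The per-site passwords themselves are untouched; only the wrapping changes.
        entries = self.unlock(old_master)
        self.salt = os.urandom(16)
        self.blob = encrypt(derive_key(new_master, self.salt), json.dumps(entries).encode())


def demo() -> bool:
    """Rotate the master password and confirm the old one no longer opens the vault."""
    entries = {  # constructed sample data
        "example.com": "Tr0ub4dor&3",
        "mail.example": "correct horse battery staple",
    }
    vault = Vault("old master", entries)
    vault.change_master("old master", "new master")
    try:
        vault.unlock("old master")
        old_still_opens = True
    except ValueError:
        old_still_opens = False
    return vault.unlock("new master") == entries and not old_still_opens


if __name__ == "__main__":
    print("rotation re-wrapped the vault:", demo())
```

The forced rotation the post describes is essentially `change_master` run for every account at once, which also shows why it needs the service to be reachable: the re-wrap can only happen after the vault is decrypted with the old master password.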
Unfortunately, the LastPass site and the company's various password management tools apparently can't handle the load of millions of users trying to change passwords all at once.
Some users are locked out, and can't change their passwords. Some users are locked out after having changed their passwords. Some users changed their passwords and are now being told their passwords are invalid.
The problem, of course, is that if you use the last password you'll ever need, and you can't get into your passwords, you're essentially locked out of all of your systems, everywhere. LastPass does not store a local copy of your password database, so there's no way (other than regularly exporting the set) of backing up your passwords.
As a result, users all over are unable to get into many of their other services. A quick read of the comments on the LastPass site will curl your hair.
Fellow ZDNet blogger Michael Krigsman (he, appropriately enough, hosts ZDNet's IT Project Failures blog) sent me his thoughts about the situation:
Right now, the LastPass situation is a clusterfrak and represents another sad-but-true example of what happens when we depend on the cloud for our services.
We'll keep watching the progress of the service, but for now at least, LastPass may be near last rites.
Stay tuned.
Webcast about how to protect yourself and your business
To learn more about how to protect your business from cyberattack, I’ll be giving a free webcast on the subject next week here on ZDNet and TechRepublic. It’s called Top 10 Tips To Protect Your Business Against Cyberattack. Believe it or not, this thing was scheduled way before the LastPass and Sony messes began. That said, there will be lots of tips and techniques for keeping yourself safe. It’s worth a tune-in.
P.S. Personal note: This really bugs me. LastPass is a small company with a good product and an attempt at best practices. Criminals breaking into sites like this do nothing but harm. This is why cyberattacks are so dangerous and why we should chase down these criminals and bring them to justice no matter where they are in the world.