LastPass melts down and leaves many users (hopefully, temporarily) stranded without their passwords

Last night, the operators of LastPass noticed some anomalous behavior in their systems.
Written by David Gewirtz, Senior Contributing Editor

Image courtesy Flickr user bobu.

For the last several hours, I've been watching LastPass melt down and talking with many of its panicking users. It has not been pretty.

Here's what's going on. LastPass is a password aggregator, that, by all accounts, is a best-of-breed product.

See also: Five Windows tools to keep your digital life in sync

LastPass bills itself as the last password you'll ever need, and they do this by storing all your passwords in a highly encrypted format, and then using a single, master password to give you access to all your sites. All you need to do is remember one password, but all your sites can have unique, complex passwords.

Of course, the possible point of failure is that one, master password.

Last night, the operators of LastPass noticed some anomalous behavior in their systems. Their concern is that a hacker had somehow penetrated their system and exfiltrated master passwords.

So, today, they told users to change their master passwords. All heck ensued.

First, the company didn't email each user. Instead, it posted a blog entry. This infuriated many users.

Next, LastPass decided to force all users to change their master passwords. The database of ancillary passwords is encrypted based on a "salt" from the master password, so changing the master password changes the encryption for all the other -- a very smart move.

Unfortunately, the LastPass site and the company's various password management tools apparently can't handle the load of millions of users trying to change passwords all at once.

Some users are locked out, and can't change their passwords. Some users are locked out after having changed their passwords. Some users changed their passwords and are now being told their passwords are invalid.

Next: Analysis and options »

« Previous: LastPass meltdown

The problem, of course, is that if you use the last password you'll ever need, and you can't get into your passwords, you're essentially locked out of all of your systems, everywhere. LastPass does not store a local copy of your password database, so there's no way (other than regularly exporting the set) of backing up your passwords.

As a result, users all over are unable to get into many of their other services. A quick read of the comments on the LastPass site will curl your hair.

Fellow ZDNet blogger Michael Krigsman (he, appropriately enough, hosts ZDNet's IT Project Failures blog) sent me his thoughts about the situation:

  • LastPass appears to have insecure network architecture. For example, their Asterix server is on the same internal network as the password database server.
  • LastPass had decent (not great) processes, which is how they caught the problem.
  • LastPass should have had external audits performed in the past.
  • In general, there was sloppiness and not enterprise, industrial strength systems and procedures.
  • They are doing the best they can under the circumstances and are being open, which is good.
  • Some of the user comments on their blog post are asinine. LastPass is being blamed for inconveniencing users and also not providing easier ways for users to access their data. However, LastPass correctly is putting security ahead of all other concerns. Still, some users can't access email and other essential services now,which sucks for them.
  • A key issue is balancing convenience vs. security in an online world.

Right now, the LastPass situation is a clusterfrak and represents another sad-but-true example of what happens when we depend on the cloud for our services.

See also:

We'll keep watching the progress of the service, but for now at least, LastPass may be near last rights.

Stay tuned.

Webcast about how to protect yourself and your business

To learn more about how to protect your business from cyberattack, I’ll be giving a free webcast on the subject next week here on ZDNet and TechRepublic. It’s called Top 10 Tips To Protect Your Business Against Cyberattack. Believe it or not, this thing was scheduled way before the LastPass and Sony messes began. That said, there will be lots of tips and techniques for keeping yourself safe. It’s worth a tune-in.

P.S. Personal note: This really bugs me. LastPass is a small company with a good product and an attempt at best practices. Criminals breaking into sites like this do nothing but harm. This is why cyberattacks are so dangerous and why we should chase down these criminals and bring them to justice no matter where they are in the world.

Editorial standards