Earlier this morning LastPass announced that they noticed some anomalies in the network traffic to one of their servers. And…
… it’s prudent to assume where there’s smoke there could be fire.
I’ve been a longtime LastPass user and fan. While I rather this not have happened at all, I’m an even bigger fan now. I like paranoid people protecting my stuff. I also think some of the stuff they do is pretty cool and shows a serious commitment to security. They monitor traffic in their network and noticed some abnormal traffic that they couldn’t track down.
Unfortunately their response caused the real problems. They began forcing password changes which caused a heavy load on their servers (which was probably already heightened once the news hit) and things began to grind to a halt. It appears password changes could take an hour or more to take effect, making it appear data was lost (since it wasn’t being decrypted with the right password).
I have to admit, I didn’t have any problems during the day the few times I used LastPass. And when I got home they changed things from forcing a password change to selecting an option to not change my password, or to temporarily postpone the change and only allow logons from personal computers. I chose the permanent postponement. So did I permanently postpone the change?
The worst-case risk is that someone got the password hash (the actual passwords aren’t saved or known to LastPass) and the salt used to hash them; LastPass needs to keep the salt in order to log us on. With both those items a dictionary attack could be launched to find the password. Only passwords that matched the dictionary could be broken. I’m protected by two things:
- My password is a long string of symbols, numbers, and both cases of letters. Not likely to match any dictionary.
- I use a YubiKey for two-factor authentication. If my password is cracked it’s useless without the YubiKey.
Still, once things die down and their performance returns to normal I’ll go ahead and change my password. Can’t be too cautious. And the LastPass folks get that – they’re changing their hashing algorithm in a way to make brute-force attacks unreasonably long to execute.
Unlike other recent breaches in the news, this possible attack hasn’t lessened my trust in LastPass. It’s only increased it because they take their responsibility seriously.