If you use LastPass, the secure password storage service, listen up: you need to change your master password there as soon as possible. Turns out it wasn’t, unfortunately, the “last” password you’d ever need after all.
The LastPass team noticed something weird happening with their servers yesterday – data was flowing in and out in a strange way, something they called a “network traffic anomaly”.
They could have just shrugged their shoulders and decided to ignore it, but instead they’ve taken a more prudent approach and decided to force a password reset for all users.
The idea behind LastPass (and services like it, such as 1Password) is that they solve all your password troubles for good.
The software handles all your web passwords, choosing and remembering complex, hard-to-crack combinations of characters on your behalf. All you have to do is remember a single unifying master password.
And it’s the master passwords that are at risk here – if their owners didn’t choose them with care.
As the LastPass team said:
“If you have a strong, non-dictionary based password or pass phrase, this shouldn’t impact you – the potential threat here is brute forcing your master password using dictionary words, then going to LastPass with that password to get your data. Unfortunately not everyone picks a master password that’s immune to brute forcing.”
The most unsettling aspect of all this isn’t LastPass’s response – which seems the right thing to do in the circumstances – but the hard-to-explain nature of the original attack. No-one seems to be able to say exactly how it was done, who did it, or what they gained from it.
There’s little doubt that online storage of all sorts of data isn’t slowing down; but events like this ought to make all of us stop and think about what we store in the cloud, and what steps we take to protect it from prying eyes. Let’s be careful out there.
(Via LastPass blog)