May 6, 2011 11:35 AM
The LastPass 'hack' is a warning on password weakness
The hack was minor, probably affected a tiny number of its users and, the company said, was precautionary. What it has done is underscore people's growing dependence on a service that is becoming necessary to cope with the dozens and possibly hundreds of websites that Internet users are slowly accumulating.
The potential weakness of LastPass is that users MUST set a longish and complex master password, just in case (as the company has reported) its databases become compromised. Remember, anyone who steals this encrypted data and cracks the master password using a plain old dictionary attack will have access to every site the user accesses.
Uh-oh number 1: LastPass needs to start insisting that users set a long password.
The next problem is that as people rushed to do exactly what the company had asked, the service has become unavailable for large numbers of them, leading to frustration. As I write, the service has been intermittently available for the last 12 hours, making even a reset difficult.
LastPass does have an offline mode but this has obvious limitations such as the inability to reset passwords within the database or add any new ones, or at least this feature seemed not to work when I tried.
Uh-oh number 2: LastPass users are vulnerable to downtime, including the possibility of DDoS, and its users need to think through the practicalities of using the more manual offline mode so they have a plan B worked out.
In a tight spot, LastPass has remained remarkably calm if slightly disorganised in the wording on some of its communication (for instance, telling people to reset the master password but not explaining how to do this).
Things will improve and LastPass is still a superb and arguably essential tool if used properly. It is still the best password management tool going. When the service returns, my advice to users is to run the integrated tool that analyses a user’s web passwords for weak and duplicate entries, before changing these to longish, random replacements.
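To make the two points above concrete (a dictionary-word master password offers a tiny guess space, and a vault audit should flag weak and duplicate entries), here is an added illustration; it is not LastPass's code, and the word list, sample vault and entropy thresholds are constructed assumptions for the demonstration.

```python
import math
import string
from collections import defaultdict
from typing import Dict, List

# Constructed stand-in for a cracking dictionary; a real audit would load a
# large word list (assumption for this example).
COMMON_WORDS = {"password", "letmein", "welcome", "dragon", "monkey", "qwerty"}
_STRIP = string.digits + string.punctuation

def _base_word(pw: str) -> str:
    """Lower-case the password and drop trailing digits/punctuation ('Welcome1' -> 'welcome')."""
    return pw.lower().rstrip(_STRIP)

def charset_size(pw: str) -> int:
    """Size of the alphabet implied by the character classes actually present."""
    size = 0
    if any(c.islower() for c in pw): size += 26
    if any(c.isupper() for c in pw): size += 26
    if any(c.isdigit() for c in pw): size += 10
    if any(c in string.punctuation for c in pw): size += len(string.punctuation)
    return size

def guess_entropy_bits(pw: str) -> float:
    """Rough guess-space estimate in bits. A dictionary word plus a suffix is
    only log2(|dictionary|) plus a small allowance for the suffix (assumed +4);
    otherwise assume random choice from the observed classes."""
    if _base_word(pw) in COMMON_WORDS:
        return math.log2(len(COMMON_WORDS)) + 4
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0

def master_password_ok(pw: str, min_bits: float = 60.0) -> bool:
    """Accept a master password only if a dictionary attack could not plausibly exhaust its guess space."""
    return guess_entropy_bits(pw) >= min_bits

def audit_vault(entries: Dict[str, str], min_len: int = 12) -> Dict[str, List[str]]:
    """Flag each site whose password is 'short', 'dictionary' or 'duplicate'."""
    findings: Dict[str, List[str]] = defaultdict(list)
    by_password: Dict[str, List[str]] = defaultdict(list)
    for site, pw in entries.items():
        by_password[pw].append(site)
        if len(pw) < min_len:
            findings[site].append("short")
        if _base_word(pw) in COMMON_WORDS:
            findings[site].append("dictionary")
    for sites in by_password.values():
        if len(sites) > 1:            # same password reused on several sites
            for site in sites:
                findings[site].append("duplicate")
    return dict(findings)

# Constructed sample vault: two reused dictionary passwords, one random one.
SAMPLE_VAULT = {"mail.example": "Welcome1", "bank.example": "Welcome1",
                "shop.example": "x7#Qp9!vL2mR$k", "forum.example": "dragon42"}
```

Run `audit_vault(SAMPLE_VAULT)` to see the per-site findings, and `master_password_ok(...)` to check a candidate master password against the assumed 60-bit floor.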
Users can’t stop hackers finding ways into a company’s database but they can at least stop them crashing through the front door.