May 5, 2011

LastPass.com, a free password management service that lets users unlock access to all of their password-protected sites with a single master password, is forcing all of its approximately 1.25 million users to change their master passwords after discovering that intruders may have accessed the company’s user database.

In an alert posted to the company’s blog late Wednesday, LastPass said that on Tuesday morning it spotted a “traffic anomaly” — unexplained transfers of data — from one of the company’s databases. From that blog entry:

“Because we can’t account for this anomaly either, we’re going to be paranoid and assume the worst: that the data we stored in the database was somehow accessed. We know roughly the amount of data transfered [sic] and that it’s big enough to have transfered people’s email addresses, the server salt and their salted password hashes from the database. We also know that the amount of data taken isn’t remotely enough to have pulled many users encrypted data blobs.

If you have a strong, non-dictionary based password or pass phrase, this shouldn’t impact you – the potential threat here is brute forcing your master password using dictionary words, then going to LastPass with that password to get your data. Unfortunately not everyone picks a master password that’s immune to brute forcing.

To counter that potential threat, we’re going to force everyone to change their master passwords.”

LastPass consists of a core software application that sits on user machines, and a browser plug-in. Passwords are stored on the user’s system, so that no one at LastPass can access the information. What the company does keep is an encrypted blob of gibberish data that is generated by taking the user’s master password and email address and hashing the two. Any sensitive data saved to an account is secured by the encryption key on the user’s system and then sent to LastPass. Since the user’s encryption key is locally created each time users submit their master password and email to LastPass, all that the company stores is users’ encrypted data.

As an added precaution, LastPass said users who are attempting to change their master password from an Internet address block that the company has never before seen associated with their account will need to validate their email address with the company before picking a new password. But there appears to be a slight glitch with this step: The comments on the LastPass blog suggest that many users are currently locked out of their accounts, and now unable to access their email accounts in order to validate their addresses. LastPass Premium users can access their passwords via mobile devices such as the iPhone and Blackberry, but a number of users — including some who say they’re accessing the service via their PCs — report receiving an error message stating that “account settings restrict login from this mobile device.”

LastPass seems to have done a good job designing a secure service, but it looks like they dropped the ball a bit in testing and hardening their internal infrastructure. Still, their (apparent) transparency about what happened is a refreshing change from the brand of disclosure practiced in the wake of other, much larger breaches of late.
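The design sketched above (vault key derived on the client from email address plus master password, server holding only a server salt and a salted hash) is worth seeing concretely, because it explains why the leak of “email addresses, the server salt and their salted password hashes” matters only for guessable master passwords. The following is an added, constructed model written for this article; it is not LastPass’s code, and the PBKDF2 iteration count, the `login|` token prefix and the sample accounts are assumptions.

```python
"""Constructed model (added example, not LastPass's code) of the design the
article describes: the client derives the vault key from e-mail address and
master password, sends only a one-way token, and the server stores a per-user
server salt plus the salted hash of that token. KDF_ROUNDS and the token
construction are assumptions, not LastPass's real parameters."""
import hashlib
import hmac
import math
import os
from typing import List, Optional

KDF_ROUNDS = 100_000  # assumption: iteration count for the client-side KDF


def derive_vault_key(email: str, master_password: str) -> bytes:
    """Client side: the key that encrypts the vault. It is never sent to the
    server. The e-mail address acts as the per-user salt of the KDF, so two
    users with the same master password still get different keys."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), KDF_ROUNDS)


def login_token(email: str, master_password: str) -> bytes:
    """Client side: one more one-way step, so the server only ever sees a
    value derived from the vault key, never the vault key itself."""
    return hashlib.sha256(b"login|" + derive_vault_key(email, master_password)).digest()


def server_enroll(email: str, master_password: str,
                  server_salt: Optional[bytes] = None) -> dict:
    """Server side at account creation: keep e-mail, server salt and the
    salted token hash. These three fields are what a database leak exposes."""
    salt = server_salt if server_salt is not None else os.urandom(16)
    token = login_token(email, master_password)
    return {"email": email, "server_salt": salt,
            "token_hash": hashlib.sha256(salt + token).digest()}


def server_verify(record: dict, email: str, master_password: str) -> bool:
    """Server side at login: recompute the salted hash and compare in constant time."""
    token = login_token(email, master_password)
    candidate = hashlib.sha256(record["server_salt"] + token).digest()
    return hmac.compare_digest(candidate, record["token_hash"])


def guess_space_bits(dictionary_size: int = 0, alphabet_size: int = 0, length: int = 0) -> float:
    """Bits of work a leaked record forces on a guesser: log2 of the space the
    master password was drawn from (a word list, or random characters)."""
    return math.log2(dictionary_size) if dictionary_size else length * math.log2(alphabet_size)


def exposed_by_leak(record: dict, candidate_passwords: List[str]) -> Optional[str]:
    """Risk model of the leak: salt and hash let their holder verify guesses
    offline, so the only remaining protection is the size of the guess space.
    Returns the candidate that verifies, or None if nothing in the list does."""
    for pw in candidate_passwords:
        if server_verify(record, record["email"], pw):
            return pw
    return None


# Constructed sample data: a tiny word list and two example accounts.
SMALL_DICTIONARY = ["password", "letmein", "sunshine", "dragon"]
WEAK_RECORD = server_enroll("alice@example.com", "sunshine")
STRONG_RECORD = server_enroll("bob@example.com", "T7#vq9Lw!e2Xr%Kp")

if __name__ == "__main__":
    print("login ok:", server_verify(WEAK_RECORD, "alice@example.com", "sunshine"))
    print("weak master password found in leak:", exposed_by_leak(WEAK_RECORD, SMALL_DICTIONARY))
    print("strong master password found in leak:", exposed_by_leak(STRONG_RECORD, SMALL_DICTIONARY))
    print("100k-word dictionary: %.1f bits" % guess_space_bits(dictionary_size=100_000))
    print("16 random printable chars: %.1f bits" % guess_space_bits(alphabet_size=94, length=16))
```

The forced reset makes sense in this model: once salt and hash are out, a dictionary-sized guess space (about 17 bits for 100,000 words) is cheap to walk, while a 16-character random master password (about 105 bits) is not, which is exactly the distinction the LastPass post draws.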

35 thoughts on “LastPass Forces Users to Pick Another Password”

  1. Tyler

    Thanks Brian, for bringing this to our attention. To me, this is another consideration for using password safe solutions such as KeePass and Password Safe where the file is saved locally.

    1. qka

      Agreed. The less critical information shared with remote servers, the better.

    2. Terry Ritter

      Tyler: “To me, this is another consideration for using password safe solutions such as KeePass and Password Safe where the file is saved locally.”

      LastPass browser add-ons DO keep a local copy, which is automatically used in offline mode, and can be exported to other formats. Stand-alone “pocket” versions ARE available for use outside a browser.

      I have had extensive experience with Password Safe, and all is not roses there either:

      At least up to last year, Password Safe was not cross-platform, which for me meant having to use Wine to emulate Windows under Linux, just to run Password Safe. But Wine also supports malware, and so defeats one of the main reasons for using Linux. In contrast, LastPass is strongly cross-platform.

      Any local password manager will create key management problems as new password accounts are created from different computers, and perhaps different users. With Password Safe, I would periodically have to consolidate password files from multiple machines and then distribute copies back to those machines. With LastPass, I just add new accounts wherever I am working, and then those passwords automatically become available on all other machines when I need them. That saves work, but more importantly, it also avoids the real risk that the required coordination may never get done. I do not have to carry the latest password file around with me just to work on different machines, or to be able to respond to a major emergency.

  2. Jonathon

    I’m a long time LastPass user. And I just checked my email and I haven’t received any notice from LastPass to change my password. Maybe they haven’t got around to emailing me yet?

    1. kurt wismer

      it’s my understanding that they have not sent email notifications and that they don’t intend to. that may change, but for the moment, they’re simply forcing people to change their master password the moment people log on, and then only under certain circumstances.

    2. Bill Horvath II

      They updated their blog posting to ask that you not change your password unless you’ve been asked/forced to do so, as their servers are getting swamped. I’m also a longtime user, and am pretty happy with the service so far. We’ll see what happens…

    3. Russ

      You’ll get the email soon, Epsilon’s a little overwhelmed right now. HEY-O!

  3. Sean

    Brian thanks again for another very informative post.

    I am a long-time LastPass user, and whilst I was forced to change my password earlier today, I was not aware of the potential theft of data.

  4. Jack

    I experienced this issue this morning when I went to log into LastPass. They sent the confirmation email to me but it went into my Spam folder which doesn’t download to Outlook. So, since my email password is some long form of characters and letters that I don’t have memorized I couldn’t log into my email to get the email out of Spam folder.

    Solution that worked for me: Disconnect from internet then log in to LastPass offline. I was able to retrieve my email password. Reconnect to Internet and then log in to email and retrieve LastPass email from Spam Box. Reset LastPass master password and all is working well now.

    1. Al Mac

      How do you connect to an Internet site, without using the Internet?

      Do they have a VPN or other direct-connect option?

      1. Terry Ritter

        Al Mac: “How do you connect to an Internet site, without using the Internet?”

        LastPass is typically used as a browser add-on. It handles a little password database locally, encrypts it locally, and only sends the encrypted blob to the clouds. An encrypted local copy is kept, and the add-on can use that copy in “offline mode.”

  5. PJ

    A lastpass user here too, service is a godsend over multiple computers. If only Sony had the same breach of security public disclosure policy lastpass has. I am still going to use it.

  6. bob

    What’s a server salt?

    If it’s an app salt, why’s it in the database? Totally defeats the point of an app salt.

  7. Eats Wombats

    WARNING:

    1. Yes, they have a blog post about a possible hack and advice they intend to give to warn people to change their master password
    2. I changed mine ahead of getting a note from them, though I may not have needed to (I use a Yubikey for 2 factor authentication). A harmless precaution I thought.
    3. As soon as I did so all of my records (hundreds) became complete gibberish
    4. I cannot even log into the support forum as I could – I’ll have to create a new account
    5. But… others are posting the same problem

    A great pity as this was working so well, so being deprived of it is a huge inconvenience.

    I think the operative advice is to download all one’s passwords before changing the master password. I don’t keep my banking or other critical passwords online (I use and recommend KeepassX) and there’s now a way of loading Lastpass passwords into this for safekeeping, which I haven’t got around to yet.

    I do have a backup stored in a TiddlyFolio (a TiddlyWiki that can encrypt key data and which lives on a USB stick on my key ring): http://tiddlyfolio.tiddlyspot.com, but it’s not as up to date as I’d like.

    1. Alan

      I’m also a user of LastPass and happy with it. I haven’t managed to change my password but the one I’m using at the moment has north of 128 bits of entropy so good luck to anyone who stole my encrypted data blob.

      I also use KeePass and the password manager that comes with IronKey drives for my more critical passwords.

  8. Gary H.

    Perhaps this makes the case for using a password system that can be memorized…at least until Alzheimer’s sets in.

    1. wiredog

      That’s how I do it. A “master” password that I have memorized, with the variations written down.

  9. 0xb000b1e5

    Yes, they have a well designed product, but you accepted this very risk by using it.

    Personal use of this technology aside, a company using an outsourced ASP solution for password management is simply asking for trouble.

  10. Ken Klein

    Does anyone know if the multi-factor authentication last pass uses has any bearing on the encrypted blob they keep? It seems that it would only come into play in authentication and not server side encryption.

  11. c.cobb

    Security is inversely proportional to convenience, and it seems to me that LastPass gives a false sense of hope. Many articles on this site demonstrate how Man-in-the-Browser attacks are perpetrated, and how easily this can defeat multi-factor authentication.

    Using LastPass, if thieves get your master password, they get ALL your passwords. Using local password storage only (KeePass / Password Safe), they’re not likely to gain full access.

    I followed the LastPass forums for several months last year. There were a lot of posting-rants from a critic, and in post after post the response was that LastPass is NOT in the PC Security business–that this was up to the big vendors–and DON’T use LastPass on a compromised machine.

    The strongest possible crypto is useless when Malware can watch over your shoulder as you type. I’ve never understood why people can’t grasp this concept, especially folks that hang out here.

    1. Terry Ritter

      c.cobb: “Security is inversely proportional to convenience,”

      The single most important contribution to PC security is to NOT use Microsoft Windows online. (The second most important contribution is to boot an OS from CD/DVD immediately before banking.)

      There is, and can be, no absolute security. We have to choose what we protect, because we are limited. Personally, I am not particularly worried about a cloud company employee finding and using my password or my saved data. Instead, I want to defeat brute force attacks targeted at my exposed accounts and equipment, and I want the convenience of easily working from different computers and different OS’s. Another form of security is having access to my current accounts in a family emergency, assuming only that I can get to a computer I can boot, but not requiring that I have retained a usually outdated flash drive.

      Anyone who imagines that ordinary precautions will protect against a targeted attack from a security agency is living in delusion-land. It is nevertheless very easy to be very safe, simply by disconnecting from the network. Somewhere between highly vulnerable and generally invulnerable we can choose a reasonable level of protection, with a reasonable level of utility, at some reasonable effort and cost. But we also can expect surprises.

      “Many articles on this site demonstrate how Man-in-the-Browser attacks are perpetrated, and how easily this can defeat multi-factor authentication.”

      ANY password manager, local or cloud, MUST be run on a clean machine. Any password or authentication whatsoever which flows through an infected machine will be exposed, either WITH or WITHOUT a password manager, completely independent of local vs. cloud storage.

      Having a clean system is crucial. We can get a clean system by booting a Linux LiveDVD. Personally, I use Puppy Linux booted from DVD, all day, every day. I am using it now.

      “Using LastPass, if thieves get your master password, they get ALL your passwords.”

      Such is the case with ANY password manager. A local program is not immune when a resident bot gets your main password. A local program will expose ALL its passwords just like a cloud program.

      “Using local password storage only (KeePass / Password Safe), they not likely to gain full access.”

      If the local machine has a bot infection, as many do, “they” WILL gain full access to ALL your passwords. Using a local program is no protection.

      Largely due to limitations in the current hardware and software, many machines ARE infected. Even worse, we have no way to tell how many infections there are which we cannot detect. Things could be much worse than we think.

      The difference between local and cloud password management is the possibility that the LastPass site could be infected. The consequences depend upon implementation details I do not know: If the theoretical LastPass bot could only capture the main password when typed into the web site, that would not bother me much, since I may do that once a year or so. But if the theoretical LastPass bot could capture the main password from a browser add-on, that would be trouble.

      “The strongest possible crypto is useless when Malware can watch over your shoulder as you type. I’ve never understood why people can’t grasp this concept, especially folks that hang out here.”

      Brian has presented several articles promoting online banking via Linux LiveCD. I have been arguing the same for a year or more, in dozens of comments here, and in articles on my website.

      LiveDVDs differ wildly in usability, but currently, the best approach seems to be Puppy Linux. Puppy allows the frequent and necessary browser and file updates to be added to the existing boot DVD, and then seamlessly loaded on the next boot.

      1. Nick P

        “Having a clean system is crucial. We can get a clean system by booting a Linux LiveDVD. Personally, I use Puppy Linux booted from DVD, all day, every day. I am using it now.”

        This is a good move and why a service like LastPass might work for you. If someone isn’t doing this, then the other poster’s criticisms apply. If you’re putting all your eggs in one basket, then guard the heck out of that basket (e.g. the Puppy strategy). Problem is that most users leave their baskets unattended in a fox den on discount buffet night.

        I especially loved the irony though: *Last*Pass forces users to pick another password. LMAO!

  12. Eats Wombats

    Crypto is not useless when malware watches over your shoulder if you use 2 factor authentication, such as a Yubikey (review here). Your captured password is useless. Thieves do not get access to your lastpass account and to all your passwords.

    1. Terry Ritter

      Eats Wombats: “Crypto is not useless when malware watches over your shoulder if you use 2 factor authentication,”

      Well, perhaps not absolutely “useless,” but almost: Bots DEFEAT 2-factor authentication.

      Through the magic of broadband, a bot essentially puts an attacker inside your machine. The bot gets your password (and any other authentication of any sort whatsoever) when you enter it. At that moment, the bot can use your authentication, at electronic speeds. It is the bot which signs in, not you. It is the bot which decides what you see as a result.

  13. Eats Wombats

    Happy to report that Lastpass rolled back the password change:

    We’ve found that your account likely experienced an issue when you changed your LastPass master password where your key changed, but your encrypted data didn’t change. This could make your vault appear empty or undecipherable. We’re rolling back the password change to hopefully resolve this issue for you.

  14. Eats Wombats

    TR: In principle, yes, authentication parameters could be intercepted and used ONCE to present a successful login while the session is hijacked by a man in the middle attack.

    For most people the convenience of being easily able to use unique passwords on every site is likely to outweigh the very small risk of bots able to do man in the middle attacks. These are not common — compared to the incidents arising from password reuse & weak passwords — and relatively easily defeated by booting from read-only media.

    I boot from a USB drive or CD before accessing anything critical like bank accounts. Anyone who wants to do a man in the middle attack to get at my online newspaper logins and the rest of what I use lastpass for is not going to steal anything of any consequence.

  15. c.cobb

    TR: “Brian has presented several articles promoting online banking via Linux LiveCD.”

    Brian is the one who got me started using Puppy also. Unfortunately, my bank uses a little Java applet during login, so I had to roll a custom version of Puppy. This version can be put on a USB stick without messing with ISO files and CDs: http://ccobb.net/puppy/

    “LiveDVDs differ wildly in usability, but currently, the best approach seems to be Puppy Linux.”

    I’ve experienced some problems with Puppy connecting to a WiFi network at a local Internet Cafe. I am now working on packaging a stripped-down Ubuntu which seems to handle this better.

    Eats Wombats: Please don’t confuse Man-in-the-BROWSER with Man-in-the-MIDDLE. I was discussing the former. There are articles on this site that explain the difference.

    1. Terry Ritter

      c.cobb: “I’ve experienced some problems with Puppy connecting to a WiFi network at a local Internet Cafe.”

      There is a new “IcePuppy-008” development going on that might address your needs, especially if you can define the problem and tell them about it:

      http://www.murga-linux.com/puppy/viewtopic.php?t=66836

      Forum index » Advanced Topics » Puppy Derivatives

      IcePuppy-008 RHE release Really Highly Experimental

      “I am now working on packaging a stripped-down Ubuntu which seems to handle this better.”

      You are a better man than I am. But from my viewpoint, the Ubuntu problems go beyond size: When Ubuntu can allow the boot DVD to be extended with necessary browser and add-on security updates, then we will have a real Puppy alternative.

    2. Ken Klein

      I don’t want to start a distro stampede here, but Mac Pup 520 includes FireFox4 rc1, which solved all my odd website problems.

  16. c.cobb

    TR: “When Ubuntu can allow the boot DVD to be extended with necessary browser and add-on security updates, then we will have a real Puppy alternative.”

    This may be do-able now. I’ve organized some notes about this here: http://ccobb.net/ubuntu/ , where there’s a link to a blog for further comments–if you’re so inclined. The trick will be using a good remastering script–another weak point with Puppy, IMO. Not *exactly* what you mean, I guess, but it works for me.

    TR: “There is a new “IcePuppy-008” development going on”

    Ken: “Mac Pup 520 includes FireFox4 rc1, which solved all my odd website problems.”

    Thanks, I’ll take a look. My big problem with Puppy–and with all Linuxes (Linuces?) before Ubuntu–was a very unpleasing UI design. :-/

    Eats Wombats: “I boot from a USB drive or CD before accessing anything critical like bank accounts.”

    Oops, sorry, missed where you wrote this! In that case, you’re right–you probably won’t get “p0wned.”
    Cheers,

  17. OhioMC

    Great level of disclosure online by the LastPass crew but I wouldn’t have known about it without Brian’s post. Thanks Brian!

    I began using LastPass recently for the plethora of logons that can cause limited damage if compromised (I exclude banking & webmail). I love the cross platform functionality – works great with Blackberry and can be restricted to defined mobile devices.

    I think an important “security” feature is to have the vault open at each browser based logon, displaying the most recently accessed sites. This would indirectly let me know if someone else snagged my master password and was using it to access accounts.

    1. Ken Klein

      No one is mentioning LastPass’s incident in February where Mike Cardwell found an XSS vulnerability and responsibly reported it. They fixed the hole in a few hours and appeared to be open and honest about it then also.

      If they have another XSS exploit, their history won’t help, and they still will compromise your account. Here is the link to the incident: https://grepular.com/LastPass_Vulnerability_Exposes_Account_Details

      Using Nick P’s egg and fox (wolf) analogy, they do seem to be as nice as Little Red Riding Hood, but even she made mistakes.

  18. Eats Wombats

    An important point about cloud insecurity gets a write-up on the BBC:

    Criminals can use stolen credit cards to buy processing power to crack passwords–and are probably doing so.

    It’s why I keep my banking details double encoded in a TiddlyFolio on a USB thumb drive, encrypted and with some information in language that might as well be Eskimo. Even if translated the information would require biographical information. Even then the limit of my potential exposure is limited to what my banks allow for Internet transactions.

    I have some old zip files with passwords I can no longer remember. I know in principle that I should be able to get Amazon EC2 on the job. Some day I’ll get around to it.

    1. Terry Ritter

      Eats Wombats: “An important point about cloud insecurity gets a write-up on the BBC: Criminals can use stolen credit cards to buy processing power to crack passwords–and are probably doing so.”

      We probably should make clear to other readers that simply using long, random passwords prevents success in such attacks. The news item thus argues FOR the use of password managers, whether specialized or custom, since those are needed to support the use of secure long, random passwords.

      Modern cipher key-lengths mean there are VASTLY more keys or passwords than can possibly be searched, even with all the computing power that can be imagined. Unfortunately, many users deliberately choose passwords in a related tiny, tiny fraction which CAN be searched. Those would be insecure language-based, memorable or short passwords.

      Password security depends upon passwords being random selections from among all possible values, since that makes the correct password a single needle in a mountain of similar needles. We need to use secure long, random passwords, and since most humans cannot remember such passwords, we need password managers. Fearing every password manager as “an unwatched basket” leads directly to the use of weak passwords which can be broken. But not all password managers are the same: the browser internal versions can be very weak.

      Obviously, no password is secure when entered on a machine with a bot infection. No password manager, specialized or custom, can be secure on that machine either.

  19. xAdmin

    My favorite password manager is my ol’ noggin! It’s never let me down. 😛

    And instead of passwords, I use passphrases when possible and often substitute special characters instead of regular letters or numbers. Although, as I’ve gotten older and my memory is not as agile as it once was, I started to document hints in Outlook for various accounts that even if someone were to see them, it wouldn’t help them guess the password as it’s all stuff only relevant to the junk in my own head. 😉

    I just don’t like any type of credentials stored on a computer where they can be hacked. At least with my noggin, you’d just about have to water board me to get the info! 😛
