LastPass.com, a free password management service that lets users unlock access to all of their password protected sites with a single master password, is forcing all of its approximately 1.25 million users to change their master passwords after discovering that intruders may have accessed the company’s user database.
In an alert posted to the company’s blog late Wednesday, LastPass said that on Tuesday morning it spotted a “traffic anomaly” — unexplained transfers of data — from one of the company’s databases. From that blog entry:
“Because we can’t account for this anomaly either, we’re going to be paranoid and assume the worst: that the data we stored in the database was somehow accessed. We know roughly the amount of data transfered [sic] and that it’s big enough to have transfered people’s email addresses, the server salt and their salted password hashes from the database. We also know that the amount of data taken isn’t remotely enough to have pulled many users encrypted data blobs.
If you have a strong, non-dictionary based password or pass phrase, this shouldn’t impact you – the potential threat here is brute forcing your master password using dictionary words, then going to LastPass with that password to get your data.Unfortunately not everyone picks a master password that’s immune to brute forcing.
To counter that potential threat, we’re going to force everyone to change their master passwords.”
LastPass consists of a core software application that sits on user machines, and a browser plug-in. Passwords are stored on the user’s system, so that no one at LastPass can access the information. What the company does keep is an encrypted blob of gibberish data that is generated by taking the user’s master password and email address and hashing the two. Any sensitive data saved to an account is secured by the encryption key on the user’s system and then sent to LastPass. Since the user’s encryption key is locally created each time users submit their master password and email to LastPass, all that the company stores is users’ encrypted data.