The LastPass Breach, and why I’m not worried about it

Years ago, when the net was young, I, like many others, used one password for everywhere I went.

Before long, I realized that this was not a good plan, so I went to Plan B: a handful of passwords; one for “Important” sites (i.e., where money is involved), a second one for less important sites (such as shopping and utility-billing sites), and… a third password for anything else.

The problem with this approach is that if ONE of your “Important” sites is breached, and they try your password on a bunch of banks… there goes your life savings.

I needed a better approach, and I found it… in LastPass.

I was first exposed to LastPass in Episode 256 of the Security Now Podcast, hosted by Leo Laporte and Steve Gibson. Steve loved it, and after trying it out, so did I.

That was almost a year ago. I had been toying with the idea of writing a piece in how good LastPass is, but something more interesting happened.

LastPass got breached

And I am OK with that. Here’s why:

  1. The breach was a relatively minor one — LastPass noticed some anomalous traffic — “we saw a network traffic anomaly for a few minutes from one of our non-critical machines” — and investigated. they went public in short order, (unlike, for instance, Sony, who shut down a compromised network for a week before telling us why). They “also know that the amount of data taken isn’t remotely enough to have pulled many users encrypted data blobs” — the amount of “leaked” data corresponds to the encrypted information for a few hundred users. The chances that my data was part of that leak was therefore quite low.
  2. I use a strong master password, containing all four classes of character (upper, lower, numbers, special characters). This would make a brute-force attack very difficult.
  3. LastPass has gone to great pains to point out that no plain-text data is stored. Everything that is stored on their servers is encrypted. In fact, NOTHING unencrypted leaves your machine.

LastPass’ responses were laudable. They informed people early on — if anything they overreacted. They required verification if users were logging in from “unexpected” IP addresses. They encouraged people to change their passwords.

Some users were inconvenienced, claiming that they were locked out of LastPass as a result of a password change that went wrong, or being unable to get into their e-mail because the email password was stored in… LastPass.

There are two solutions to this: First, regularly take an encrypted backup of the password database and keep it on a flash drive with a copy of the “LastPass pocket” program (this allows tou you get to your password when you have no Internet Connection). Secondly, NEVER store the password to your master e-mail address (the one LastPass uses as your username) in LastPass. If something goes wrong with LastPass, you will need to get into this e-mail.

The press have had a field day with this one, and like newsies everywhere they have overplayed the sensationalism and underplayed the facts.

But the security-conscious will still worry, and rightly so. So what are you worrying about? For me, the worst-case scenario is that they have gotten my entire blob and hammer it offline until they figure out the username and password.

LastPass’ advice — change your Master Password — is certainly good advice, but it does not help in this situation; if they have decrypted the blob, they now have all of the passwords for every site without having to go to Here’s what I recommend:

  1. Use LastPass to generate new passwords for those sites that involve money (Financial Institutions and Web shopping sites that store payment info, such as Amazon). I use PayPal to purchase stuff online wherever possible. This took me less than an hour, and means that the important passwords in the stolen blob are now useless. Most other sites aren’t that critical — if someone wants to go online as me and pay my bills, I say let ’em.
  2. Use two-factor authentication for all non-trusted machines. LastPass supports two types: Grid (free) or Yubikey, that will make it impossible to get in using a non-trusted machine without an extra piece of information or hardware that the bad guys simply will not have. I use a Yubikey, which costs $25 to buy, and requires LastPass premium, which costs $12/year. Well worth it, in my opinion.

Bottom line: LastPass Passes, Sony Fails

Post a comment or leave a trackback: Trackback URL.

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: