Voice of Objectivity: Give LastPass a Break

Voice of Objectivity is an ongoing column meant to temper the tendency of the Techcited to run away with the most exciting or controversial ideas in technology’s near future. The opinions presented here do not necessarily represent the views of Techcitement or this writer. Someone’s got to keep a cool head around here. I guess I’ll just have to pretend it’s me.

Early last month, the online password manager LastPass suffered a serious breach. A significant quantity of data was accessed by an unknown source, potentially compromising the online identities of thousands of users. Because LastPass is a centralized locker for all your passwords, it could represent a potential disaster for anyone whose account was compromised. Forget email accounts and social networks, we’re talking about banks and sites with credit card information.

Fortunately, LastPass’s staff detected the incursion and went into lockdown, forcing anyone whose account was accessed from a new IP address (for most users, effectively meaning a new location) to reset their passwords. All users were notified, and those with weak master passwords were strongly encouraged to make a change, as they were the ones most vulnerable to having their accounts compromised by the breach.

Since that time, I’ve seen and heard this event referenced numerous times, and every one of those references comes with a stern reminder about the dangers of an online password locker. That’s fair enough, because discussions of LastPass have always included that warning. But now there’s another admonishment attached to it. “They’ve already had a breach” is the new mantra of those warning about the dangers of LastPass.

While it’s true that someone got access to some of the service’s information, I believe it’s important to keep in mind what actually happened here. This isn’t Sony losing huge amounts of customer information that was supposed to be secured or Citibank hiding a security failure for weeks. LastPass’s first line of security failed, sure, but their second line worked.

While usernames and passwords were stolen, the passwords were strongly encrypted. The data leak was detected soon after it happened. Users were notified immediately and were updated frequently on the situation during the first few days. By forcing password changes for anyone using the service through a new IP, LastPass effectively prevented anyone from making use of the stolen data. When the password reset system went down, LastPass made sure people knew how to access the offline cache of their passwords that the LastPass software stores automatically. LastPass has since initiated a third-party security audit and has plans to make such audits a regular part of their operation. They’ve also instituted several other new security measures.

Relying on someone else for your security is a scary prospect. As a longtime user of LastPass, I’ll be the first to admit that it gets even scarier when something goes wrong (you should have seen my face when I tried to log into my account at a friend’s house, just minutes after the lockdown began and before the emails went out to users). In the long run, this incident has increased my confidence in LastPass.

I would much rather rely on a company that would rather risk its own reputation by dealing with a major failure rapidly and effectively than a company that wants to hide its disasters in the shadows. LastPass’s entire product is essentially security, so failing there could literally destroy the company. But at the first sign of trouble, they brought the incident out into the open, if anything overstating the threat level involved. After the breach was discovered, LastPass’s biggest failure wasn’t an inability to handle the actual problem, but the fact that they were overwhelmed by the number of customers resetting their passwords. This inconvenienced many users (myself included) for a few days, but in no way further compromised security.

Perhaps most important of all, as of this writing there has not been, to my knowledge, a single user whose personal data was accessed as a result of this security failure. With all the hacking disasters of this year, that’s a rare accomplishment, and it’s entirely due to the strong security procedures and business ethic of the company involved. I’m done admonishing LastPass on this one. Let’s give them a moment’s praise for treating their customers right, even when times get tough.
