When the announcement came last week that some data might have been compromised on servers at LastPass, the password management company that hosts my encrypted password database, I wasn't too worried.
But I did change my master password, for reasons I'll get to shortly. The experience also made me reexamine how I manage my password data. Users with strong passwords had little to worry about. But there are three other key things you need to do to protect yourself.
Why I use it
I use LastPass to synchronize my password database between the different devices I use - home PC, Mac Mini, MacBook, iPad, etc. I could store all of my data locally, but LastPass allows me to store a local copy of my password data on each device and maintain a master copy in the cloud that keeps all of those local copies up to date.
LastPass has some very sophisticated methods for protecting your data, but it can't protect users from themselves. Your hosted data is encrypted, but access to your data is only as secure as your master password and the other security protections LastPass offers to help you protect it.
LastPass doesn't know your master password. Software running on your local computer encrypts your master password, applies a salted hash to it and sends the result to LastPass.com. LastPass stores that salted hash and uses it, not your master password, to authenticate you. This makes it much harder for stolen authentication data to be used.
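To make the scheme described above concrete, here is an added example (not LastPass's code, and not the column's) of client-side password stretching with a second, server-side salted hash. The iteration counts, the use of the e-mail address as the client-side salt, and PBKDF2-HMAC-SHA256 are assumptions for the illustration; the real service may differ. The point it shows is the one the next paragraphs make: whoever copies the user table gets only a value that must be attacked one slow guess at a time, never the master password or the encrypted vault.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Assumed parameters for this illustration (not LastPass's real values):
# the account e-mail address serves as the client-side salt, and both
# sides stretch with PBKDF2-HMAC-SHA256.
CLIENT_ITERATIONS = 100_000
SERVER_ITERATIONS = 100_000


def client_auth_hash(master_password: str, email: str,
                     iterations: int = CLIENT_ITERATIONS) -> bytes:
    """Computed on the user's device. The master password itself is never
    transmitted; only this derived value is sent to the service."""
    return hashlib.pbkdf2_hmac("sha256",
                               master_password.encode("utf-8"),
                               email.strip().lower().encode("utf-8"),
                               iterations)


def server_store(auth_hash: bytes,
                 server_salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Computed on the service. It keeps a second, per-user salted hash of the
    value it received, so a copy of the database yields neither the master
    password nor a value that can simply be replayed as a login."""
    if server_salt is None:
        server_salt = os.urandom(16)
    stored = hashlib.pbkdf2_hmac("sha256", auth_hash, server_salt,
                                 SERVER_ITERATIONS)
    return server_salt, stored


def server_verify(auth_hash: bytes, server_salt: bytes, stored: bytes) -> bool:
    """Recompute from the presented value and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, server_salt,
                                    SERVER_ITERATIONS)
    return hmac.compare_digest(candidate, stored)


# Constructed in-memory stand-in for the service's user table:
# email -> (server_salt, stored_hash)
UserTable = Dict[str, Tuple[bytes, bytes]]


def register(table: UserTable, email: str, master_password: str) -> None:
    table[email] = server_store(client_auth_hash(master_password, email))


def login(table: UserTable, email: str, master_password: str) -> bool:
    if email not in table:
        return False
    salt, stored = table[email]
    return server_verify(client_auth_hash(master_password, email), salt, stored)


if __name__ == "__main__":
    users: UserTable = {}
    register(users, "alice@example.com", "correct horse battery staple")
    print(login(users, "alice@example.com", "correct horse battery staple"))  # True
    print(login(users, "alice@example.com", "password1"))                     # False
```

Every candidate master password costs the full client and server stretching before it can be compared against a leaked record, which is what makes a weak master password the only realistic way in: the stretching slows each guess, but it cannot save a password that falls in the first few thousand guesses.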
The potentially compromised data from LastPass' servers included the salted hash and user names. "That would be enough to set up a potential attacker so they could start going through and looking for people with weak master passwords without having to hit our servers," said LastPass CEO Joe Siegrist, who explained the "network traffic anomaly" in a PC World interview.
Sameer Kochhar, director at LastPass, says, "We only had the salted hash in our database, so they'd have to guess password, compute the salted hash, and then compare it to the value stored in the database. But even if they managed to do this they still don't have access to your actual encrypted data (sites, usernames, passwords, formfills, etc.).
"We secured against this threat by locking down all user accounts. Specifically, if a user tries to log into their LastPass vault from a new location (an IP address from which they never logged in before), then we would deny them access. To gain access, they have to prove to us that they are who they say they are by clicking on a link that we send them by email."
In other words, to protect users who might have had a weak master password, LastPass prevented everyone from getting access to the online password vault from an unrecognized IP address until they responded to an e-mailed verification. It also prompted users to change their master passwords upon login.
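The lockdown Kochhar describes is a simple policy, and this added example (not LastPass's code or the column's) sketches it: a login that has already passed the password check is held if it comes from an address the account has never used, a single-use, expiring token is e-mailed, and confirming the token adds the address to the known list. The link lifetime, the in-memory outbox standing in for e-mail, and the `must_change_master` flag used for the forced password change are assumptions of the example.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Set, Tuple

# Assumed validity window for the e-mailed verification link (not a LastPass value).
LINK_TTL_SECONDS = 15 * 60


@dataclass
class Account:
    email: str
    known_ips: Set[str] = field(default_factory=set)
    # token -> (source address awaiting approval, expiry timestamp)
    pending: Dict[str, Tuple[str, float]] = field(default_factory=dict)
    must_change_master: bool = False


class LoginGate:
    """Decides whether a password-verified login from a given address may proceed."""

    def __init__(self, now: Callable[[], float] = time.time):
        self.now = now  # injectable clock so expiry can be tested
        # (recipient, token) pairs; a constructed stand-in for the mail system
        self.outbox: List[Tuple[str, str]] = []

    def attempt(self, account: Account, ip: str) -> str:
        """Called only after the master password has already been verified."""
        if ip not in account.known_ips:
            token = secrets.token_urlsafe(32)
            account.pending[token] = (ip, self.now() + LINK_TTL_SECONDS)
            self.outbox.append((account.email, token))
            return "verify-email"
        if account.must_change_master:
            return "allow-change-master"
        return "allow"

    def confirm(self, account: Account, token: str) -> bool:
        """Called when the user follows the e-mailed link. Tokens are single use."""
        entry = account.pending.pop(token, None)
        if entry is None:
            return False
        ip, expiry = entry
        if self.now() > expiry:
            return False
        account.known_ips.add(ip)
        return True

    def lock_down_all(self, accounts: Iterable[Account]) -> None:
        """Incident response step: every account must rotate its master password."""
        for account in accounts:
            account.must_change_master = True
```

The gate is a second check layered on top of the password, not a replacement for it: an attacker who has guessed a weak master password from the leaked hashes still has to receive the e-mail, which is exactly why the column later insists on a strong e-mail password.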
A hint of trouble
Fortunately, I didn't have a weak password, although I did run LastPass' security check feature just to double-check. But what worried me was that my password hint, which also might have been compromised, might possibly be used to figure out my master password. My hint was a little too cute, letting me reconstruct the groups of values that make up my master password.
So I did try to change my master password -- and that's where I ran into trouble. While you can log into your local copy of LastPass and access your data locally, you need to log into LastPass.com to change your master password. Unfortunately, LastPass' servers were overwhelmed when the news hit, and I was unable to log in. So I had to wait -- something that would have been nerve-wracking had I used a weak password.
But I had another reason to chill: I use LastPass's Grid two-factor authentication feature, which is required from any computer except one in my home office. That means any hacker would need not only to crack my user name and master password but also to enter a string of data that only I know. LastPass's Grid feature generated a random grid of numbers which I printed out and carry in my wallet. It randomly asks for the numbers from different positions on that grid every time I log in. No numbers, no passwords. The product also supports two other multifactor authentication schemes: the software-based Sesame, which runs from a thumb drive, and YubiKey, a USB-based hardware key, for additional security.
One thing about this whole episode did give me pause: As LastPass has grown, it -- and my data -- have become a bigger target than if I had simply hosted my encrypted password database in my own cloud-based shared storage service. That is something that a competing product, 1Password, allows you to do with third-party services such as Dropbox. But 1Password does not offer two-factor authentication -- a feature I feel is essential if you're going to host your password data in the cloud.
Four tips for locking down LastPass
So if you're going to use LastPass and store your password data in the cloud, how should you protect yourself? Here are my four recommendations:
- Use a strong master password - and verify the strength using LastPass' Security Check feature.
- Don't use a password hint. Or, if you do, don't think you're so clever that a hacker can't reverse engineer your thinking. If it's not completely unfathomable to anyone except you, don't use it. A better method: Write your master password down, store it in your safe deposit box and use your key to retrieve it if you forget.
- Have a strong password on your e-mail account. Because LastPass uses your e-mail address as your user ID and allows users to recover from a forgotten master password via e-mail (as do many online accounts, including banking), a weak e-mail password can unravel everything.
- Use multi-factor authentication - Grid, Sesame or YubiKey. In each case you need to carry something with you. I use the Grid feature, which requires that I enter both the master password and numbers located in randomly selected positions in a randomly generated, printed number grid that I have with me at all times. Yes, entering a master password and four randomly selected alphanumeric characters from a grid in my wallet is a hassle -- inserting a Sesame or YubiKey USB device is much faster -- but the Grid simply requires a piece of paper in my wallet, not a key I might lose. And LastPass lets me exempt specific machines, such as my home PC. So I only really need to use it when I travel.
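The Grid factor described in the paragraph above and in the last tip is straightforward to picture in code. This added example (not LastPass's implementation, and not from the column) generates a printable grid at enrolment, issues a fresh four-cell challenge per login, checks the answer in constant time, and exempts devices the user has marked as trusted. The grid dimensions, the letter-plus-digit alphabet and the cell-naming convention are assumptions of the example; only the four-character challenge comes from the column.

```python
import hmac
import secrets
import string
from typing import List, Optional, Set, Tuple

ALPHABET = string.ascii_uppercase + string.digits
ROWS, COLS = 10, 10          # assumed grid dimensions for this illustration
CHALLENGE_CELLS = 4          # the column says four positions are asked for

Grid = List[List[str]]
Challenge = List[Tuple[int, int]]   # (row, column) pairs

_rng = secrets.SystemRandom()


def generate_grid(rows: int = ROWS, cols: int = COLS) -> Grid:
    """Fresh random grid, generated once at enrolment and kept server-side;
    the user prints it and carries the paper copy."""
    return [[secrets.choice(ALPHABET) for _ in range(cols)] for _ in range(rows)]


def render_grid(grid: Grid) -> str:
    """Printable form: lettered columns, numbered rows, so a cell reads like 'C7'."""
    col_labels = string.ascii_uppercase[:len(grid[0])]
    header = "   " + " ".join(col_labels)
    body = [f"{r:2d} " + " ".join(row) for r, row in enumerate(grid)]
    return "\n".join([header] + body)


def new_challenge(grid: Grid, cells: int = CHALLENGE_CELLS) -> Challenge:
    """Pick distinct cells at random for this login; a challenge is never reused."""
    all_cells = [(r, c) for r in range(len(grid)) for c in range(len(grid[0]))]
    return _rng.sample(all_cells, cells)


def describe_challenge(challenge: Challenge) -> str:
    """The prompt shown to the user, e.g. 'C0, A2, B1, A0'."""
    return ", ".join(f"{string.ascii_uppercase[c]}{r}" for r, c in challenge)


def expected_answer(grid: Grid, challenge: Challenge) -> str:
    return "".join(grid[r][c] for r, c in challenge)


def verify_answer(grid: Grid, challenge: Challenge, answer: str) -> bool:
    """Constant-time comparison; tolerates lower case and stray whitespace."""
    presented = "".join(answer.split()).upper().encode()
    return hmac.compare_digest(expected_answer(grid, challenge).encode(), presented)


class SecondFactorPolicy:
    """The grid is demanded unless the device was explicitly marked trusted,
    which mirrors exempting the home PC while still challenging a travel laptop."""

    def __init__(self, grid: Grid, trusted_devices: Optional[Set[str]] = None):
        self.grid = grid
        self.trusted_devices = set(trusted_devices or ())

    def requires_grid(self, device_id: str) -> bool:
        return device_id not in self.trusted_devices


if __name__ == "__main__":
    grid = generate_grid()
    print(render_grid(grid))
    challenge = new_challenge(grid)
    print("Enter the characters at:", describe_challenge(challenge))
```

Because each login asks for a different set of cells, seeing one answer reveals only four of the grid's hundred cells; the protection comes from the paper copy, which is why the trusted-device exemption should be reserved for machines that are themselves physically controlled.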