LastPass alerts users about potential master password breach
Users of the online password management service will need to reset their master passwords as precaution, company says
Computerworld - LastPass, an online password management provider, is forcing its users to change their master passwords after detecting what it described as a "traffic anomaly" on one of its database servers.
In a blog post on Wednesday, LastPass said it first noticed a network traffic irregularity on Tuesday morning while reviewing the logs of one of its non-critical systems. When it could not find a root cause, it decided to investigate further.
"After delving into the anomaly we found a similar but smaller matching traffic anomaly from one of our databases in the opposite direction (more traffic was sent from the database compared to what was received on the server)," the blog post noted.
Because LastPass has been unable to account for the anomaly, it has decided to assume that the database was compromised. The amount of data transferred out of its system is large enough to have contained users' email addresses, their salted password hashes and the server salt, LastPass said.
Salting is a technique that makes stolen password hashes harder to misuse: a randomly generated value, the salt, is combined with the password before it is obscured, or hashed, so that lookup tables precomputed without the salt cannot be reused against the stolen hashes.
"We also know that the amount of data taken isn't remotely enough to have pulled many users' encrypted data blobs," LastPass noted.
LastPass is a service that lets users store their usernames, passwords and form-fill data online. The service then automatically fills in the information when the user visits a site that requires the information. The company offers a free service as well as a fee-based service.
Such services are designed to let people create a strong, unique password for each site they use without having to remember each one. It is that burden of remembering which leads users to reuse the same password across multiple sites.
With services such as LastPass, users need to only remember one master password for logging into the service.
In its blog post, LastPass noted that the possible compromise is unlikely to affect anyone with a "strong, non-dictionary"-based master password or pass phrase.
LastPass is requiring everyone to change their master password because whoever holds the hashes and salt could use brute-force methods to guess weaker master passwords, the company noted. "Unfortunately, not everyone picks a master password that's immune to brute forcing."
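To make the two points above concrete, here is an added Python sketch that is not LastPass's code: the hash construction (SHA-256 over salt plus password), the salt value, the sample accounts and the wordlist are all made up for illustration. It shows why salting defeats precomputed tables, and why it cannot save a master password that is itself in a dictionary once the salt has leaked alongside the hashes.

```python
import hashlib


def salted_hash(password: str, salt: bytes) -> str:
    """Salted hash, hypothetical scheme for illustration: SHA-256 over
    salt || password. The article does not name the hash LastPass used."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


# Constructed sample records modelled on the three fields the article says the
# leaked volume could hold: email address, salted hash, and the salt itself.
SALT = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")   # made-up value
USERS = {
    "alice@example.invalid": "password1",                    # weak
    "bob@example.invalid": "Summer2011",                     # weak
    "carol@example.invalid": "orbit kettle lantern 7 march", # strong passphrase
}
LEAKED = {email: salted_hash(pw, SALT) for email, pw in USERS.items()}

# Tiny stand-in for the wordlists used in offline guessing.
WORDLIST = ["123456", "password", "password1", "Summer2011", "letmein"]


def salt_changes_hash(password: str) -> bool:
    """Why salting matters: the same password under two salts yields two
    different hashes, and neither equals the unsalted hash, so a table built
    without the right salt is useless."""
    a = salted_hash(password, b"\x01" * 16)
    b = salted_hash(password, b"\x02" * 16)
    plain = hashlib.sha256(password.encode("utf-8")).hexdigest()
    return a != b and plain not in (a, b)


def exposure_check(leaked: dict, salt: bytes, wordlist: list) -> dict:
    """Defender's estimate of how many accounts a leak of hash + salt exposes:
    hash each dictionary word under the leaked salt and look for matches.
    Salting cannot protect a password that is itself in the dictionary, which
    is the reason the article gives for forcing everyone to reset."""
    table = {salted_hash(w, salt): w for w in wordlist}  # valid for this salt only
    return {email: table[h] for email, h in leaked.items() if h in table}


if __name__ == "__main__":
    hits = exposure_check(LEAKED, SALT, WORDLIST)
    print(f"{len(hits)} of {len(LEAKED)} accounts guessable from a "
          f"{len(WORDLIST)}-word list: {sorted(hits)}")
```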
According to LastPass, the incident has accelerated its decision to implement stronger authentication measures. The company is also rebuilding the servers that were compromised, and all of the source code underlying the Web site has been verified against the original repository to ensure no tampering occurred.
To reset their master password, users will need to validate their email address or log in from an IP address they have used before, the company added.
"We realize this may be an overreaction and we apologize for the disruption this will cause, but we'd rather be paranoid and slightly inconvenience you than to be even more sorry later," it said.
Several of the more than 700 comments posted by LastPass users on its blog suggested that users had trouble accessing their accounts after the master password reset request.
In most cases, the problems appeared to stem from users not knowing how to proceed with the reset, or not knowing that they needed to do it.
In some cases, users appeared unsure what to do because the passwords to their email accounts were themselves stored in LastPass.
"For the third time -- can someone give a solution," one anonymous poster lamented. "Nothing works. What the hell should I do?"
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is jvijayan@computerworld.com.