LastPass Sets The Bar

   The only way (IMHO) today to have multiple unique strong passwords is to use a password management application {Chapter 7 Security+ 3ed}.  One of my favorites is LastPass, a cloud-based service that stores your usernames and passwords online.  When you visit a site that asks you to log in, LastPass fills in the credentials through your browser (there is both a free and a fee-based service).

   On Wednesday (May 4, 2011) LastPass announced that there might have been a problem and that users should reset their master password just in case.  Several elements of this story are worth a closer look.

   First, LastPass discovered the potential problem because they monitor their network traffic and noticed an anomaly: the volume of traffic leaving one of their database servers was larger than what was coming in, with no explanation for the difference.  (I wonder how many sites monitor traffic like this?)

   Secondly, LastPass cannot say that there was a breach, but "we're going to be paranoid and assume the worst that the data we stored in the database was somehow accessed."  (Compare this with the Sony PlayStation Network breach last month, which exposed data on about 77 million accounts, yet Sony waited roughly a week before saying anything.  Who is more proactive here?)

   Third, when you log in from an IP block that you have not used before, LastPass now requires you to verify your e-mail address before it will release anything.  This means that an attacker who stole a password hash and then brute-forced the master password still cannot reach your stored passwords from an unfamiliar network unless he also controls your mailbox.  (Another good idea.)

   Fourth, LastPass is moving to the Password-Based Key Derivation Function (PBKDF2), which is part of PKCS #5 {Chapter 12 Security+ 3ed}, using SHA-256 {Chapter 11 Security+ 3ed} and a 256-bit salt {Chapter 7 Security+ 3ed}.  The point of PBKDF2 over a single hash is its iteration count: every password guess costs the attacker many thousands of hash computations instead of one, and the random per-user salt means each user's hash has to be attacked separately rather than with one precomputed table.  (Strong stuff.)
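   To make the third and fourth points concrete, here is an added example (my own illustration, not LastPass's code) of a server-side login check that stores master passwords with PBKDF2-HMAC-SHA256 and a random 256-bit salt, and then gates any login from an unfamiliar IP block behind e-mail verification.  The iteration count, the /24 and /64 "block" sizes, the record layout and the sample addresses are all assumptions made for the example.

```python
import hashlib
import hmac
import ipaddress
import os
from dataclasses import dataclass, field

# Assumed parameters (not from the LastPass notice): 100,000 PBKDF2 rounds,
# a 256-bit random salt and a 256-bit derived verifier.
ITERATIONS = 100_000
SALT_BYTES = 32
KEY_BYTES = 32


def derive(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256: the slow, salted hash stored instead of the password."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=KEY_BYTES)


def ip_block(ip: str) -> str:
    """Coarse 'where are you coming from' key: /24 for IPv4, /64 for IPv6 (assumed sizes)."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 64
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


@dataclass
class UserRecord:
    email: str
    salt: bytes
    verifier: bytes
    iterations: int
    known_blocks: set = field(default_factory=set)  # IP blocks already verified by e-mail


def enroll(email: str, master_password: str, first_ip: str,
           iterations: int = ITERATIONS) -> UserRecord:
    """Create a record with a fresh random salt; the first IP block is trusted."""
    salt = os.urandom(SALT_BYTES)
    return UserRecord(email, salt, derive(master_password, salt, iterations),
                      iterations, {ip_block(first_ip)})


def login(rec: UserRecord, master_password: str, ip: str) -> str:
    """Returns 'denied', 'verify-email' or 'ok'."""
    candidate = derive(master_password, rec.salt, rec.iterations)
    if not hmac.compare_digest(candidate, rec.verifier):  # constant-time compare
        return "denied"
    if ip_block(ip) not in rec.known_blocks:
        # Right password, unfamiliar network: hold the vault until the mailbox confirms.
        return "verify-email"
    return "ok"


def confirm_email(rec: UserRecord, ip: str) -> None:
    """Called once the user clicks the verification link sent to rec.email."""
    rec.known_blocks.add(ip_block(ip))


def offline_guesses(rec: UserRecord, wordlist: list) -> int:
    """Counts the PBKDF2 computations an attacker holding the salt and verifier
    must spend to find the password in a constructed wordlist (-1 if absent).
    Each guess costs rec.iterations SHA-256 rounds, not one."""
    for n, guess in enumerate(wordlist, start=1):
        if hmac.compare_digest(derive(guess, rec.salt, rec.iterations), rec.verifier):
            return n
    return -1


if __name__ == "__main__":
    # Constructed sample session with documentation-range addresses.
    rec = enroll("alice@example.com", "correct horse battery staple", "203.0.113.10")
    print(login(rec, "correct horse battery staple", "203.0.113.77"))   # same /24 -> ok
    print(login(rec, "correct horse battery staple", "198.51.100.5"))   # new block -> verify-email
    confirm_email(rec, "198.51.100.5")
    print(login(rec, "correct horse battery staple", "198.51.100.200")) # now ok
    print(offline_guesses(rec, ["password", "letmein", "correct horse battery staple"]))
```

   Two details matter in practice: the verifier comparison uses a constant-time compare so the login path does not leak how many bytes matched, and the salt is generated per user from the OS random source, so two users with the same master password get different verifiers and a stolen table cannot be cracked once for everyone.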

   It's interesting to compare LastPass's proactive stance (there is still no evidence that there even was a breach) with what other vendors have done.  I'd say that LastPass has set the bar pretty high as a model for other vendors to follow.

   You can read about it at http://blog.lastpass.com/2011/05/lastpass-security-notification.html.

   Stay secure!

http://community.cengage.com/infosec