LastPass alerts users about potential master password breach


Computerworld – LastPass, an online password management provider, is forcing its users to change their master passwords after detecting what it described as a “traffic anomaly” on one of its database servers.

In a blog post on Wednesday, LastPass said it first noticed a network traffic irregularity on Tuesday morning when looking at the logs for one of its non-critical systems. It decided to dig deeper after it was unable to find a root cause for the irregularity.

“After delving into the anomaly we found a similar but smaller matching traffic anomaly from one of our databases in the opposite direction (more traffic was sent from the database compared to what was received on the server),” the blog post noted.

Because LastPass has been unable to account for this anomaly, it has decided to assume that the database has been compromised. The amount of data that was transferred out of its system is big enough to have contained people’s email addresses, their salted password hashes and the server salt, LastPass said.

Salting is a technique used to make it harder for people to misuse stolen passwords. A randomly generated value, the salt, is added to the password before it is obscured, or hashed.

“We also know that the amount of data taken isn’t remotely enough to have pulled many users encrypted data blob,” LastPass noted.

LastPass is a service that lets users store their usernames, passwords and form-fill data online. The service then automatically fills in the information when the user visits a site that requires the information. The company offers a free service as well as a fee-based service.

Such services are designed to let people create strong and unique passwords for each site they use without having to worry about remembering each one of them. Users tend to use the same passwords for multiple sites because of this worry.

With services such as LastPass, users need to only remember one master password for logging into the service.

In its blog post, LastPass noted that the possible compromise is unlikely to affect anyone with a “strong, non-dictionary”-based master password or pass phrase.

LastPass is requiring everyone to change their master password because intruders could use brute-force methods to guess weaker master passwords, the company noted. “Unfortunately, not everyone picks a master password that’s immune to brute forcing.”
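Why a salt does not save a weak master password once the hashes and salts are both exposed, shown as an added example that is not from LastPass or the original article. The hash construction (SHA-256 over salt plus password), the sample passwords and the word list are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os


def salted_hash(password: str, salt: bytes) -> bytes:
    # Assumed construction for illustration: SHA-256 over salt || password.
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def new_record(password: str) -> dict:
    # Each account gets its own random salt, stored beside the hash.
    salt = os.urandom(16)
    return {"salt": salt, "hash": salted_hash(password, salt)}


def found_in_wordlist(record: dict, wordlist: list) -> bool:
    # Audit check: with the salt known, each candidate costs one hash to test,
    # so a password that appears in a word list is recovered almost at once.
    return any(
        hmac.compare_digest(salted_hash(word, record["salt"]), record["hash"])
        for word in wordlist
    )


# Constructed sample data, not real credentials.
WORDLIST = ["password", "letmein", "qwerty123", "dragon"]
alice = new_record("letmein")                        # weak, in the word list
bob = new_record("letmein")                          # same weak password
carol = new_record("maple-Quartz-91-river-lantern")  # long pass phrase


def audit() -> dict:
    return {
        # Different salts hide the fact that two users share a password
        # and make precomputed hash tables useless.
        "same_password_same_hash": alice["hash"] == bob["hash"],
        # The salt does nothing for a password that is in the word list.
        "alice_guessable": found_in_wordlist(alice, WORDLIST),
        "bob_guessable": found_in_wordlist(bob, WORDLIST),
        # A strong, non-dictionary pass phrase is not found.
        "carol_guessable": found_in_wordlist(carol, WORDLIST),
    }


if __name__ == "__main__":
    for name, value in audit().items():
        print(f"{name}: {value}")
```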

According to LastPass, the incident has accelerated its decision to implement stronger authentication measures. The company is also rebuilding the servers that were compromised, and all source code underlying the Web site has been verified against the original repository to ensure no tampering was done.

Users will need to validate their email addresses or log in from an IP address they have used before to reset their master password, the company added.

“We realize this may be an overreaction and we apologize for the disruption this will cause, but we’d rather be paranoid and slightly inconvenience you than to be even more sorry later,” it said.

Several of the more than 700 comments posted by LastPass users on its blog site suggested that users had some trouble accessing their accounts following the master password reset request.

In most of the cases, the problems appeared to be the result of users not knowing how to proceed with the reset or not knowing about the need for them to do it.

In some cases, users appeared unsure what to do because the passwords to their email system had been stored in LastPass.

“For the third time — can someone give a solution,” one anonymous poster lamented. “Nothing works. What the hell should I do?”


This post was submitted by prashant agarwal.
