LastPass, one of the best known, most popular password management apps to emerge in recent years yesterday announced that it may have been hacked. Coming on the heels of the Sony PlayStation Network breach, the news casts a cloud over the cloud.
LastPass, which on January 31 announced that it would give away an iPad to celebrate surpassing 1 million users, is an app that lets you use one "master password" to access all of your passwords.
LastPass remembers all of your passwords and you just need to remember the master password to access all of them. It also remembers the website addresses associated with each password, which is really convenient. Whenever you go to a site that requires a password, LastPass can fill it in for you. You can also use LastPass to store encrypted notes.
LastPass thus holds the keys to the kingdom for most people. It stores passwords. It is all about security. It is all about protecting you. It's received rave reviews from just about every major tech publication--PC Mag, ZDnet, PCWorld, and many more. So LastPass saying that it might have been hacked is a big deal.
While LastPass should be credited for coming clean and announcing that it might have been hacked soon after it learned of a possible problem, the company has some explaining to do. Its fuzzy explanation of a possible breach is cause for concern.
To be sure, LastPass has behaved admirably by blogging about the possible breach and updating customers and the press throughout the day Thursday.
LastPass CEO Joe Siegrist yesterday morning posted a blog entry saying the company had noticed some anomalous activity on its servers and asked users who did not have strong passwords--one using capital letters, alphanumeric characters, and numbers to create a string of characters that is not a word or proper noun--to create a new password.
Siegrist made this announcement because he suspected a breach. He did not know for sure if there had indeed been a breach, however. Yet he still made the announcement, damaging the company's reputation but maintaining its integrity.
All this is to be commended. LastPass is not evil.
What worries me is that LastPass did not understand the traffic anomaly that occurred on its servers.
LastPass is a huge target. It should be able to tell exactly why it is experiencing a traffic boom, who is causing it and how.
LastPass is cloud-based and I have tried it but don't use it. I've always favored RoboForm, which started as a desktop password manager and added a web-based system about a year ago--long after LastPass debuted. Since I had started using RoboForm around 1999 and it had millions of users by the time LastPass started up, I felt more comfortable with RoboForm. I looked at LastPass as an upstart. But some of the most web-savvy, security-conscious people I know use LastPass.
I hope it turns out LastPass was not breached, and I hope LastPass establishes better monitoring of its servers so it does not have to guess about whether an anomaly in traffic is a breach.