Friday, May 6, 2011

Bits: Password Service Warns of Possible Hacking Attack


5:28 p.m. | Updated: Adding more background and information from an interview with the company’s chief executive.


LastPass, a service for managing passwords, said late Wednesday that out of concern about a possible hacking attack, it would force its more than 1 million users to change their master passwords, which they use to retrieve passwords for other sites across the Web.


The news comes in the wake of several recent high-profile hacks of computer-security companies, including another maker of technology designed to make access to Web sites more secure, RSA Security.


In a blog post, LastPass, which offers free and paid products, said that last Tuesday it had detected two “traffic anomalies,” including one leaving the company’s database, and could not explain the causes. That sparked fears that intruders may have made off with user information.


“We’re going to be paranoid and assume the worst,” LastPass said. It said its analysis so far suggests hackers could have acquired users’ e-mail addresses and might be able to decipher their master passwords using “brute force” methods, if those passwords are simple enough.


In addition to requiring its users to set new master passwords, LastPass said it would confirm that users of its system are legitimate by matching the numerical Internet Protocol addresses tied to their computers with IP addresses used by them in the past, or by validating them through e-mail.


The password information stored by LastPass clearly makes it a tempting target for hackers.


“The data that they store, it’s the keys to the kingdom” for many consumers and company employees using LastPass to store passwords for bank accounts and sensitive corporate systems, said Jeremy Conway, a senior threat researcher at NitroSecurity, who was formerly part of the team defending NASA’s network. “It’s a high-value target.”


But security professionals praised LastPass’s swift disclosure and action to protect users as a model of how to handle a security problem. Security experts have been relentless in their criticism of other companies that have suffered hacks recently and were slow to report them or provided few details.


Two security firms, RSA, whose SecurID technology was raided by hackers, and Comodo, whose system for certifying Web site authenticity was hit, have come under particular criticism for security fumbles and slow or incomplete disclosure.


However, some, including Mr. Conway, questioned the adequacy of LastPass’s internal security, noting that the company’s description of the incident suggested it was not using available technology that would provide more visibility into activity on its network and that is necessary to understand the true extent of a data breach.


“They don’t know what data was accessed. Why not?” Mr. Conway said. “It shows that they are immature in their security practices. They have issues they need to address.”


Joe Siegrist, LastPass’s chief executive, said that the growing popularity of the company’s service has made it more attractive to attackers, and that it would look for ways to make itself harder to hit. For one, he said he would hire a security firm to audit its systems.


LastPass’s rapid action also caused problems for some users. The company was triggering password resets by asking users to enter the e-mail address associated with their account when they entered their master password, and then sending an e-mail with a link to a site where they would enter a new master password. In a Catch-22, many users found they were unable to get the e-mail because, without a working master password, they were locked out of their e-mail accounts. Others ran into different roadblocks trying to reset their master passwords.


“Was this mandatory panic thoroughly thought about before being initiated?” asked one anonymous “paying customer” who commented on LastPass’s blog post. “It will take a lot for Lastpass to restore trust in the system, because I am out as soon as this fiasco is over.”


LastPass conceded that its systems were overwhelmed by the task of resetting so many passwords and responding to customers running into difficulties. In response, it slowed things down by forcing immediate resets only on users visiting its service from unfamiliar IP addresses. And it encouraged other users to wait to reset their master passwords until LastPass prompted them to do so.


With the extent of the potential breach unknown, experts said extra-cautious users may also want to change the passwords they store with LastPass, especially those for sensitive accounts.

