LastPass & DropBox breach thoughts

LastPass, the online cloud based password manager, and Dropbox, the cloud based storage service, both reported possible security concerns.  A dropbox vulnerability(?) was discovered where an attacker with physical access to a PC can steal a certain config file and access your dropbox storage from a different machine.  Everyone’s getting their panties in a bunch about this dropbox vulnerability but it requires access to data on your PC. If an attacker has access to your PC you have other problems to worry about.  The bigger issue with Dropbox is the fact that they possess a recovery key to your data and can grant access to the government.  Always encrypt your data first with something like Truecrypt before uploading to the cloud.

LastPass also reported noticing a network anomaly which has prompted them to take action including recommending users to update their master password.  Again this is not a major deal.  I use LastPass and will continue to use it.  LastPass doesn’t have plaintext data —- they have your password list stored as an encrypted blob and they have your master password hash.  If any of LastPass’ client data was leaked it’s only a matter of time before cryptographically weak master password hashes are brute forced (salt?) .  You should update your critical passwords (banks, finance, email) just in case —- BTW, how often are you changing passwords?  90 days?  Yearly? Never?  I update my key passwords monthly (gmail & banking).

 LastPass, I still love you….

Dear LastPass User,
On May 3rd, we discovered suspicious network activity on the LastPass internal network. After investigating, we determined that it was possible that a limited amount of data was accessed. All LastPass accounts were quickly locked down, preventing access from unknown locations. We then announced our findings and course of action on our blog and spoke with the media.
As you know, LastPass does not have access to your master password or your confidential data. To further secure your account, LastPass now requires you to verify your identity when logging in. You will be prompted to validate your email if you try to log in from a new location. This prompt will continue to appear until you change your master password or indicate that you are comfortable with the strength of your master password.
Please visit for more information.
The LastPass Team

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s