May 5th, 2011

It can be overwhelming remembering all your different passwords (and you should use different passwords) for various websites and services. LastPass aims to make that easier on you by storing all your passwords and allowing you to access them with one master password. But what if someone were to get that master password?

You’d be screwed… and that’s exactly what LastPass is saying might have happened to their customers. Perhaps they should change their slogan:

Of course LastPass also has an Android application that allows you to carry all your passwords around with you, auto-fill logins/passwords in the browser, add/update secure notes and more. If you've currently got LastPass installed on your phone, it means you probably use LastPass services, which means your data may have been compromised and you should probably start changing some passwords around.

Uninstalling that app might not be a bad idea either and I’m sure they’ll be getting some bad ratings in the market because of this. Having one location for all your passwords sounds helpful, but it also becomes the Fort Knox of data theft opportunities and if the bad guys get ALL your passwords, you’re pretty screwed.

In this particular case, the company may be reacting to a false alarm:

we're going to be paranoid and assume the worst: that the data we stored in the database was somehow accessed. We know roughly the amount of data transferred and that it's big enough to have transferred people's email addresses, the server salt and their salted password hashes from the database. We also know that the amount of data taken isn't remotely enough to have pulled many users' encrypted data blobs.

Obviously, when it comes to such a sensitive issue, there's no such thing as overreacting. Did any of you have LastPass installed on your phones? Did you like it? Will you continue using it, switch to another password provider, or stop using password consolidators altogether?