SECURITY SERVICE Lastpass is forcing users of its password management software to change their single master password after a possible breach of its systems.
Considering the Lastpass website immediately points you to the words "the last password you have to remember!", it's a pretty embarrassing situation for the company. Lastpass works by allowing you to store all the passwords you use in encrypted form, accessible with a master password.
But from the notification on the Lastpass blog, it looks like the firm pulled out all the stops to make sure that there was no serious breach of security. It was alerted by a network traffic anomaly on one of its non-critical machines, with a similar but smaller anomaly coming from its database server in the opposite direction.
Lastpass said, "We know roughly the amount of data transferred and that it's big enough to have transferred people's email addresses, the server salt and their salted password hashes from the database."
It further said that people with strong non-dictionary based passwords shouldn't have a problem, but because not everybody picks one that's immune to brute-force attack, it decided that users need to change "the last password you will have to remember".
It also wants users to indicate that they are who they should be, by coming from an IP block that they've used before or validating their email address. Lastpass is also using the disruption as an excuse to implement some additional security controls.
It said, "We realise this may be an overreaction and we apologise for the disruption this will cause, but we'd rather be paranoid and slightly inconvenience you than to be even more sorry later."
Meanwhile I'm pretty confident in saying that only a complete idiot lets a third party hold all his passwords.
Even if you needed the convenience you'd use one of the add-ons or software packages if you have half... no, make that 1/4th of a brain.
I agree it's responsible to get in front of this and have everyone reset passwords. But what really sucks is that their website is currently overwhelmed. That's unacceptable to me when I'm paying for their service.
I'm considering discontinuing use of the service until their system improves. I don't want to waste 30 minutes trying to get my master password reset because they didn't factor in the load when everyone needs to reset master passwords ASAP.
See, this is how a RESPONSIBLE company acts. Sony could learn a thing or two from LastPass.