Please see UPDATEs below.
Yesterday I mentioned that I'd found both convenience and (increased) security in the LastPass system for handling online passwords.
Late yesterday, LastPass announced that its engineers had detected a "network traffic anomaly" for which they could not immediately identify the "root cause." Then they found another small anomaly. As explained now on its blog:
"Because we can't account for this anomaly either, we're going to be paranoid and assume the worst: that the data we stored in the database was somehow accessed. We know roughly the amount of data transferred and that it's big enough to have transferred people's email addresses, the server salt and their salted password hashes from the database. We also know that the amount of data taken isn't remotely enough to have pulled many users' encrypted data blobs.
"If you have a strong, non-dictionary based password or pass phrase, this shouldn't impact you - the potential threat here is brute forcing your master password using dictionary words, then going to LastPass with that password to get your data. Unfortunately not everyone picks a master password that's immune to brute forcing.
"To counter that potential threat, we're going to force everyone to change their master passwords. Additionally, we're going to want an indication that you're you, by either ensuring that you're coming from an IP block you've used before or by validating your email address. The reason is that if an attacker had your master password through a brute force method, LastPass still wouldn't give access to this theoretical attacker because they wouldn't have access to your email account or your IP."
I am headed to an airport again and don't have time to explain "salted password hashes" etc. just now. The take-home messages of the LastPass announcement are:
a) All LastPass users will have to change their "master password," which is not that onerous -- and LastPass will check to be sure that the change is coming from a recognized address or user;
b) People who choose "dictionary words" for their passwords -- i.e., normal words that a hacker could just try one after another, in a "brute force" attack, to see if one is accepted -- are at greater risk than those who mix the passwords up. The mixing up can include numbers, special characters, multi-word phrases, etc. -- password construction is a topic for another time, but mainly this is a reminder not to have things like "password" or "123456" as your special phrase.
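Point (b) in working code, as an added illustration that is not part of the original post or of LastPass's software: a server stores the three fields the announcement names (email address, salt, salted hash), and a defender-side check shows that a dictionary master password is still recovered from that record while a mixed passphrase is not. The hashing scheme (PBKDF2), the iteration count and the six-word list are assumptions chosen for the example.

```python
import hashlib
import secrets

# Constructed stand-in for a dictionary (assumption: a real one is far larger;
# six common entries are enough to show the mechanism).
TINY_DICTIONARY = ["password", "123456", "letmein", "sunshine", "dragon", "welcome"]
ITERATIONS = 1000  # assumption: a slowed hash; the post does not state the real scheme


def salted_hash(server_salt: bytes, master_password: str) -> bytes:
    """Hash of salt + password, the value stored next to the email address.
    PBKDF2 is an assumption; the point is that the salt sits beside the hash."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), server_salt, ITERATIONS)


def make_record(email: str, master_password: str) -> dict:
    """Server-side registration: the fields the announcement says may have leaked."""
    server_salt = secrets.token_bytes(16)
    return {"email": email, "salt": server_salt,
            "hash": salted_hash(server_salt, master_password)}


def dictionary_exposure(record: dict, wordlist=TINY_DICTIONARY) -> tuple:
    """Defender's check: would this record's master password fall to the wordlist?
    Whoever holds the record also holds the salt, so each word is hashed with it
    and compared. The salt defeats precomputed tables; it does not stop
    per-record guessing, and a slow hash only makes each guess cost more.
    Returns (found, guesses_tried)."""
    for guesses, word in enumerate(wordlist, start=1):
        if salted_hash(record["salt"], word) == record["hash"]:
            return True, guesses
    return False, len(wordlist)


if __name__ == "__main__":
    weak = make_record("alice@example.com", "sunshine")             # dictionary word
    strong = make_record("bob@example.com", "Tr3e-kettle-91-orbit")  # mixed passphrase
    print(dictionary_exposure(weak))    # (True, 4)
    print(dictionary_exposure(strong))  # (False, 6)
```

Two users with the same weak password still get different stored hashes because of the salt, which is why a stolen table cannot be matched against a precomputed list, yet the weak password is found in four guesses anyway.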