Password manager LastPass goes titsup: Users locked out

Popular password management service LastPass went on the blink today, leaving users locked out of their accounts. Reg reader Tim Stephenson, head of IT at Liftshare, told us that the firm’s employees had experienced timeouts trying to access the site, browser plugins weren’t responding and users couldn’t authenticate …


  1. Robert E A Harvey

    Lastpass

    I thought lastpass was pretty good, but dumped it in favour of another method that did not depend upon other people's services or software.

    There are other password manglers out there and they all seem to me to lock your eggs up in their basket. I suppose that is the nature of the beast.

    1. Gotno iShit Wantno iShit

      Re: Lastpass

      "There are other password manglers out there and they all seem to me to lock your eggs up in their basket. I suppose that is the nature of the beast."

      Try a .txt file stored in a TrueCrypt volume. Sure, it doesn't have all the conveniences of LastPass, KeePass or Firefox's built-in tools, but nor does it have the failure modes. My eggs, my basket.

      1. Anonymous Coward

        Re: Lastpass

        I thought TrueCrypt was recently busted wide open?

        http://www.theregister.co.uk/2014/05/28/truecrypt_hack/

        1. John H Woods Silver badge

          Re: Lastpass

          AC: "I thought TrueCrypt was recently busted wide open?"

          It's not quite as simple as that; version 7.1a might be fine :-)

      2. mythicalduck

        Re: Lastpass

        >Try a .txt file stored in a TrueCrypt volume. Sure, it doesn't have all the conveniences of LastPass, KeePass or Firefox's built-in tools, but nor does it have the failure modes. My eggs, my basket.

        How does a text file on an encrypted volume differ from something like KeePass, which is an encrypted XML document? If the encryption failed on either (data corruption etc.) you'd be boned.

        1. Gotno iShit Wantno iShit

          Re: Lastpass

          Duplicate post deleted. No idea how that happened.

        2. Gotno iShit Wantno iShit

          Re: Lastpass

          KeePass keeps the data locally but the software is closed so as you say you're boned.

          LastPass keeps your data in the house of cards called 'cloud'.

          Firefox, bit of each I think but I confess I've not dug deeply.

          TrueCrypt as a project seems to be dead, but TrueCrypt the storage format and TrueCrypt the software (7.1a) aren't; so far these have stood up to independent scrutiny. Since the volume format is open and documented there are other programs that can open a TrueCrypt volume. If TrueCrypt the software became untrusted I can use something else to get my data back. If TrueCrypt the storage format gets busted I can simply use 7.1a to migrate my data to a new container.

          1. Sir Runcible Spoon

            Re: Lastpass

            For a company with such a high impact if something should fail, it's amazing that they don't have any global resiliency.

            Cowboys.

          2. Anonymous Coward

            Re: Lastpass

            There's KeePassX - open source and cross-platform.

            1. Old Handle
              Linux

              Re: Lastpass

              Regular KeePass is open source too. As far as I can tell, KeePassX is just a fork that exists mainly for historical reasons.

          3. Guus Leeuw

            Re: Lastpass

            Uhm, noshitman, KeepAss' software is perfectly open: one can download the source code right from their website...

            Or, maybe I'm mistaken, and you mean something with "KeePass keeps the data locally but the software is closed so as you say you're boned."

          4. Alan Edwards

            Re: Lastpass

            > KeePass keeps the data locally but the software is closed so as you say you're boned.

            There is other software that can read KeePass files, e.g. KeePassDroid on Android, KyPass on iOS. The decryption algorithm must be out there, so you can migrate to something else if necessary.

          5. mythicalduck

            Re: Lastpass

            "KeePass keeps the data locally but the software is closed so as you say you're boned."

            KeePass is closed? WTF are you talking about? Source code is available, and can be downloaded from http://keepass.info/download.html, just scroll down to "Other Downloads and Resources"

          6. djnapkin

            Re: Lastpass

            Keepass software is not closed - the source code is freely available. I had a look through it recently, when I was musing about running up a copy on my own website as an emergency thing when travelling. More to it than I had expected.

      3. psychonaut

        Re: Lastpass

        Spot on - that's what I do.

        Yawn... another cloud, another failure.

        Thought all this was supposed to be auto-failover, zero-downtime stuff?

        Why is it still so crap?

        1. Phil O'Sophical Silver badge

          Re: Lastpass

          "Why is it still so crap?"

          Like every outsourced service, there's a reason why it's cheaper than doing it yourself: because it doesn't get done very well when you do it on the cheap. Beancounters never learn.

          1. psychonaut
            Mushroom

            Re: Lastpass

            @phil

            Fair comment - I did mean cloud in general though - where's all the auto-failover stuff? Why doesn't it work? Multiple data centres, clusters, failover etc etc... this has been in development for years and years, hasn't it? Or does it just not work? I've been in small business IT for 10 years now so I am well out of the big toys stuff, but we were doing this at Neverfail nearly 20 years ago.

            As for TrueCrypt, well, sure, maybe the versions later than 7.1a are suspect, but to who? Even if 7.1a can be cracked, who by? Anyone that interested in my stuff can just break into my office or my online backup, crack my wifi pass and jump on the network, tunnel in from next door..... the NSA could do it at will probably, so could GCHQ? Big deal - I don't care. They aren't interested in me, and if they are, they aren't going to find anything worth having.

            I use 7.1a anyway. Then I back that encrypted container up to Carbonite. I have the last 5 versions stored on Carbonite. I also have a local Windows image backup with versioning. It's not expensive, and I know where my stuff is. If the shit really hit the fan in the office, I've got instant access to my cloud backup. If something happened to that at the same time, then I guess I've got (and all of humanity has) more to worry about than some passwords, like running for cover from the tsunami/nuclear winter/meteor strike... hence the icon.

          2. Anonymous Coward

            Re: Lastpass

            "It doesn't get done very well when you do it on the cheap. Beancounters never learn."

            They learn well enough: If the service is outsourced, then management wrath will strike far away when things do not work. It's the risk-free option.

            1. Peter27x
              FAIL

              Re: Lastpass

              "They learn well enough: If the service is outsourced, then management wrath will strike far away when things do not work. It's the risk-free option"

              Well, the reverse is also true, i.e. we can outsource to another company and pass the risk to them. If it goes wrong we're OK, we can blame them....

      4. asdf

        Re: Lastpass

        >"There are other password manglers out there and they all seem to me to lock your eggs up in their basket. I suppose that is the nature of the beast."

        The PasswordMaker Firefox plugin doesn't require remote services as far as I can tell. It's cross-platform (edge to Firefox plugins) and open source as well.

        1. Sir Digby Chickendinner

          Re: Lastpass

          "The PasswordMaker Firefox plugin doesn't require remote services as far as I can tell. It's cross-platform (edge to Firefox plugins) and open source as well."

          If you are a premium user of LastPass, as a lot of the people affected clearly are, then you can log in offline on your mobile device, where your vault is stored locally. In fact the main reason to go premium is that you get the mobile versions included. So I think all of these people complaining that they could not get any work done actually *could* have done but chose not to, so the outage was not as much of a big deal as they are making out.

          That said, it looks like LastPass dealt with it really badly from a PR POV.

      5. asdf

        Re: Lastpass

        >Try a .txt file stored in a truecrypt volume.

        The problem is then you know the actual password (no deniable culpability for draconian UK password laws) and type it every time, so any potential keyloggers get it also. With PasswordMaker you type a master password (which you can not store at all (enter each time), store in memory (until app close) or even store to disk (terrible idea IMHO)) and then it creates a unique password for each different site. The only real drawback is you have to keep good track of your PasswordMaker Firefox plugin install directory, as it's unique for each install and if blown away you lose access to your passwords until you reset them.

        1. asdf

          Re: Lastpass

          Just to clarify: it creates a unique password for each website (based on a one-way hash of the master password) which you use at first to create the password on the site (you can also control the domain of allowable characters in the password), and then using the same master password it recreates the same password for the site when you revisit and tell it to fill the password field (possibly having to enter the master password again, depending on how you decide to store it). Also, unless you choose to look, you generally don't even know the actual passwords for each site this way.
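As an added illustration of the stateless scheme asdf describes (a one-way derivation from master password plus site, with a controllable character set), here is a small generator. It is not PasswordMaker's own code or algorithm; the KDF (PBKDF2-HMAC-SHA256 with HMAC expansion), iteration count, host normalisation and alphabets are this example's own assumptions.

```python
import hashlib
import hmac
import string
from urllib.parse import urlsplit

# Constructed example: the site password is derived from the master password
# and the site name, so no vault is stored locally or in a cloud service.
# NOT PasswordMaker's algorithm; KDF, parameters and alphabets are assumed.

ALNUM_SYMBOLS = string.ascii_letters + string.digits + "!@#$%^&*"
DIGITS_ONLY = string.digits  # e.g. for a site that only accepts a numeric PIN


def normalise_site(url_or_host: str) -> str:
    """Reduce a URL or host to the lower-case host the password is keyed to.

    'https://www.Example.com/login' and 'example.com' must map to the same
    key, otherwise one account silently gets two different passwords.
    """
    text = url_or_host if "://" in url_or_host else "//" + url_or_host
    host = (urlsplit(text).hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    if not host:
        raise ValueError("no host in %r" % url_or_host)
    return host


def derive_site_password(master: str, site: str, length: int = 16,
                         alphabet: str = ALNUM_SYMBOLS,
                         iterations: int = 200_000) -> str:
    """Derive one site's password deterministically from the master password.

    The expensive step (PBKDF2-HMAC-SHA256, salted with the host) runs once;
    HMAC then expands the resulting key to as many bytes as needed. Bytes are
    mapped onto the alphabet with rejection sampling so every position is
    uniform; a plain `byte % len(alphabet)` would bias towards the first
    characters of the alphabet and quietly lose entropy.
    """
    if not 0 < len(set(alphabet)) == len(alphabet) <= 256:
        raise ValueError("alphabet must be 1..256 distinct characters")
    host = normalise_site(site)
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), host.encode(),
                              iterations, dklen=32)
    limit = 256 - (256 % len(alphabet))  # bytes >= limit are discarded
    chars, counter = [], 0
    while len(chars) < length:
        block = hmac.new(key, f"{host}\x00{counter}".encode(), "sha256").digest()
        chars.extend(alphabet[b % len(alphabet)] for b in block if b < limit)
        counter += 1
    return "".join(chars[:length])


if __name__ == "__main__":
    # Demo with a constructed master password and two constructed sites.
    for site in ("https://www.example.com/login", "example.com", "other.org"):
        print(site, "->", derive_site_password("correct horse", site))
```

Because nothing is stored, every parameter (iterations, alphabet, length, host normalisation) is effectively part of the secret: change any of them and the regenerated password differs, which is the "lose the install directory, lose the passwords" failure mode asdf mentions.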

      6. Scorchio!!

        Re: Lastpass

        @ Gotno iShit Wantno iShit. I agree on the matter of True Crypt, though there is the question mark, it seems the earlier version may be safe. However and in addition I use Mirek W's PINs package (http://www.mirekw.com/winfreeware/index.html) which is free and sits very nicely in an encrypted container. In the past I used another free package called Oubliette (French for 'forget' I believe), but it has not been subject to development for some years. Mirek has a forum, is in reach, and the package is OSI Certified Open Source Software. It has a lot of very useful features, including 448 bit blowfish encryption, and a very good password generator, reminders when passwords are out of date, and so on. Alternatively Gibson at grc.com has a funky password generator.

        As to True Crypt, I keep an archive of all software that I use to enable reversion in the event of such problems. In addition I also keep backups of the appropriate *.tc files, on three separate systems, one my backup server the others being portable drives. When I travel I copy the True Crypt files to my notebook, and then back them up to the portable drives by rotation. I would use the massive USB drives that I have but don't have much faith in their longevity. That sort of traffic would probably cripple them.

      7. Jim 59

        Re: Lastpass

        Make sure that .txt file editor is not auto-saving backup copies outside of your encrypted volume.

    2. phuzz Silver badge
      Go

      Re: Lastpass

      I got a few login errors yesterday, but Lastpass keeps an (encrypted) offline copy of your data, so I could still get to my passwords.

      Sure, Lastpass is not the most secure system I could use, but it hits the sweet spot of convenience and security for me.

    3. Jim 59

      Storing your passwords on the Internet

      No.

    4. Scorchio!!

      Re: Lastpass

      I use Mirek W's PINs: http://www.mirekw.com/ It's open source and has quite a few useful features, including a Blowfish 448-bit encryption algorithm, a complex password generator (including symbols), a file eraser and an awful lot more. Because it can be run from a USB stick, I can double protect it by encrypting the drive or creating an encrypted container.

      In the distant past I used Oubliette but it went into maintenance and then dead mode. I will never, ever let someone look after my passwords. It is still available, or was when I checked a year back.

  2. uncle sjohie

    Working fine

    It's working fine here in the Netherlands. (12-08, 15:49 CET)

    1. Anonymous Coward

      Re: Working fine

      Working fine here in the UK all day too.

      Did we just wobble a bit closer to a nearby parallel universe or something - you know, one where Ebay owns LastPass?

      1. Bumpy Cat

        Re: Working fine

        UK here - it was sluggish this morning, but seems to be responding now.

      2. James O'Brien

        Re: Working fine

        Swear to god if eBay buys out LP I will find you and beat you with my keyboard for making that statement.... Nothing good ever comes out of eBay buying companies....

  3. Anonymous Bullard
    Facepalm

    Who didn't see this one coming?

    1. Anonymous Coward

      only..

      Everyone who uses their service, that's who!

  4. Destroy All Monsters Silver badge

    Must be another dirty trick by P.U.T.I.N.

    Now at least I know why my browser startup took so long.

  5. batfastad

    Honeypot

    Let's just slide these black boxes in behind our SSL offloaders/load balancers. 5 mins downtime will be fine.

  6. Anonymous Coward

    Similar to where I work a few months back...

    <colo outage, all database monitoring tools have flatlined or are flashing red. Customer calls start coming in to Tech Support>

    Management to TS> Don't communicate on a downtime to clients!!! No global information email must be sent. Tell the customers that you have an "exceptional situation that only affects them" if they call

    TS> There is no current known problem. Everything is working just fiiiiiine... Oh, really? Let me check. Hum, there may be an exceptional slowdown at the moment though, I can see your account is a bit slow. We'll keep you informed <trollface.jpg>

    Cust 2>My system is down

    TS>There is no current problem we can see, monitoring seems good <iLied.jpg>

    <...snip...>

    Cust 96> I called 20 minutes ago, your exceptional and temporary problem is a lie, my friends also use your service, and they are up shit creek too...

    TS to Management> Can we make a bloody customer mailing to tell them there is an outage FFS, keep everyone informed, if not happy? We are in meltdown here with 35 mails and 90 calls in 40 minutes and we only have 300 customers in this country!

    20 minutes later, get the OK for a mail to all clients saying that a "temporary problem" is affecting a "small amount of users" for "10 minutes" and that it "happened due to elements out of our control at our ISP" (aka, admins stuffed a planned upgrade that was not tested before, or at least not deployed on one machine at a time in a rolling upgrade rather than all at once).

    Looks like LastPass took a page out of our management's support handling policy.

    AC because even if this is no longer management policy following a buyout, it's frowned upon talking about it.

    Even so, telling the customers the truth does not hurt (much), and it's easier to tell the truth than remember continual lies about the uptime and availability SLAs...

    1. mark 63 Silver badge

      Re: Similar to where I work a few months back...

      right on.

      That's almost as much fun as:

      "Yes we are aware of the problem , our engineers are working on it"

      (Engineers in a different town who never answer the phone, email or instant msgr )

      "How long will it be"

      "I can't say"

      Can you ask them?

      No, can't get in contact with them

      This system is always down!

      um.....

      What did I pay all that money for? Can I speak to Roger the MD?

      No, I'm not allowed to put you through to anyone

      Can I speak to your manager?

      No, I'm not allowed to put you through

      Can you give me any idea how long the outage will be? Hours? Days?

      No, I'm afraid they're not telling me anything yet

      Take a guess

      I can't, because sometimes in the past it's been hours, sometimes it's been days

      You're not a lot of help, are you

      No, I'm really sorry, trust me, I'm almost as pissed off as you are.........

      -------------------------------------------------------------

      .... so i left that job

      1. Anonymous Coward

        Re: Similar to where I work a few months back...

        > take a guess

        On the bright side, at that point your customer's expectations are right where you want them. :-)

    2. Jim 59

      Re: Similar to where I work a few months back...

      In the case of a major outage, customers prefer communication to actually fixing the thing. They are more bothered about being kept informed than they are about the outage itself. Took me many years to learn this.

      The customer prefers knowing that the outage will last 3 hours than not knowing how long it will last, and having it come back after 1.5 hours.

  7. S4qFBxkFFg

    Weirdly, it was usable from my phone (3) but completely unreachable from my office machine (which goes through JANET).

    Seems fine now though.

    edit: I could still log in to everything because it could still use its offline storage

    1. Anonymous Coward

      @S4qFBxkFFg: Did you realise you put your password into the "Name" box? ;)

      1. Sureo

        @AC Re. @S4qFBxkFFg: Did you realise you put your password into the "Name" box? ;)

        Actually it's a great idea. It spares the nuisance of being told 'userid not available', which can get tiresome after several tries. Click 'generate password', use the result as userid. Click again for a password. (Or not if you like to live dangerously.) Job done.

      2. Fink-Nottle
        Happy

        @S4qFBxkFFg: Did you realise you put your password into the "Name" box? ;)

        @S4qFBxkFFg's password is probably 'password' ...

  8. SVV

    Who trusts a third party with their authentication?

    And a third party with seemingly poor failover within their infrastructure?

    This is one thing I would never entrust to "the cloud" - ever.

    OpenSSO, CAS, heck even Active Directory if you really must are all reasonably easy to implement in house.

    I suspect quite a few IT managers are looking at the alternatives with some urgency right now.

    1. PhilipJ

      Re: Who trusts a third party with their authentication?

      The whole idea of sharing accounts and passwords with a 3rd party is ridiculous - why in the hell would you use a password at all, when you give it to anyone?

      suckers, serves them right !

      1. Tim 11

        Re: Who trusts a third party with their authentication?

        So I presume you either just write all your passwords down on sticky notes, or you've written your own encryption software? Compared to those alternatives, I'd take a third party solution any time.

        1. Anonymous Coward

          Re: Who trusts a third party with their authentication?

          > so I presume you either just write all your passwords down on sticky notes, or you've written your own encryption software?

          Don't know about him, but I simply remember them. After all, I already speak a human language¹ with an "everyday" vocabulary of 30,000 to 70,000 words², so a few dozen more to learn are neither here nor there. :-)

          ¹ Six of them actually, but that is beside the point.

          ² Depending on whose numbers you believe.

          1. Someone Else Silver badge
            Facepalm

            @ AC -- Re: Who trusts a third party with their authentication?

            Don't know about him, but I simply remember them.

            Call me again when you reach the age of 60...

            (Fscking Millennials think they'll live for-fricking-evah!)

            1. Anonymous Coward

              Re: @ AC -- Who trusts a third party with their authentication?

              > Call me again when you reach the age of 60...

              How old do you think I am, my dear chap?
