I guess it was inevitable that a consumer-oriented password manager service would get hacked, and today we’ve learned that one did: Gizmodo.com.
So is there a lesson here for us? A few, I suppose:
- Security is only as good as the weakest link. I don’t think plaintext passwords were exposed, and it’s not even clear that encrypted ones got leaked, but password recovery hints did, and that may be enough to compromise some passwords.
- The size of a target matters. I’m sure hackers much prefer to compromise popular systems to obscure ones. For consumers, this leads to the following interesting guidance: see where the herd is running – and run the other way. Choose less commonly used services if you can (but subject to other constraints, like commercial viability and likelihood of the service being well/professionally operated – have fun figuring out which is which).
- The push to federate will only accelerate. Nobody wants separate passwords for various web sites, when the operators of those sites could easily federate to Facebook, Google, etc. Why solve the problem yourself if you can simply farm it out, for free?
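A defender-side check for the weak link in the first point above, added here as an example (it is not from this post or from any password-manager product): a hint-policy validator that rejects recovery hints which effectively disclose the password. The thresholds, the leet-speak map and the sample pairs are assumptions constructed for this example.

```python
import difflib
import re

# Assumed policy thresholds (constructed for this example, not from any product).
MIN_SHARED_RUN = 4     # a common substring this long or longer counts as a leak
MAX_SIMILARITY = 0.6   # difflib ratio above this is "too close to the password"

# Crude leet-speak normalisation: 0->o 1->i 3->e 4->a 5->s 7->t 8->b @->a $->s !->i
LEET = str.maketrans("0134578@$!", "oieastbasi")


def normalise(text: str) -> str:
    """Lower-case, undo common substitutions, drop punctuation and spaces."""
    return re.sub(r"[^a-z0-9]", "", text.lower().translate(LEET))


def longest_common_run(a: str, b: str) -> int:
    """Length of the longest substring shared by a and b."""
    return difflib.SequenceMatcher(None, a, b).find_longest_match(0, len(a), 0, len(b)).size


def hint_problem(password: str, hint: str):
    """Return a reason the hint is unsafe to store, or None if it passes the policy."""
    p, h = normalise(password), normalise(hint)
    if not h:
        return "hint is empty"
    if p == h or p in h or h in p:
        return "hint contains the password (or vice versa)"
    if longest_common_run(p, h) >= MIN_SHARED_RUN:
        return "hint shares a long substring with the password"
    if difflib.SequenceMatcher(None, p, h).ratio() > MAX_SIMILARITY:
        return "hint is too similar to the password"
    return None


if __name__ == "__main__":
    # Constructed sample pairs: the first three would have leaked, the last is acceptable.
    for pw, hint in [("p@ssw0rd", "password"), ("Tr0ub4dor&3", "troubadour"),
                     ("Fluffy2009", "Fluffy's birth year"), ("Xk9#vQ2mL", "first car")]:
        print(f"{hint!r:24} -> {hint_problem(pw, hint) or 'ok'}")
```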
If you are/were a LastPass user, you have a couple of options:
- Change everything – your master password and your hints.
- Delete your profile. Take your business elsewhere or give up on this class of application.