LastPass responds to possible hack


LastPass responded well to a possible hack

It's not been a great time of late for online passwords, with Sony's PlayStation Network being a particularly high-profile casualty. In the last week of April, it was revealed the company's servers had been hacked and all kinds of details had been pilfered; within hours, people unlucky enough to use a single password across online services were discovering other accounts had been compromised.

It's poor form for such a huge company to be hit in this manner, but it's even more embarrassing if password protection is the core of your business. LastPass ("the last password you'll ever need") now finds itself in this position, although seemingly more through being alarmist and responsive than due to any real danger to the majority of its users. According to a post on the company's blog (opens in new tab), the service "saw a network traffic anomaly for a few minutes from [a] non-critical machine" on Tuesday, couldn't find the root cause, and has taken steps to deal with the matter. (PCWorld reports that the site is "forcing every user to prove to us that they're coming from an IP that we've seen them come from before, or prove that they still have access to their email".)

The company maintains that it's unlikely many passwords could have been compromised, but warns users with weak 'master passwords' are at least at some risk and should therefore change them to something that is non-dictionary based. While LastPass should be congratulated for its response time (under 24 hours, for something that may in the end affect very few users, compared to Sony taking nearly a week to admit millions of users' details were compromised), the incident should again serve as a warning to anyone using the most basic of passwords (such as '123456'); that said, Thomas Baekdal would no doubt argue against LassPass's assertion that passwords should be a complex soup of semi-random characters. In a follow-up to his now-much-linked article on the usability of passwords, he argues common dictionary passwords can actually be more secure than random sets of characters, and with the added benefit of being memorable. The assumption though is the user includes at least three words and that the words aren't related directly to them.

For web developers, there's also a lesson here: ensure users are strongly encouraged to avoid overly simple passwords when signing up to any site you create, and ensure that your password system doesn't have a low character limit and that it supports extended characters and even spaces.

Thank you for reading 5 articles this month* Join now for unlimited access

Enjoy your first month for just £1 / $1 / €1

*Read 5 free articles per month without a subscription

Join now for unlimited access

Try first month for just £1 / $1 / €1

The Creative Bloq team is made up of a group of design fans, and has changed and evolved since Creative Bloq began back in 2012. The current website team consists of six full-time members of staff: Editor Kerrie Hughes, Deputy Editor Rosie Hilder, Deals Editor Beren Neale, Senior News Editor Daniel Piper, Digital Arts and Design Editor Ian Dean, and Staff Writer Amelia Bamsey, as well as a roster of freelancers from around the world. The 3D World and ImagineFX magazine teams also pitch in, ensuring that content from 3D World and ImagineFX is represented on Creative Bloq.