Possible security breach provides lessons to anyone using simple passwords and devs who build restrictive systems
It's not been a great time of late for online passwords, with Sony's PlayStation Network being a particularly high-profile casualty. In the last week of April, it was revealed the company's servers had been hacked and all kinds of details had been pilfered; within hours, people unlucky enough to use a single password across online services were discovering other accounts had been compromised.
It's poor form for such a huge company to be hit in this manner, but it's even more embarrassing if password protection is the core of your business. LastPass ("the last password you'll ever need") now finds itself in this position, although seemingly more through being alarmist and responsive than due to any real danger to the majority of its users. According to a post on the company's blog, the service "saw a network traffic anomaly for a few minutes from [a] non-critical machine" on Tuesday, couldn't find the root cause, and has taken steps to deal with the matter. (PCWorld reports that the site is "forcing every user to prove to us that they're coming from an IP that we've seen them come from before, or prove that they still have access to their email".)
The company maintains that it's unlikely many passwords could have been compromised, but warns that users with weak 'master passwords' are at some risk and should therefore change them to something that is not dictionary-based. While LastPass should be congratulated for its response time (under 24 hours, for something that may in the end affect very few users, compared to Sony taking nearly a week to admit that millions of users' details had been compromised), the incident should again serve as a warning to anyone using the most basic of passwords (such as '123456'). That said, Thomas Baekdal would no doubt argue against LastPass's assertion that passwords should be a complex soup of semi-random characters. In a follow-up to his now much-linked article on the usability of passwords, he argues that common dictionary passwords can actually be more secure than random sets of characters, with the added benefit of being memorable. The assumption, though, is that the user includes at least three words and that the words aren't directly related to them.
For web developers, there's also a lesson here: ensure users are strongly encouraged to avoid overly simple passwords when signing up to any site you create, and ensure that your password system doesn't have a low character limit and that it supports extended characters and even spaces.
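The following is an added example of what that developer lesson looks like in code; it is not code from the article, from LastPass or from Baekdal. It assumes a sign-up flow that receives a password and a username, applies a policy that rejects a (constructed, deliberately tiny) blocklist of common passwords and anything too short, accepts spaces and non-ASCII characters, refuses passphrases built around the user's own account name, and then stores the result with a salted PBKDF2-HMAC-SHA256 hash so that password length is never constrained by the storage layer. The iteration count, minimum length and blocklist are assumptions for illustration.

```python
import hashlib
import hmac
import os
import unicodedata

# Constructed sample of a common-password blocklist; a real deployment loads
# a large list built from breach corpora, not four entries.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein"}

MIN_LENGTH = 12              # long passphrases are the goal, so no low cap
MAX_LENGTH = 256             # generous ceiling only to bound hashing cost
PBKDF2_ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256


def normalize(password):
    """NFKC-normalize so the same passphrase typed on different keyboards
    or platforms yields identical bytes before hashing."""
    return unicodedata.normalize("NFKC", password)


def check_password_policy(password, username=""):
    """Return (ok, reason). Accepts any Unicode text, spaces included."""
    pw = normalize(password)
    if pw.strip().lower() in COMMON_PASSWORDS:
        return False, "common password"
    if len(pw) < MIN_LENGTH:
        return False, "too short"
    if len(pw) > MAX_LENGTH:
        return False, "too long"
    # Dictionary passphrases are acceptable, but not ones that embed the
    # user's own account identifier.
    if username and username.lower() in pw.lower():
        return False, "contains account identifier"
    return True, "ok"


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns 'iterations$salt_hex$hash_hex'.
    Hashing fixes the stored size, so there is no reason to cap input length low."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(password).encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=32
    )
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(stored, candidate):
    """Recompute the hash with the stored salt and iteration count and
    compare in constant time."""
    iterations, salt_hex, hash_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(candidate).encode("utf-8"),
        bytes.fromhex(salt_hex), int(iterations), dklen=32,
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


if __name__ == "__main__":
    for pw in ["123456", "correct horse battery staple", "Grüße aus Köln 2011"]:
        print(repr(pw), check_password_policy(pw, "alice"))
    record = hash_password("correct horse battery staple")
    print(verify_password(record, "correct horse battery staple"))
```

The policy deliberately says nothing about requiring digits or symbols: a multi-word passphrase with spaces passes, '123456' does not, and the hash step means a 200-character passphrase costs the database exactly as much as a 12-character one.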