May 12, 2011
By now it’s old news – password service LastPass (possibly my favorite app of all time) noticed some unusual activity from their logs and went into the highest levels of DEFCON, contacting all its users (myself included) and forcing a password change and other measures. There’s been a bit of to-ing and fro-ing in different blogs about what this means for the web, for the cloud, for password sites and the like. I’ll not dwell on that aspect other than to say that, in my opinion at least, there are two options. Firstly to have unique and secure passwords for your different services in the hands of a company whose very existence rests on keeping those password secure. Secondly to rely on 9as is generally the case) one password for all your sites, to hardly ever change that password and (sacre bleu) to write said password on a post-it note attached to the inside of your laptop.
What I really wanted to talk about is the actions of LastPass and in particular their CEO, Joe Siegrist. It’s also worthwhile contrasting his actions with those of Sony during the recent security debacle where thousands of user details, of the highest sensitivity, where breached. Bear in mind that in the case of LastPass, there is no proof that and real loss occurred, and yet Siegrist came out with a hyper-cautious approach and embarked on a course of action that included multiple levels of checks and balances.
We tried to handle this the way we’d want it to be handled if we were users. And that’s what we’re looking at. We’re trying our best to do what’s right.
In my opinion the actions of LastPass have been exemplary – the actual loss in this instance was either non-existent or negligible. Many larger companies would have simple brushed this under the table and perhaps introduced some new security measures under the cloak of a version update. LastPass however was completely up-front and transparent about what happened, what they knew and, more importantly, what they didn’t know, potential results and solutions to the issue.
In the process, of course, LastPass got huge amounts of media attention that, once the storm over the security breach has died down, will have an ongoing benefit. I’ve met Siegrist however and have talked at length to him about what he’s doing and I totally buy the story that his handling of the incident was purely and simply a desire to “do the right thing”.
If only other vendors had the same moral perspective…