LastPass Demonstrates Impeccable Crisis Handling

Tuesday, May 17, 2011

Ben Kepes

4c1c5119b03285e3f64bd83a8f9dfeec

By now it’s old news – password service LastPass (possibly my favorite app of all time) noticed some unusual activity from their logs and went into the highest levels of DEFCON, contacting all its users (myself included) and forcing a password change and other measures.

There’s been a bit of to-ing and fro-ing in different blogs about what this means for the web, for the cloud, for password sites and the like. I’ll not dwell on that aspect other than to say that, in my opinion at least, there are two options.

Firstly to have unique and secure passwords for your different services in the hands of a company whose very existence rests on keeping those password secure.

Secondly, to rely on (as is generally the case) one password for all your sites, to hardly ever change that password and (sacre bleu) to write said password on a post-it note attached to the inside of your laptop.

What I really wanted to talk about is the actions of LastPass and in particular their CEO, Joe Siegrist. It’s also worthwhile contrasting his actions with those of Sony during the recent security debacle where thousands of user details, of the highest sensitivity, where breached.

Bear in mind that in the case of LastPass, there is no proof that a real loss occurred, and yet Siegrist came out with a hyper-cautious approach and embarked on a course of action that included multiple levels of checks and balances.

It is well worth reading an exclusive interview over on PC World. Most telling is Siegrist’s final statement;

We tried to handle this the way we’d want it to be handled if we were users. And that’s what we’re looking at. We’re trying our best to do what’s right.

In my opinion the actions of LastPass have been exemplary – the actual loss in this instance was either non-existent or negligible. Many larger companies would have simply brushed this under the table and perhaps introduced some new security measures under the cloak of a version update.

LastPass however was completely up-front and transparent about what happened, what they knew and, more importantly, what they didn’t know, potential results and solutions to the issue.

In the process, of course, LastPass got huge amounts of media attention that, once the storm over the security breach has died down, will have an ongoing benefit.

I’ve met Siegrist however and have talked at length to him about what he’s doing and I totally buy the story that his handling of the incident was purely and simply a desire to “do the right thing”.

If only other vendors had the same moral perspective…

Cross-posted from Diversity

Possibly Related Articles:
14053
Breaches
Service Provider
Cloud Security Incident Response Managed Services breach password LastPass
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.