Tom Simonite

A View from Tom Simonite

A Tale of Two Hacks

News of another attack on user data shows that, if handled correctly, the cloud can be safe.

  • May 5, 2011

Last week thousands of people had their names, real addresses and even credit card details stolen when Sony’s PlayStation servers were hacked. That and subsequent revelations of Sony’s lax security policies led many to question whether we can rely on the cloud. The latest news of problems with servers storing user data suggests the answer is a qualified yes.

Popular service LastPass offers software that remembers online passwords for you, entering them as needed automatically via browser plugins. All those accounts are protected using one master password - “the last password you’ll ever need” - and stored in the cloud. Yesterday morning, the company had some bad news for users, saying it had noticed some odd internet activity around one of its stores of user data:

“Because we can’t account for this anomaly…we’re going to be paranoid and assume the worst: that the data we stored in the database was somehow accessed,” wrote a staff member on LastPass’s blog.

This was different from what happened to Sony’s users in two ways. First, the company waited less than 24 hours before revealing there was a problem, compared to the week that Sony pondered its massive breach. Second, LastPass went to users even though it had no proof anything was actually stolen.

All its engineers saw was a few minutes of unexplained activity. But enough data was transferred for an attacker to have obtained users’ email addresses, encrypted passwords and the random “salt” used to create those encrypted versions. Contrast that to Sony, which stored its users’ passwords without such protection. LastPass passwords were encrypted so strongly that even a supercomputer would need years to get past the encryption.

“The only thing a thief could conceivably do with this data is attempt brute-force decryption by guessing at passwords. Success in such an endeavor is extremely unlikely; the odds are vanishingly small,” reported PCMag.

At least, the odds are small if you don’t have a very guessable password. Previous hacks have revealed that many people do (anyone using 123456 as a password for anything, please stop). LastPass has said that anyone with a “non dictionary based” password - i.e. not made up of real words - should be unaffected but is sensibly forcing all of its users to change their password anyway.
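To make the point about salts and guessable passwords concrete, here is an added example that is not from the article or from LastPass. It assumes PBKDF2-HMAC-SHA256 with an illustrative iteration count (the article does not say which scheme LastPass used) and a short constructed wordlist, and shows why a stored salt and hash protect a random password but not one that appears on a list of common choices.

```python
import hashlib
import hmac
import os

# Assumed parameters for this example; the article does not say what LastPass used.
ITERATIONS = 50_000
# Constructed sample of commonly chosen passwords (a real audit list is far longer).
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein", "monkey"]


def derive(password, salt):
    """Slow, salted one-way derivation of a password (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_record(password):
    """What the server keeps: a fresh random salt and the derived hash, never the password."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": derive(password, salt)}


def verify(record, candidate):
    """Re-derive with the stored salt and compare in constant time."""
    return hmac.compare_digest(derive(candidate, record["salt"]), record["hash"])


def audit_record(record, wordlist=COMMON_PASSWORDS):
    """Return the listed password that matches this record, or None if none does.

    Anyone holding the salt and hash can run this same loop offline, which is
    why a dictionary password stays at risk even when it is stored properly.
    """
    for guess in wordlist:
        if verify(record, guess):
            return guess
    return None


if __name__ == "__main__":
    weak_a, weak_b = make_record("123456"), make_record("123456")
    strong = make_record("t7#Vq0zL!pWe93xK")  # constructed random-looking password
    # Per-user salts: identical passwords produce different stored hashes.
    print("same hash for same password:", weak_a["hash"] == weak_b["hash"])
    print("weak record audit:", audit_record(weak_a))
    print("strong record audit:", audit_record(strong))
```

The per-user salt rules out precomputed tables and forces each account to be guessed separately, while the iteration count sets the cost of every guess; neither helps a password that is among the first few guesses.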

All this from a company much smaller than Sony, but with what appear to be better security policies and attitudes to what to do when they fail. No system will ever be completely failproof, but if the right precautions are taken and users are kept informed, trusting the cloud needn’t be so scary.
