Beware of password keepers that keep data in the cloud
LastPass users got an unwelcome surprise last week when the popular password management service experienced an outage that left many customers unable to log into websites for hours.
On August 12, starting around 4 a.m. Eastern Time, the company lost one of its data centers. Although LastPass migrated its service to other data centers, users continued to have trouble for a total of about 12 hours.
It wasn't supposed to go down like that. LastPass, after all, is meant to be a convenience. Like all password managers, it stores a user's usernames and passwords in a vault encrypted under a single master password. Instead of keeping track of dozens or even hundreds of passwords (or reusing one password across multiple accounts), users can have a strong, unique password for each site and log in with a single click after entering the master password. And LastPass does take a precaution against exactly this kind of data center failure: an encrypted copy of the vault is cached locally on the user's computer, so the master password can unlock it without contacting the service.
After the service went offline, many customers took to Twitter and online forums to report that the offline mode wasn't working, effectively locking them out of their own websites and online accounts.
This isn't the first time LastPass users have been hit with an outage. In 2011, concerned that its service had been breached, LastPass forced all users to change their master passwords. Unfortunately, the company's servers couldn't handle the load of so many users changing passwords simultaneously. Many users found their master password corrupted and could not log in to access their passwords.
The latest outage didn't affect nearly as many users, but it was frustrating nonetheless, and it illustrates an unintended consequence of trusting a single service with all of your critical and day-to-day passwords: when that service fails, everything behind it becomes unreachable at once.
There are workarounds, of course. LastPass should have automatically switched affected users to offline mode, which lets them keep using the locally cached passwords (but not sync passwords across PCs or save new ones). And it did work properly for some users, just not all.
For users who were truly desperate, there was always the password reset option. Even if you can't get into your password manager, you can reset your password on the site you need to access and record the new password manually for future reference. As long as you have access to your password recovery email account (and possibly the answers to security questions, depending on how the account is configured), you can always get back into your critical sites. The one password you must be able to produce without the manager is the one for that recovery email account; if it lives only inside the locked vault, the reset path is closed too.
Another consideration: choose your password manager based on its offline strategy. Dashlane, 1Password, Roboform and KeePass, for example, all keep the password database locally, on your PC, so even if the sync service fails completely, you can still get to your usernames and passwords.