Last pass having issues, not bashing them, but it is strange.

prime
prime
Community Member

I’ve been seeming Tweets about issues with Lastpass how customers can’t get into their vaults. How can this be? I can put my phone, tablet, or anything and I’m still able to get into 1Password. Are the mater passwords being transmitted to unlock?

https://www.zdnet.com/article/lastpass-is-in-the-midst-of-a-major-outage/


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • I haven't seen an update that lays things out clearly and I'm not familiar enough with LastPass myself to make a good guess, @prime. For that reason, I don't really want to opine on this specific issue nor imply I have any great wisdom about what can be or should have been done to avoid it. I do appreciate you taking the time to phrase this carefully, though. It's clear to me you're just looking to learn rather than criticize. It's easy to use these sorts of issues as an opportunity to claim superiority, but the reality is that we've all been on the icky side of media attention before and it isn't fun. I don't want to make the folks at LastPass's lives any harder than they already are today. Plus, since I'm not intimately familiar with the problem, there's some chance we could have potentially been bit by the same thing.

    Given that perspective, I prefer to think of these things as learning experiences for the whole industry. Rather than criticizing, we should endeavor to better understand these issues and use them as an opportunity to examine how we protect against this sort of problem as well as how we might do better. Working together as an industry to improve password managers across the board can only serve to make it safer and easier for more folks to take that important step of using one in the first place. More folks having access to the tools that keep them secure online can only serve to help us. Plus, our primary goal has always been to help as many folks as possible improve their online security. If we aren't a good fit for any one individual, family, or business, we genuinely hope they find a good fit with one of our competitors as that achieves our core mission far better than having them stick to reusing the same password everywhere.

    With that said, I can say is that we spend a lot of time thinking about the issue of availability. While I don't have an example at hand, I'm sure you'll find numerous comments on these forums from Jeff Goldberg (our Chief of Security) discussing the importance of availability as a component of security. What's more, the focus of conversations around password security is often on how you make that data unavailable to attackers without even a mention of how you keep it available to you – the person who needs it. As an industry, we need to make sure we're helping to educate and inform folks about this important component of keeping your data safe, whether passwords or otherwise. If memory serves, Jeff often says something like, "a system so secure even you can't access it isn't really secure at all".

    We make efforts to consider this oft-overlooked aspect of security in all we do. It's why 1Password thinks local first – your data is saved to your local database and encrypted there before it ever goes off to our servers. This ensures the integrity of the data you save even if our service is unavailable for any period. Your local data is persistent to ensure you have access to it even if you (or we) are offline. We consider a track record of reliability as paramount when choosing a hosting provider to ensure the need for such protections are as rare as we can make them. We chose to become SOC2 certified because part of that process requires that we do an intensive audit of our service's availability which allows us not only to demonstrate via a third-party certification that we're committed to data availability, but also forces us to look critically at what might make our service unavailable and ensure we're minimizing or eliminating those risks.

    This is an important issue and one I'm glad folks are talking about. I certainly wish it were under less upsetting circumstances, but the conversation is valuable regardless of its source. I'm sure our own engineering team is keeping an eye on this issue and will take a close look at 1Password to ensure we are protecting against this sort of problem and working on improvements if any can be made. And, of course, I'm glad that LastPass seems to have this sorted and their customers are back up and running. I'm sure it's been a rough day for them and at this point they're likely looking forward to some well-deserved rest. We can and should use this as an opportunity to discuss availability and make sure we're doing all we can to ensure that availability for our customers, but beyond that I hope we (and our customers) keep humanity and compassion at the core as you have here and avoid turning this into a confrontation. None of us is perfect and what's important is that we learn from our mistakes and work to make them right. :chuffed:

  • prime
    prime
    Community Member
    edited January 2020

    @bundtkate thanks for the feedback.

    Also, it says 2 people commented on this, but I don’t see the other post.

This discussion has been closed.