Global users of password management service LastPass were left unable to access their online accounts for much of Tuesday after one of the firm’s datacenters went down for several hours.
The outage occurred at 03.57 Eastern Time (8.57 BST), according to LastPass.
“Our team immediately took action to migrate LastPass to run entirely on a different datacenter. As a result, many users experienced connection errors with the LastPass service, and LastPass.com has been intermittently unavailable throughout the morning,” the firm said in a service update.
“We have been engaged with our datacenter provider the entire time to resolve the issues. Please note this does not impact the security of your data.”
At the time LastPass urged users to login through browser extensions to access their vault, although even then it admitted that “some may still see warnings that they are in ‘offline mode’.”
An update at 1.28pm Eastern claimed that although the malfunctioning datacenter was still down “the service is generally stable and should be available to the majority of users (with the exception of login favicons)”.
A final update of the day at 4.13pm Eastern Time claimed that “most users” should be able to access LastPass browser extensions and LastPass.com, although favicons still may not sync.
Judging by the comments left below the updates, LastPass will have a tough time convincing enterprise users to stay with the service – which is designed to simplify and bolster log-in security by managing multiple passwords with just one master authentication credential to remember.
Amichai Shulman, CTO of Imperva, argued the outage shows the importance of guaranteed levels of up-time from cloud service providers.
“For example, a service that guarantees 99% up-time is expected to be down almost four days a year,” he told Infosecurity.
“A home user may accept such service level (especially as it comes for free) but an enterprise would probably require a higher level of service. Additionally, cloud services can compensate for some downtime by resorting to some local end-point cache.”
David Stubley, CEO at security testing firm 7 Elements, added that storing important data in a single place can always have an unintended impact on business continuity.
“Organizations using any third party supplier should consider the impact should a supplier fail or in the case of using the cloud should the organization be unable to connect to the internet,” he said.
Colin Miles, CTO of Pirean, told Infosecurity the incident proves that any enterprise security product or service “will need to find the balance between user convenience, security and the critical demands of the business itself”.
Mark James, security specialist at ESET, told Infosecurity that password managers are still a god thing if used correctly and from a good supplier.
“A good redundancy infrastructure could have resolved their [LastPass’] problems and I am sure they will act accordingly to do their best to protect against this in future and if you absolutely had to access that website or service during the time of the blackout, a quick password reset I am sure is possible, but not ideal,” he added.
“There are both online and offline password managers and it’s important to understand the pros and cons of both when choosing your product.”
Finally, Toyin Adelakun, vice president of products at Sestus, argued that firms like LastPass need to up their game when it comes to availability and security – especially as many will become a target for attackers as they get more popular.
“The better password-management offerings will have local copies of passwords in user devices, and synchronise them in ACIDic fashion with cloud copies,” he explained.
“Better yet, the password management product would have locking and other signalling under-the-hood methods to ensure that changes which cannot be committed — on account of internet connectivity problems, for instance — will be signalled clearly and simply to the user, so that the user can make informed choices in respect of changing or deleting password.”