LastPass Enterprise Outage
LastPass is down. Such an outage of a mission-critical IT component can have severe consequences. While the LastPass team is coping with the problem, we take the time to look into the reliability of cloud technologies.
Here we talk about LastPass backup strategies and general questions of policy and reliability of cloud technologies.
For about six months now the company I work at has been using LastPass Enterprise for password management. It has been a great experience, apart from a few moments. And today is one of these moments: we are facing an outage of LastPass for the second time.
Now, what do you do about it?
It depends…
It depends on what you have used LastPass for.
Three cases of being in trouble
In the easiest case, your session is still active on some website and you can keep using it; no password is required. Let’s go to a more complex case.
If LastPass is used to manage passwords to a technology which you possess and can control without the password, it is alright as well. You can reset the password, store it in your offline password manager and go ahead using the system; access is granted. The same holds for resources you do not own but can reset a password for. Let’s get to an even more complex case.
Imagine you have stored a password, or even better a cryptographic key, in LastPass, and the technology for which this key is used does not allow you to reset or recover it.
Some cases like this:
- a shared SSH key which you haven’t stored locally
- a password to a computer, which you do not administer and can not reset
- a password to a computer BIOS or other hardware that is not easily reset
- a full disk encryption passphrase
- the so-called HDD password of a self-encrypting drive
Well, then you might actually be in trouble. The same goes for important non-credential information you have stored in secure notes.
In such a case, multiplied by an outage of the LastPass servers, you really want to have a local backup of your LastPass account.
Wait, but what about LastPass offline mode? Please read the reports online: it does not work reliably, still...
Backing up LastPass
LastPass gives you a chance to back up everything through an export. The available formats are CSV and a LastPass-specific encrypted format. The encrypted format is likely the same CSV, encrypted with a key derived by a PBKDF algorithm. It is a proprietary format, so to have more flexibility when LastPass is down you would likely have to go for the CSV option.
The CSV unfortunately does not contain all of your enterprise information. Passwords and their association with folders are stored, but users, groups, permissions, policies, all the enterprise configuration, are not backed up. Another problem with the CSV is that it is a clear-text file with all your passwords in it!
Simply storing such a backup somewhere on a hot drive is a bad idea. Encrypting it should be the default choice. I would use VeraCrypt with a good passphrase for it. A really good one, about as good as your LastPass master password.
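As an added example of the step above (this is not the post's own procedure): a small POSIX shell script that encrypts the exported CSV with a passphrase-derived key, verifies that the encrypted copy decrypts byte-for-byte to the original, and only then removes the plaintext. It assumes `openssl` 1.1.1 or newer is installed (for `-pbkdf2`) and uses it in place of the VeraCrypt container recommended above, because it can run unattended on a backup host; the file names and the 600000-iteration count are illustrative choices.

```shell
#!/bin/sh
# Added example: encrypt a LastPass CSV export with a passphrase before it is
# stored anywhere, and verify the round trip before the plaintext is deleted.
# Not the author's procedure: assumes openssl >= 1.1.1 (for -pbkdf2) and uses
# it instead of the VeraCrypt container the post recommends.
set -eu

# Encrypt $1 into $2 with AES-256-CBC. The key comes from the passphrase in
# file $3 via PBKDF2 (600000 iterations, random salt). The passphrase is read
# from a file, never passed as an argument, so it shows up neither in shell
# history nor in `ps` output. CBC gives confidentiality only: keep a separate
# checksum of the .enc file if you also need to detect tampering.
encrypt_export() {
    openssl enc -aes-256-cbc -salt -pbkdf2 -iter 600000 \
        -pass "file:$3" -in "$1" -out "$2"
}

# Decrypt $1 into $2 with the passphrase in file $3: the restore path you will
# need while the LastPass servers are unreachable.
decrypt_export() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 600000 \
        -pass "file:$3" -in "$1" -out "$2"
}

# Return 0 only if encrypted file $1 decrypts exactly to the original $2 with
# passphrase file $3. Run this before the plaintext export is deleted.
verify_backup() {
    tmp=$(mktemp)
    rc=1
    if decrypt_export "$1" "$tmp" "$3" 2>/dev/null && cmp -s "$2" "$tmp"; then
        rc=0
    fi
    rm -f "$tmp"
    return "$rc"
}

# Overwrite and remove the plaintext export. shred is GNU-specific; elsewhere
# plain sh can only rm, which is why the export should be made on an
# encrypted volume in the first place.
remove_plaintext() {
    if command -v shred >/dev/null 2>&1; then
        shred -u "$1"
    else
        rm -f "$1"
    fi
}

# Usage: ./backup_export.sh lastpass_export.csv passphrase.txt
# Writes lastpass_export.csv.enc and removes the plaintext only after the
# encrypted copy has been verified.
main() {
    export_csv="$1"; passfile="$2"; enc="$1.enc"
    encrypt_export "$export_csv" "$enc" "$passfile"
    if verify_backup "$enc" "$export_csv" "$passfile"; then
        remove_plaintext "$export_csv"
        echo "encrypted backup written to $enc; plaintext removed"
    else
        echo "verification failed, keeping plaintext $export_csv" >&2
        exit 1
    fi
}

if [ "$#" -eq 2 ]; then
    main "$@"
fi
```

The passphrase file deserves the same care as the export: keep it off the machine that holds the encrypted copy, or replace it with a passphrase typed at restore time (`-pass stdin`). Test the restore path once in calm weather, not for the first time during an outage.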
In an enterprise environment you will definitely have users who will not back up their LastPass account. And maybe that is even for the better: very likely, if you asked them to back up, you would get plain-text backups stored on multiple machines.
What can be done to improve enterprise backups?
First, there is a policy in LastPass Enterprise to implicitly share with the LastPass Enterprise administrator every password that is shared with anyone. This policy includes the shared passwords in the administrator’s backup as well. LastPass recommended this policy in their webinars, and I am passing the recommendation on to you.
Second, you need to rely on having a backup of the administrator password to a given resource. In that case you can reset the users’ access on the resource itself directly. Distributing the new password gets complicated, however, once your enterprise cloud password wallet is down.
Obviously, the passwords to third-party resources which are not shared still become inaccessible.
Good if it is “just” an outage. Much worse if one or more users, willingly or through a compromised machine, have actually deleted the passwords irreversibly.
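The two points above (only shared entries reach the administrator's backup; only non-resettable secrets are a real problem) can be checked against an actual export. The following is an added example, not the post's own code: a stdlib-only Python script that parses a LastPass CSV export and lists the entries that are both non-resettable (secure notes such as FDE passphrases and BIOS passwords, or pasted key material) and held in a single user's vault. It assumes the column layout `url,username,password,totp,extra,name,grouping,fav`, the pseudo-URL `http://sn` for secure notes and the `Shared-` prefix for shared folders; verify those against your own export. The sample export embedded in it is constructed and contains no real credentials.

```python
"""Audit a LastPass CSV export: which entries would be unrecoverable in an outage?

Added example, not the author's code. Assumptions (check them against your own
export): the column layout is url,username,password,totp,extra,name,grouping,fav,
secure notes carry the pseudo-URL http://sn, and shared folders have the
Shared- prefix in the grouping column.
"""
import csv
import io
from collections import Counter

SECURE_NOTE_URL = "http://sn"
SHARED_PREFIX = "Shared-"
# Markers of key material pasted into a note (PEM / OpenSSH blocks).
KEY_MARKERS = ("-----BEGIN ", " PRIVATE KEY-----")

# Constructed sample export; none of these are real credentials.
SAMPLE_EXPORT = """url,username,password,totp,extra,name,grouping,fav
https://git.example.com,alice,hunter2!,,,GitLab,Shared-Infra,0
http://sn,,,,"-----BEGIN OPENSSH PRIVATE KEY-----
AAAAB3NzaC1...
-----END OPENSSH PRIVATE KEY-----",Jump host key,Shared-Infra\\Keys,0
http://sn,,,,Passphrase: correct horse battery staple,Laptop FDE passphrase,Personal,1
https://vendor.example.com,bob,Tr0ub4dor&3,,,Vendor portal,,0
http://sn,,,,Rack 12 BIOS: 4f1x...,Rack 12 BIOS,Shared-Datacenter,0
"""


def parse_export(text):
    """Parse the export; quoted fields may span lines (pasted keys do)."""
    return list(csv.DictReader(io.StringIO(text, newline="")))


def is_shared(entry):
    """Shared-folder entries also land in the administrator's export (with the
    share-with-admin policy enabled); everything else lives in one vault only."""
    return (entry.get("grouping") or "").startswith(SHARED_PREFIX)


def classify(entry):
    """Tag an entry with the properties that matter during an outage."""
    tags = set()
    if entry.get("url") == SECURE_NOTE_URL:
        tags.add("secure-note")   # FDE passphrases, BIOS/HDD passwords, notes
    if any(m in (entry.get("extra") or "") for m in KEY_MARKERS):
        tags.add("key-material")  # an SSH key you may not have stored locally
    if not is_shared(entry):
        tags.add("not-shared")    # absent from the administrator's backup
    return tags


def audit(text):
    """Summarise the export and list entries that cannot be reset and exist in
    a single user's vault only: the 'really in trouble' case."""
    entries = parse_export(text)
    counts = Counter()
    at_risk = []
    for entry in entries:
        tags = classify(entry)
        counts.update(tags)
        if "not-shared" in tags and tags & {"secure-note", "key-material"}:
            at_risk.append(entry["name"])
    return {"total": len(entries), "counts": dict(counts), "at_risk": at_risk}


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], newline="").read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    report = audit(text)
    print(f"{report['total']} entries, tags: {report['counts']}")
    for name in report["at_risk"]:
        print(f"  not resettable and not shared: {name}")
```

Run it as `python3 audit_export.py lastpass_export.csv` on the administrator's export and on a user's own export; the entries it reports are the ones to move into a shared folder or to keep in an offline copy, and, as with the export itself, the file you feed it is plaintext and should only ever exist on an encrypted volume.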
Cloud services reliability and backup
Actually, this class of problems is typical for cloud services. Data loss is very much possible there; consider the erroneous deletion case.
We rely on the data loss protection of cloud services, sometimes too much. Organizations are sold by nice marketing on the idea that there is no need for administration in the cloud at all. Unlikely.
On the policy side, when choosing a cloud provider, I would pay attention to whether they allow an offline, local backup of all the account’s data. The ability to restore this data from the offline backup quickly and easily is also crucially important and is not a self-evident feature.
Moreover, it is nice to have a cloud solution which keeps working during a cloud or Internet outage. The LastPass outage happening now is the best illustration of it…
Once an offline-capable technology is preferred and selected, a regular and reliable backup strategy should be put in place. Maybe you know the 3-2-1 rule for backups: three copies of the data, on two different kinds of media, with one copy kept off-site?