Apr 16, 2014

Updating Passwords in the Wake of Heartbleed

With many online services now making the necessary security changes in the wake of Heartbleed, it’s time to start updating your passwords and improving your online security. Follow our steps to start using LastPass to update your passwords and better protect yourself going forward.

Before Getting Started


If you haven’t signed up yet, start by downloading LastPass, creating your account, and adding your sites to the vault.

LastPass will prompt you to import during the installer process. If any sites are stored in your browser, or a previous password manager, they can also be imported at any time by opening the LastPass browser icon, click the Tools menu, select Import, and select where you’re importing from. See our article for more information on importing to LastPass.

Getting Started


As a LastPass user, start by running the LastPass Security Check (click the LastPass Icon in your browser menu > Tools > Security Check).

This tool identifies potentially vulnerable passwords and tells you if it’s safe to start updating them.


For the sites that have the recommended action "Go update!", use LastPass to update the password to a new, generated one.

The security check will also identify weak and duplicate passwords. Prioritize updating those next, so that you have a strong, unique password for each online account.

Replacing Your Old Passwords


Using Gmail as an example, let’s walk through how to update a password using LastPass.

To begin, we’ll go to Gmail.com, login with our current username and password, and locate the Gmail settings page where we can update our password.

On the ‘Change Password’ page, we’re asked to enter the old password, as well as enter a new password twice.

In the current password field, we can click the * icon and select the existing login to fill that password:


Then, we click the "Generate" icon in the "New Password" field to create a random, unique password. If we want to add additional characters to the new password, we can click “Show Advanced Options”, update the settings, and generate a new password to use:


After clicking “Use Password”, LastPass fills both the “New Password” and “Confirm New Password” fields.

Since we are updating an account that is already stored in LastPass, we will see a dialog to either confirm we want to update the existing account, or save as a new account.


We’re going to select “Yes, Use for this Site” because we just want to update the account entry already saved by LastPass.

On the webpage, we’ll click “Save” to submit the account changes. Since we selected “Yes, use for this Site”, the change has also been saved in LastPass. It’s important that the save is made both on the website, and in LastPass, so that it is up-to-date in both places.

The next time you log in to your site, LastPass will autofill with the new, generated password!

Apr 9, 2014

LastPass Now Checks If Your Sites Are Affected by Heartbleed

Yesterday we informed our community of the Heartbleed OpenSSL bug. In our blog post, we explained how this security issue impacted our service and what our users should know about the situation. We also built a tool to help our users start checking to see if their sites and services had reissued their certificates, so that users would know if it was safe to start updating passwords for those sites: https://lastpass.com/heartbleed

To help our users take action and protect themselves in the wake of Heartbleed, we've added a feature to our Security Check tool. LastPass users can now run the LastPass Security Check to automatically see if any of their stored sites and services were 1) Affected by Heartbleed, and 2) Should update their passwords for those accounts at this time.

The LastPass Security Check can be run from the LastPass Icon menu. Click the LastPass icon in the browser toolbar, click the Tools menu, and select the Security Check.

In the Security Check results, we alert you to sites affected by Heartbleed:


We will continue to update the Security Check recommendations based on which sites we have seen take action and where it is safe to update your passwords. We'll monitor the situation in general and keep our community posted.

If you're not using LastPass yet, now is the time to get started with organizing and managing your passwords, and use our tools to generate new passwords for your online accounts.

Update: April 10th, 2:29PM ET

Many users are still concerned about what the Heartbleed situation means for their LastPass master passwords. To further clarify, we do not see a need at this time for existing LastPass users to update their master passwords. That said, if you would prefer to, there is no harm in doing so. We continue to update our LastPass Security Check tool to provide you the latest information regarding potentially-impacted sites. Thanks to our community for the feedback and input.

Apr 8, 2014

LastPass and the Heartbleed Bug

With news breaking on Monday, April 7th that the Heartbleed bug causes a vulnerability in the OpenSSL cryptographic library, which is used by roughly two-thirds of all websites on the Internet, we want to update our community on how this bug may have impacted LastPass and clarify the actions we’re taking to protect our customers.

In summary, LastPass customers do not need to be concerned about their LastPass accounts. Though LastPass employs OpenSSL, we have multiple layers of encryption to protect our users and never have access to those encryption keys.

What is the Heartbleed Bug?

The Heartbleed bug is a vulnerability in the OpenSSL cryptographic library that allows stealing of information normally protected by the SSL/TLS encryption used to secure the Internet. OpenSSL is open-source software that is widely used to encrypt web communications. SSL/TLS is what normally provides secure and private communication over the Internet via websites, email, IM, and VPNs. According to CNET, an attacker can exploit Heartbleed to essentially “get copies of a server's digital keys then use that to impersonate servers or to decrypt communications from the past or potentially the future, too.”

Heartbleed is being taken so seriously because OpenSSL is widely used, essentially no servers locally encrypt their data the way LastPass does, and it’s been exploitable for some time.

How does it affect LastPass?

LastPass utilizes OpenSSL for HTTPS/TLS/SSL encryption and we were therefore “vulnerable” to this bug. For anyone who was using this tool: http://filippo.io/Heartbleed/#lastpass.com to check whether LastPass was vulnerable, it would have shown that we were vulnerable until this morning, when we restarted our servers after the patched OpenSSL software update.

However, LastPass is unique in that your data is also encrypted with a key that LastPass servers don’t have access to. Your sensitive data is never transmitted over SSL unencrypted - it’s already encrypted when it is transmitted, with a key LastPass never receives. While this bug is still very serious, it could not expose LastPass customers’ encrypted data due to our extra layers of protection. On the majority of the web, user data is not encrypted before being transmitted over SSL, hence the widespread concern.

Also, LastPass has employed a feature called “perfect forward secrecy”. This ensures that when security keys are changed, past and future traffic also can’t be decrypted even when a particular security key is compromised.

Our next steps

This bug has been out there for a long time, so we have to assume our SSL keys could have been compromised. We requested a reissued certificate this morning, and plan to roll it out today, while we’ve already deployed the OpenSSL software update after restarting our servers this morning.

LastPass customers should not be affected by the certificate transition, we expect it to be seamless with no interruptions to service. 

Because other websites may not be encrypting data the way LastPass does, we recommend that LastPass users generate new passwords for their most critical sites (such as email, banking, and social networks) if those sites utilize Apache, Nginx or show as vulnerable to the Heartbleed bug. However, users should wait until their sites have replaced their certificates, with a start date after today (April 8th, 2014). For more information on replacing passwords with newly-generated ones, please see this article.

Thank you to our community for your vigilance, and we’ll provide further updates if there are any changes to the situation.

Update: April 8th, 4:46PM ET

We have built a tool to help LastPass users check whether other sites and services they use may have been affected by Heartbleed, you can check it out at: https://lastpass.com/heartbleed

The new SSL certificates for LastPass and Xmarks have been reissued as well.

Update: April 9th

LastPass now alerts you if the sites stored in your vault may be impacted by Heartbleed. See our new blog post for more details: http://blog.lastpass.com/2014/04/lastpass-now-checks-if-your-sites-are.html 

Update: April 10th, 2:29PM ET

Many users are still concerned about what the Heartbleed situation means for their LastPass master passwords. To further clarify, we do not see a need at this time for LastPass users to update their master passwords. That said, if you would prefer to, there is no harm in doing so. We continue to update our LastPass Security Check tool to provide you the latest information regarding impacted sites. Thanks to our community for the feedback and input.

Apr 7, 2014

How to Spring Clean Your Digital Life with LastPass


It’s finally (finally!) that time of year again, where we dust off the remnants of Winter and welcome the warmer weather and sense of possibility of Spring. Spring is a perfect time to pause and make those much-needed changes you’ve been procrastinating on, especially when it comes to your online security. If you’re like us and you spend a fair bit of time sitting at your desk at work, it’s a great time to clean up your workspace and take stock of your online security efforts. Here’s how to do that with LastPass.

1. Collect & store random bits of personal information. 

In the chaos of the workweek, it’s easy to accumulate little notes scattered all over - in Google Docs, in your Sticky Notes, in your calendar, scribbled wherever was convenient at the time. Find all those abandoned pieces of paper or digital clutter, get rid of what you no longer need, and enter any passwords into LastPass. If you have important PINs, codes, software keys, or other one-off pieces of data to store, create secure notes in LastPass to safely store and remember them.

2. Back up important documents, now.

It’s so easy to say “I’ll do it tomorrow”. Make a commitment to do it today. That way, if a hard drive crash, a stolen laptop, or a bad case of malware happens to you, you’ll be able to breathe a little easier knowing you still have what’s critical for you to recover and start over. In LastPass, use attachments in secure notes to back up scanned documents of your passport or driver’s license (especially before a trip!), to keep digital copies of important legal documents, and pretty much any other image, PDF, document, or Excel file you just couldn’t afford to lose.

3. Get rid of old accounts. 

If it’s been a while since you’ve actually looked at what’s in your LastPass account, you might be surprised to see just how much you've accumulated over the years. When you run the LastPass Security Challenge, located in the Tools menu of the LastPass icon menu, it’s easy to see just how many accounts you’ve racked up. Take a stroll through your vault, and start shutting down accounts that you just don’t use anymore - for example, forgotten forum registrations or sign-ups from one-off purchases. You’ll likely reduce your incoming mail, too! Once you unsubscribe or delete an account, you can delete it in your LastPass vault, too.

4. Keep making progress on those weak passwords.

If you ran the Security Challenge, you may also have seen LastPass flag any weak and duplicate passwords stored in your vault. Use this knowledge to change those passwords. Log in to the accounts that have bad passwords, find where you can manage your settings, and update your password to one generated by LastPass. For more information, check out our article on replacing old passwords with generated ones.

What steps are you taking this Spring to improve your online security habits?

Mar 25, 2014

Logging Into Android Apps Just Got Easier


We’ve been hard at work to bring the latest in login technology to our Android experience. We’re excited to announce that the LastPass app for Android now autofills logins for your mobile apps, as well as websites in Chrome for Android.

Our updated Android app, which is part of our Premium service, is now available at the Google Play Store. Note that the new feature is available for apps on devices running Android 4.1 and later, and for Chrome on devices running Android 4.3 and later. Note that on Android 4.1 and 4.2, LastPass cannot autofill into apps, and will show copy buttons instead, and some apps may require that you manually paste the data.

So what makes this new functionality so awesome? It brings the same LastPass experience you’re used to on the desktop to all of your mobile apps and Chrome. When you launch a mobile app, LastPass can now detect that a username and password field are shown, and hover with a prompt for you to select a matching login. The new functionality eliminates more typing and tapping, making the mobile experience that much more fluid.

How It Works

 


To get started, the latest release of LastPass needs to be installed on your Android device. Once you’ve logged into LastPass, you will be prompted to enable the new functionality.

Then, you can launch an app of your choice from your homescreen. Once that app is launched, LastPass will detect the username and password fields. A pop-up will be displayed, prompting you to select a matching login that is stored in your vault.


Or, the prompt lets you know that no matching logins are stored for that app. If LastPass can’t find a matching login for the app, it will let you search your vault.


If you find the site login you need after searching your vault, LastPass will store that association, so it will match the entry in your vault automatically next time you use that specific app.


We’re also crowdsourcing app associations! Share your association with other LastPass users, and benefit from others sharing theirs, so LastPass can match more apps with sites automatically. When you confirm an app association, you will see an option to share it with other LastPass users.

New to LastPass on Android? Our app can be trialed for free for 2 weeks, simply search for LastPass at the Google Play store on your device and login with your LastPass account to start the trial. We also support the Dolphin HD and Firefox mobile browsers with LastPass addons, both part of our Premium service as well.

If you’re ready to upgrade to LastPass Premium, you can do so at https://lastpass.com/premium.php at any time.

Mar 20, 2014

We're Headed to Interop. Get a LastPass Tshirt If You Are, Too!


The LastPass team is excited to be heading to the Interop Las Vegas 2014 Conference (April 1st - April 3rd), the leading independent technology conference and expo series designed to inspire and inform the world's IT community. As an exhibitor we’ll be setting up shop at Booth 644 (bathed in red, of course), where we’ll be chatting about cybersecurity, Identity Access Management, and LastPass Enterprise.

If you’ll be heading there, too, let us know and we’ll send you a LastPass Tshirt!* You can rock the LastPass red on the conference floor. Just forward your Interop confirmation email to marketing@lastpass.com and we’ll send one your way!

For those who stop by Interop Booth 644 to say hello, we’ll also be giving away an extended 3 month trial of LastPass Enterprise.

If you’re not familiar with LastPass Enterprise, it’s the same great LastPass experience with added features and capabilities optimized for teams. LastPass Enterprise provides a centralized and cost-effective password management platform for organizations, with the option to add SAML-based single sign-on for federated identity management of cloud applications. LastPass Enterprise helps teams and organizations better manage employee access, optimize day-to-day tasks, and protect critical assets, offering:
  • One master password for employees to remember
  • Secure authentication for any device, even BYOD
  • A centralized control panel for administrators and auditors
  • Streamlined directory integration and provisioning
  • Real-time on-boarding and off-boarding
  • Employees have what they need on day one of the job
  • Access can be revoked immediately if needed
Try LastPass Enterprise today for free: https://lastpass.com/enterprise and if you have any questions please send us a note: https://lastpass.com/enterprise/contact-sales/.

See you in Vegas!

*While supplies last.

Mar 13, 2014

Update to SSL Certificate Tomorrow

A heads up for the LastPass community: Our SSL certificate for LastPass.com is due to expire soon, so we plan to rotate a new one in shortly.

For those who are interested, it will continue to be a Thawte Extended Validation Certificate (EV).

This is a behind-the-scenes change, so LastPass users should not see any interruption in service or functionality. Any reports or concerns, though, can be posted in the comments below or directed to our support team.

Thanks for tuning in,
The LastPass Team

Feb 17, 2014

Kickstarter CEO Recommends LastPass After Hack

In the wake of a hack that appears to have affected customer data, Kickstarter CEO Yancey Strickler has strongly recommended that users not only change their Kickstarter account password, and update passwords for any other accounts using the same one, but also start using a password manager like LastPass for help with password security.

In a blog post published Saturday, February 15th, Strickler announced that hackers had obtained unauthorized access to Kickstarter, the popular crowdfunding platform. Kickstarter was contacted by law enforcement officials on Wednesday night, alerting them to the hack, and they subsequently locked down the service and sent an email to the user base notifying them of the incident.

No credit card data was known to be affected, but other customer information was: usernames, email addresses, mailing addresses, phone numbers, and encrypted passwords. Even though passwords were in an encrypted format, someone with enough computing power could try to guess and crack those passwords; weak and obvious passwords are most at-risk.

We applaud Kickstarter on taking the opportunity to mention how password managers can help customers recover from the hack. If any customers are using the same or similar passwords on other accounts, they should not only update their password on Kickstarter, but also log into other accounts and update their passwords there, too. LastPass can of course help manage this process.

For Kickstarter customers already using LastPass, you can go to the “Tools” menu of the LastPass icon and run the Security Challenge, which will tell you if you’re using your Kickstarter password elsewhere, and if you have any other weak or duplicate passwords that you should start changing.

You can help spread the word by recommending LastPass to friends and family (and earn Premium credit in the process!): https://lastpass.com/friendemail.php

For more tips on increasing your online security with LastPass, check out these other posts:

Your 3 Tasks for National Change Your Password Day
Start 2014 Right with These Security To-Do’s
Cybersecurity Tips for College Students (or anyone, really)

LastPass Updated with Performance Improvements

A LastPass update for all browsers is available. For most users, updates should go through automatically, though they can also be found on our downloads page here: https://lastpass.com/download

In the wake of our launch of LastPass 3.0, we’ve been working to make things faster and more powerful. Today’s release includes a number of bug fixes, performance enhancements, and fine-tuning of the product. For a full list of noted fixes and changes please see our release notes.

In addition, LastPass Premium users will enjoy some new features. On Android, the LastPass Premium app now supports the LastPass Security Challenge:


If you haven’t used this feature via the Tools menu of the desktop extension, the LastPass Security Challenge gives you a comprehensive overview of the data stored in your vault. The results identify all of your weak and duplicate passwords, and even alert you if your email address may have been involved in a breach, like Adobe’s in 2013. Now this great tool is at your fingertips!

Our Windows Phone users can also enjoy more multifactor authentication options with the LastPass mobile app, including Duo, Toopher, and Transakt by Entersekt.

We've got more changes in the works, so stay tuned!

Jan 31, 2014

Your 3 Tasks for "National Change Your Password Day"


Tomorrow, February 1st, is National Change Your Password Day (according to Gizmodo). We’re in full favor of any efforts to improve online security and spread awareness of the dangers of using the same passwords everywhere. So, it’s time to roll up your sleeves to make 3 positive changes for National Change Your Password Day:

1. Change the password of your primary email address.

The Yahoo attacks on January 30th show how critical this step is. Hackers attempted to use data from other breaches (such as the Adobe breach) to try to gain access to Yahoo email accounts, likely trying to leverage the email to access more critical accounts. Our email accounts are the keys to our digital world. Access to your primary email address could lead to the compromise of accounts like online banking or your online identity. That’s why it’s very important to keep your email address well-protected. With an unprecedented spree of hacks in 2013 and no signs of them slowing down in 2014, updating the password for your email address keeps you one step ahead. If you use the same password elsewhere, this is imperative. Follow our simple steps to generate a new one with LastPass.

Bonus task: Enable multifactor authentication for your email if you can.

2. Change your master password.

If you’ve been using the same master password for LastPass since 2009, time to update it. Over the years you may have logged in through friends’ computers, at hotel lobbies, at libraries, maybe at Internet cafes - any of these untrusted computers could have had malware or key logging software, putting your master password at risk. Check out our tips on creating a strong master password, and update it today by launching your LastPass vault from the LastPass icon, and open your “Settings” menu to enter a new one.

Bonus task: Enable multifactor authentication with LastPass.

3. Share this message!

You know about secure password management - but many people don’t. Please tell someone about using a password manager. Everyone should know that “improving their online security” is as easy as downloading a password manager like LastPass. With passwords centralized in one place (don’t store them in browsers!) and with a handy password generator to make unique, strong passwords, a password manager is the lazy way to rock your online life. What if those silly “bad password lists” were no longer a thing?

Well, it starts here, and you can be the change.