Oct 22, 2014

Open Sourced LastPass Command Line Application Now Available

There’s big news here at LastPass! We’ve released and open sourced a new command line client application. Whether you work as a developer, or in IT operations, or are just a tech-savvy LastPass user, our command line application makes it easier for you to get to data stored in LastPass on the terminal on Mac, Linux, and Windows under Cygwin.

The LastPass command line application brings both better security and convenience by allowing you to access, add, modify, and delete entries in your online LastPass vault, all from the terminal. You can also generate passwords for every server you use and securely store those passwords directly in LastPass. LastPass Enterprise features are supported as well, including Shared Folders.
 

Diving Into the Details


Users who prefer the command line can list their entries with “lpass ls”, then use “lpass show -c --password Sitename” to put the Sitename password on the copy buffer. You can use “lpass show” in scripts to fetch passwords stored in LastPass, rather than putting passwords in the scripts themselves. LastPass can also be used as you work within the command line to help you log in to servers. We’ve included some example scripts below.

The new tool is beneficial for LastPass users who want to use the command line to log in to other machines as they work. Examples such as contrib/examples/change-ssh-password.sh show automated password changing on a server. You could run it automatically on a nightly basis, regularly changing the password on the server as a security measure.
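The “lpass show” scripting pattern described above, as an added example (not code from this post or from the lastpass-cli repository). It assumes an existing “lpass login” session; the function names and the entry and tool names in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example: read a credential from the LastPass vault at run time
# instead of embedding it in the script. Assumes `lpass login` has already
# been run for this user. Function names are hypothetical.

# fetch_password ENTRY
# Prints the password field of ENTRY on stdout. Returns non-zero when the
# entry name is missing, the lookup fails (not logged in, unknown entry),
# or the stored password is empty, so callers never continue with "".
fetch_password() {
    if [ -z "${1:-}" ]; then
        echo "fetch_password: entry name required" >&2
        return 2
    fi
    fp_value=$(lpass show --password "$1") || {
        echo "fetch_password: lookup failed for '$1'" >&2
        return 1
    }
    if [ -z "$fp_value" ]; then
        echo "fetch_password: '$1' has an empty password" >&2
        return 1
    fi
    printf '%s' "$fp_value"
}

# run_with_password ENTRY CMD [ARGS...]
# Runs CMD with the password on its standard input. The secret is never
# placed in CMD's argument list (readable by other users through ps) or
# exported into the environment. printf is a shell builtin, so no helper
# process carries the secret in its arguments either.
run_with_password() {
    if [ "$#" -lt 2 ]; then
        echo "usage: run_with_password ENTRY CMD [ARGS...]" >&2
        return 2
    fi
    rwp_entry=$1
    shift
    rwp_secret=$(fetch_password "$rwp_entry") || return $?
    printf '%s\n' "$rwp_secret" | "$@"
    rwp_rc=$?
    unset rwp_secret
    return "$rwp_rc"
}

# Usage (hypothetical entry and tool names; the tool must read the
# password from stdin):
#   run_with_password "Servers/db-backup" backup-tool --password-stdin
```
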

The command line application is hosted on GitHub at https://github.com/LastPass/lastpass-cli where we will continue to develop it for further applications and uses. We’d be happy to accept pull requests for further examples and increased capabilities.

lpass, like git, is composed of several subcommands:


lpass login [--trust] [--plaintext-key [--force, -f]] USERNAME
lpass logout [--force, -f]
lpass show [--sync=auto|now|no] [--clip, -c] [--all|--username|--password|--url|--notes|--field=FIELD|--id|--name] {UNIQUENAME|UNIQUEID}
lpass ls [--sync=auto|now|no] [GROUP]
lpass edit [--sync=auto|now|no] [--non-interactive] {--name|--username|--password|--url|--notes|--field=FIELD} {NAME|UNIQUEID}
lpass generate [--sync=auto|now|no] [--clip, -c] [--username=USERNAME] [--url=URL] [--no-symbols] {NAME|UNIQUEID} LENGTH
lpass duplicate [--sync=auto|now|no] {UNIQUENAME|UNIQUEID}
lpass rm [--sync=auto|now|no] {UNIQUENAME|UNIQUEID}
lpass sync [--background, -b]

You can view the full documentation in the manpage, 'man lpass', or view it online.

Oct 17, 2014

Halfway There! Have You Improved Your Security This Month?


The past two weeks have quickly passed, and that means we’re now halfway through National Cyber Security Awareness Month. To kick off the month we challenged you to put your passwords to the test by running the LastPass Security Challenge and taking steps to improve your security score. That means generating new passwords to replace weak ones, or trying multifactor authentication, or updating your master password to an even stronger one. Have you made progress? You’ve still got two weeks, let’s see how high you can make your score!

https://lastpass.com/index.php?securitychallenge=1&lang=en-US&fromwebsite=1&lpnorefresh=1

And as we pause to think about ways we can better protect ourselves online, we’re sharing more tips below from STOP.THINK.CONNECT and StaySafeOnline.org, reminding you how to protect your data, your machines, and your community, this month and all year long:


Keep a Clean Machine

  • Keep security software current: Having the latest security software, web browser, and operating system are the best defenses against viruses, malware, and other online threats.
  • Automate software updates: Many software programs will automatically connect and update to defend against known risks. Turn on automatic updates if that’s an available option.
  • Protect all devices that connect to the Internet: Along with computers, your smartphones, gaming systems and other web-enabled devices also need protection from viruses and malware.
  • Plug & scan: USBs and other external devices can be infected by viruses and malware. Use your security software to scan them.

Protect Your Personal Information

  • Secure your accounts: Ask for protection beyond passwords. Many account providers now offer additional ways for you to verify who you are before you conduct business on that site.
  • Make passwords long and strong: Combine capital and lowercase letters with numbers and symbols to create a more secure password. (Hint: Use the LastPass password generator.)
  • Unique account, unique password: Having separate passwords for every account helps to thwart cybercriminals. (Hint: LastPass will remember each unique password for you.)
  • Write it down and keep it safe: Everyone can forget a password. Keep a list that’s stored in a safe, secure place away from your computer. (Hint: LastPass helps you securely manage your passwords & other important records.)
  • Own your online presence: Set the privacy and security settings on websites to your comfort level for information sharing. It’s ok to limit how and with whom you share information. 
 

Connect with Care

  • When in doubt, throw it out: Links in email, tweets, posts and online advertising are often the ways cybercriminals compromise your computer. If it looks suspicious, even if you know the source, it’s best to delete or, if appropriate, mark as junk email. 
  • Get savvy about WiFi hotspots: Limit the type of business you conduct and adjust the security settings on your device to limit who can access your machine. 
  • Protect your $: When banking and shopping, check to be sure the site is security-enabled. Look for web addresses with “HTTPS://,” which means the site takes extra measures to help secure your information. “HTTP://” is not secure.

Be Web Wise

  • Stay current. Keep pace with new ways to stay safe online. Check trusted websites for the latest information, share with friends, family and colleagues and encourage them to be web wise.
  • Think before you act: Be wary of communications that implore you to act immediately, offer something that sounds too good to be true or ask for personal information.
  • Back it up: Protect your valuable work, music, photos, and other digital information by making an electronic copy and storing it safely.

Be a Good Online Citizen

  • Safer for me, more secure for all: What you do online has the potential to affect everyone – at home, at work and around the world. Practicing good online habits benefits the global digital community.

Find a downloadable version of the above tips and more great resources at StaySafeOnline.org.

Oct 16, 2014

What Does Your Password Say About You?

A deeper dive into the passwords from the recent Gmail leak reveals some interesting psychology on why we choose the passwords we do. For one thing, the generated passwords are very easy to spot when you take a look at the data, because they’re so rare. That means most of us are still creating our own short passwords rather than using a password generator. And when we create those passwords, we default to words, phrases, or variations of familiar patterns, because they're easier to remember.

Check out what our follow-up analysis of the Gmail data reveals:

Oct 13, 2014

6 Ways to Lock Down LastPass on iOS


LastPass offers many security features to help you protect your account and be safer online. Did you know there are also mobile settings to help you better secure your LastPass app? Check out these 6 mobile security features for iOS today:

1. Use Multifactor Authentication


As we’ve mentioned before, multifactor authentication adds another layer of security to your LastPass account by requiring a second login step before allowing access to your vault. Usually this means entering a code or otherwise proving that you are who you say you are.


LastPass is compatible with many multifactor authentication options that are also available for mobile use. Apps like Duo Security, Toopher, Transakt, and Google Authenticator all install on your mobile device and allow convenient mobile access, while still maintaining the security benefits of running multifactor authentication with LastPass.

2. Add a Fingerprint Prompt with Touch ID



With the release of iOS 8, LastPass now supports Touch ID verification as an alternative to the master password reprompt on the iPhone 5S and 6. This means that when you turn on master password reprompt options, account-wide or on a site-by-site basis, you can use Touch ID as a replacement for entering the master password when using the LastPass Safari extension (and we continue to expand this new feature!). In situations where the app would prompt for the master password, you’ll instead be prompted to authenticate with your finger. For more on setting up and using this feature, check out our video tutorials.

3. Restrict Access to Specific Mobile Devices


Whenever you log in to the LastPass mobile apps, LastPass remembers that mobile device for you. On your desktop, you can see this list by opening your LastPass Vault, launching Settings, and viewing the Mobile Devices tab. Any smartphone or tablet you’ve used with the LastPass app will be listed there, with a unique identifier for each device.


LastPass then lets you restrict your logins on mobile devices to just that list. So, let’s say you have an iPhone and an iPad that you use regularly. After logging in to those devices, you could launch your account settings and check the option to restrict login to those two mobile devices only. If someone were to ever try logging in on another mobile device that isn’t on the list, they won’t be able to complete the login. And if a device is ever lost or stolen, you can disable it in your Mobile Devices settings, or you can delete it completely to remove it from the list of permitted devices.

4. Require a PIN Code when Returning to the App



In the LastPass iOS app, you can open the settings menu to toggle the “Use PIN Code” option. Enabling the PIN reprompt options allows you to protect your LastPass app by requiring a PIN code every time you multitask away from and then back to the app. It’s more convenient than constantly re-entering your master password, but more secure than leaving your app logged in and unprotected.

5. Logout Automatically When You’re Not Using the App



To ensure your LastPass app logs out when you’re no longer using it, you can go to the app’s settings menu to tap “Never logoff when idle” and set a time limit. If you’re using the app and then multitask away for a while, your session will end and you’ll be logged out when the designated amount of time has passed.

6. Safely Remove Data by Clearing the Clipboard

 


If you’ve been copy-pasting any data from the LastPass app to other apps on your phone, you can open the LastPass app settings to tap “Clear Clipboard”, to ensure that the last thing you copied will not be usable.

Try out these features today by downloading the LastPass app from the App Store, and subscribing to LastPass Premium.

Oct 9, 2014

LastPass Enterprise Is Now RSA Ready

https://lastpass.com/enterprise_overview.php


LastPass Enterprise, used by 8,000 companies to help employees manage passwords and secure logins, has joined the RSA Ready Technology Partner Program and now supports RSA SecurID as a second factor of authentication.

RSA SecurID is a “token” (hardware or software) that’s assigned to a user and generates codes at fixed intervals that are unique for that user. Until now, RSA SecurID has focused on internal system access. With the new integration with LastPass, companies can expand the benefits of RSA SecurID across all platforms.

By pairing SecurID with LastPass’ Enterprise password management system, companies can help lower the threat of password misuse, mitigate the risk of breaches, and improve compliance organization-wide.

Once RSA SecurID is enabled on a LastPass Enterprise account, users are first prompted for their LastPass login (their email address and master password) and are then asked to enter the RSA token code. Since new codes are constantly generated (typically every 60 seconds), user accounts are better protected from attacks.

Over 40 million people and 30,000 companies are already using RSA SecurID, providing the opportunity for many to maximize their investment by pairing RSA SecurID with LastPass Enterprise.

LastPass Enterprise administrators can configure RSA SecurID from the Enterprise Admin Console, and will need to open up RADIUS access to LastPass' servers.

Get started with a free trial today to see how LastPass Enterprise can help you and your team be more productive and secure, or reach out to our Sales team with any questions.

https://lastpass.com/enterprise_trial.php

Oct 8, 2014

Getting More Done on Android Has Never Been So Easy

With the LastPass app for Android, the only thing you have to worry about is your LastPass master password, and LastPass takes care of the rest.

Logging in to an app? LastPass fills it for you.
Browsing on Chrome mobile and need to login? LastPass fills it for you.
Have a fingerprint reader on your phone? Add it to LastPass as a PIN code alternative.

Everywhere you go, LastPass is there to streamline your mobile experience. See it in action:



For more details on how to set up and get started with these features, check out our video tutorial. (And if you're an Apple user, see our post here for great new features on iOS, too!)

Our latest update to the Android app supports Shared Folders for both LastPass Premium and LastPass Enterprise users. Universal access and real-time updates are a priority for us, and these new features give you easier on-the-go access to data and the ability to change settings at a moment’s notice.


You can open the “Manage Shared Folders” feature from the menu on the top right of the vault (or your device’s menu button). From there you can create new Shared Folders, add users to the Shared Folders, edit permissions, and remove users from the folders. Add logins to the folders by changing the "Folder" field in the site "edit" menu.

Shared Folders and the logins added to them will sync automatically to the vaults of any LastPass users given access to the Folders.

Other updates include changes to reduce the network and memory usage of the app, to help you save even more battery life on your smartphone.

And in addition to our existing support for the fingerprint readers on Samsung phones and tablets, we’ve also added support for the Synaptics fingerprint readers that other manufacturers are now adding to their phones, like the new XOLO Q2100.

The update is now available in the app store! The LastPass Android app is part of our Premium service for $12 per year and our Enterprise service for teams. Both have a free trial so you can check out the features first or upgrade today to sync LastPass to all of your mobile devices.

https://lastpass.com/go-premium

Oct 7, 2014

7 Ways to Make Your LastPass Account Even More Secure

So you know you should be using strong passwords to protect your online accounts. And you ran the LastPass Security Challenge to help you keep improving your passwords.

But did you know there are even more security features in LastPass that can help you better protect your account and the data you store in it? Check out these seven security features, and challenge yourself to enable at least one today:

1. Lock Down Your Account with Multifactor Authentication


Multifactor authentication, or two-factor authentication, requires that a second piece of information be entered before allowing access to your account. This essentially creates another barrier to entry if someone’s trying to gain unauthorized access to your account.


LastPass supports 10 multifactor authentication options, so choose the one that works best for your workflow and enable it in your LastPass Settings in your vault. If you have a smartphone, we recommend checking out Duo Security, Toopher, or Google Authenticator. For LastPass Premium users, we recommend checking out the YubiKey.

2. Restrict Access to A Specific Country



Lock down your account by only allowing access from a specific country or countries. For example, if you only ever login from the US, then you would restrict access to the US. Open the “Settings” menu in your LastPass vault to adjust your restrictions. If you plan to travel, just be sure to add any new countries before you leave, and remove them when you return!

3. Logoff Automatically When You’re No Longer Browsing


Keep your LastPass account safe from prying eyes by setting it to logoff automatically. In the LastPass browser extension icon, you can launch the Preferences menu to enable the autologoff options. You can set LastPass to logoff automatically after a set period of time when the browser is either closed or goes idle.

4. Reprompt for the Master Password 

 


LastPass can also prompt you for your master password when you take specific actions (viewing a password, editing secure notes, etc) or when you’re launching specific websites (such as banking or billing logins). The password prompts help protect your account from prying eyes, should someone start browsing while you’re still logged in to LastPass. Turn these prompts on in the LastPass Settings menu from your vault, or edit a specific login in your vault to reprompt on a site-by-site basis.

5. Monitor Account Activity with Security Notifications



LastPass can alert you to certain actions taken within your account, which can help you confirm changes you made as well as identify any unauthorized access to your data. In the Settings menu in your vault, go to the “Security” tab to manage your email preferences, where you can enable the alerts for master password changes, email address changes, site login username or password changes, and more.

6. Keep LastPass Activity Hidden with a Secret Email Address


Rather than have LastPass send critical account notifications to your primary email address, you can set up a secondary, secret email address that is only used as a security email for LastPass.


Once you add this email address in your Settings under the “Security” tab, this means that any sensitive notifications, such as those for account recovery or disabling multifactor authentication, will be sent to the security email address rather than your primary email address. So even if someone gets access to your primary email address, they won’t be able to login to LastPass if you’ve locked it down with a strong master password, multifactor authentication, and an obscure security email address.

7. Combat Keylogging with One Time Passwords


If you know you’ll be traveling or using an untrusted computer, like that in a library, hotel, or even at a friend’s, use a “throwaway” password to login to your account. The throwaway password, or one time password, works exactly like it sounds - the password that’s generated for you can only be used to login to your account once.


Generate the throwaway passwords by clicking the menu at the top right of your vault and launching the one time passwords page. You can generate as many as you need and print off the list to be carried with you. When you login at www.LastPass.com you can choose the One Time Password login option, and type in one of the OTPs. This protects you from keylogging by allowing you to bypass entering your master password with the secure one time password.

Oct 3, 2014

The Growth of Technology Comes with Increased Risk


Did you know that there are over 500 million victims of cybercrime a year? That means that every second, some 18 people are victims of cybercrime - and the numbers grow more alarming every year.

StaySafeOnline.org's infographic for National Cyber Security Awareness Month (#NCSAM) shows just how much the Internet has changed over the last decade. Computers and mobile devices have proliferated, and so has our reliance on web technologies. That trend has also spurred the growth of cybercrime into a multibillion dollar industry!

Click through the image below to see the infographic detailing the journey the Internet has taken, and where it's likely headed in the next few years.

Are your security practices keeping up? Be sure to take the #LastPassChallenge and put your passwords to the test!

http://staysafeonline.org/ncsam/resources/anniversary-national-cyber-security-awareness-month-infographic

Oct 1, 2014

Are You Ready to Put Your Passwords to the Test?

Do Heartbleed, Shellshock, and CyberVor ring any bells? How about the Target, Home Depot, and JPMorgan Chase breaches? All of these incidents compromised our security - putting our passwords, credit cards, and online accounts at risk of getting hacked.

October is here and that means National Cyber Security Awareness Month is back! Spearheaded by StaySafeOnline.org, NCSAM reminds us that cyber security is important and shows us how to keep improving our online security habits.

We want to make it as hard as possible for hackers to access your data. You wouldn’t leave your doors at home wide open and unlocked at all times, right? The data we use and store online should also be protected with strong locks.

Take the LastPass Security Challenge!


To kick off the month, take a pledge with us: Run the LastPass Security Challenge, and pledge to make your score better. Or, if you're not using LastPass, download it now and add your accounts so you can take the Security Challenge.

https://lastpass.com/index.php?securitychallenge

Improving your passwords = improving the strength of the locks you use to keep your information safe.

The LastPass Security Challenge performs an “audit” of your passwords, highlighting weak or duplicate passwords, and alerting you if your accounts may have been affected by a breach at another website.

The challenge will help you measure progress as you work to randomize your passwords and implement better security with LastPass. Just open your LastPass browser extension menu, and launch the Security Challenge from the Tools submenu.

Take a snapshot of your score and use #LastPassChallenge to share your pledge with us. How high do you think you can get that score by the end of the month? Let’s find out!

Stay tuned for more great tips and action items over the coming weeks. And if you’re not using a password manager yet, get started today by creating an account, adding your passwords, and improving them with the LastPass Security Challenge. 

https://lastpass.com/download

Sep 26, 2014

What You Need to Know About the Shellshock Bash Bug


A newly discovered security vulnerability dubbed the “Shellshock bug” could be more widespread and damaging than Heartbleed.

What is the Shellshock Bash Bug?


Bash, a Unix shell typically used on Mac, Linux, and Unix systems, has had flaws that allow someone to trick Bash into doing things it’s not supposed to do, like running programs or modifying data.

The bug could affect any network or website that relies on Unix and Linux operating systems, including Mac OS X. Though you may be running Windows, most web servers on the Internet run on some variant of Unix, so your business or the services you use on a daily basis are likely to run these platforms. In short, the Shellshock bug puts untold millions of computer networks and consumer records at risk of compromise.

By exploiting the Shellshock bug, an attacker can essentially have full access to that server. Since the attacker could take any action that the web server itself could take, the consequences could be disastrous: the compromise of a database, access to files, access to source code, data being deleted, data being changed, running programs, and, perhaps worst of all, deploying malware to compromise the system. This is far worse than Heartbleed, which could reveal data from server memory but didn’t allow direct action on a machine.

Is LastPass Affected?


No, LastPass is not vulnerable to the Bash bug. LastPass does not use Bash on web-exposed interfaces, and we’ve applied the latest patches as well.

We have seen evidence of attempts to exploit the bug on LastPass systems, unsuccessfully. Other companies and researchers have reported observing the same, indicating it’s likely other web services and networks are at risk.

Is There a Fix?


Yes, there’s a patch for most Linux systems, though Apple has yet to release a fix for Mac OS X. The initial patch making the rounds Wednesday was not an effective fix, so the patch should be reapplied. Those managing computer systems should update their networks and machines with the proper patches as they’re released.

What Should You Do?


At the moment, LastPass customers and others should avoid using open, unsecured WiFi if using Mac OS X, until Apple releases a patch. Linux desktop users should update their systems as soon as possible. Windows desktop users are unaffected.

If other services you use indicated they were patched, you can update your passwords and proactively monitor for signs of breach, such as things installing to your machine without action on your part, or suspicious activity on your online accounts.

And if you’re not yet using a password manager, now’s a good time to start. By using a different password for every online account, you make it much more difficult for someone to compromise your most critical online accounts and your personal identity.

https://lastpass.com/download

Update: Tuesday, September 30th


Apple has now released patches for the "Shellshock" Bash bug that affected Mac OS X. The update should be available from your computer's Software Updates, or you can download the patches directly from Apple here:

OS X Mavericks: http://support.apple.com/kb/DL1769
OS X Mountain Lion: http://support.apple.com/kb/DL1768
OS X Lion: http://support.apple.com/kb/DL1767