Sep 17, 2014

Get LastPass for iOS 8 Today!

The LastPass app for iOS 8 is here! As we announced last week, our updated app now fills your web logins with our new LastPass extension for Safari, and offers Touch ID integration for an even easier mobile authentication experience.

Today, we’re excited to introduce you to these new features and show you how they work:

With this app update, we’re introducing a mobile experience that’s much more in line with our vision: one that’s faster, simpler, and more powerful than ever on iOS.

Once you’ve updated your device to iOS 8, getting started with the new LastPass extension in Safari and the Touch ID integration requires a few simple setup steps:

The one-time setup steps include enabling Touch ID in the LastPass app and toggling the LastPass extension in Safari; please refer to our user manual for a more detailed walk-through.

Grab these new features by downloading or updating the LastPass app from the App Store after you’ve upgraded to iOS 8. A free 2-week trial is available for the LastPass app before upgrading to LastPass Premium for unlimited mobile sync.

Sep 16, 2014

The Scary Truth About Your Passwords: An Analysis of the Gmail Leak

A detailed analysis of last week's leak of 5 million Gmail logins reveals some alarming statistics. The infographic below takes a look at the reality of our bad password practices, highlighting the ongoing use of weak, dictionary-based passwords that are leaving us vulnerable:

If you're not using a password manager, now's the time to download LastPass and get started today!

Sep 12, 2014

Were Your Google Credentials Leaked?

Early on Tuesday, Google announced that as many as 5 million usernames and passwords associated with Gmail accounts had been leaked. It is unclear how many of them are current rather than outdated credentials. According to Google’s blog post, “less than 2 percent of the username and password combinations might have worked.”

Visit our email look-up tool to see if your account was part of the leaked data.  

We strongly suggest that you take this opportunity to change your Gmail account password and generate a new, strong password using LastPass. To protect our users, the accounts of those who reused their LastPass master password as their Gmail account password have been temporarily deactivated. For your security, it is very important never to use your LastPass master password for any other login.

If you’ve experienced trouble with your account, please contact LastPass Support so we may assist you in reactivating your account and creating a new, stronger master password.

Be Secure,

Sep 8, 2014

Introducing LastPass for iOS 8.

Following Apple’s announcement of iOS 8 in June, we’ve been hard at work to bring the platform’s new security and authentication features to the LastPass mobile experience. Now with the impending release of the platform, we’re thrilled to announce the LastPass app will be available for iOS 8 with Touch ID integration and a Safari extension for automated web logins. This marks a tremendous shift in our ability to bring a seamless login experience to LastPass users on iOS.

The LastPass Safari Extension

iOS 8 now allows third-party apps like ours to integrate directly into Safari as an extension. Once enabled in the browser, LastPass can fill web logins instantly without the user ever leaving Safari. The extension gives direct access to the LastPass vault, so you can use stored logins or save new accounts in fewer steps.

Touch ID Integration

With the release of the iPhone 5S, Apple launched Touch ID, a new fingerprint identity sensor for authenticating on iOS. By touching the Home button, the sensor reads your fingerprint, allowing you to unlock your phone and authorize other actions on your device.

You also have the option to enable Touch ID to unlock your LastPass vault and access your stored accounts, in place of typing your master password on the device. While browsing in Safari and launching the LastPass extension, you respond to the Touch ID prompt to authorize LastPass to fill a web login.

A New Mobile Experience

Together, the LastPass Safari extension and the Touch ID integration allow us to provide a more streamlined, secure authentication experience for our iOS users. We hope to see Apple continue in this direction and provide even more flexibility for third-party security providers on iOS.

You’ll be able to grab the LastPass app from the App Store within the next few weeks, and we'll soon have demonstrations of how these new features work in the LastPass app. Note that the iOS app is part of our LastPass Premium service for $12 per year.

Aug 28, 2014

Worried About the JPMorgan Chase Hack? 6 Steps to Take Now

News broke that US law enforcement is investigating a hack of JPMorgan Chase and four other financial institutions. Though it remains unclear what was compromised and how it affects consumers, the sophisticated cyber attack appears to have resulted in the loss of sensitive information, including account information.

Given the potential scope of the hack, our recommendation is to be as proactive as possible. Take action now and practice good online security habits so you can mitigate the fallout from this cyber attack and be better prepared going forward.

Here are 6 actions we recommend taking today:

Change Your Passwords, Now.  

Go directly to the websites of any financial institution where you have an online account, starting with JPMorgan Chase if applicable, then any banks, investment accounts, employee benefit accounts, and others that house financial assets. Use the password generator in LastPass to create a new, strong password for each of these accounts, saving the new password to LastPass as you submit the change on the website.

Use a Unique Master Password for Your Password Manager.  

Your LastPass Master Password should be a unique password that you do not reuse on any of your other online accounts. If you’ve used your Master Password for other accounts, now’s a good time to change it.

Avoid Clicking Questionable Links. 

Phishing attacks are a common way to get you to divulge sensitive information. If you receive an email to reset your bank’s password, just open a new tab or window in your browser and enter the web address for your bank, logging in there directly rather than clicking through the link.

Check Your Security Challenge Results. 

The LastPass Security Challenge gives you a comprehensive report on your password hygiene so you know where to take action. Located in the Tools menu of the LastPass browser icon, the Security Challenge alerts you to any weak or duplicate passwords, and tells you if any of your accounts were known to be affected by hacks of other online services - including this latest hack of JPMorgan Chase.

Enable Credit Monitoring. 

There are a range of credit monitoring and identity fraud detection services on the market. In LastPass, you can set up a Form Fill Profile and enable free credit monitoring alerts to receive real-time notifications if there’s any activity on your credit report. Should you be alerted to suspicious activity, you can request your free annual credit report.

Monitor Account Activity. 

Remain vigilant and watch for suspicious activity on your accounts, especially your financial, email, and social networking accounts. Watch for transactions you didn’t approve, emails you didn’t send, and posts you didn’t make; any of these could be an indication of unauthorized access to your accounts.

With an increasing number of cyber attacks affecting consumers, it’s more important than ever to be vigilant in protecting your identity and digital life, and to manage your passwords with the same care and diligence that you would the keys in your physical life.

Aug 26, 2014

LastPass Update for Android Prepares for Chrome Mobile Changes

We’re excited to announce that we have released an update to our Android app with improvements to our app autofill feature to accommodate changes that Google Chrome mobile will be rolling out in the next few weeks. For our Premium users, this means you will continue to be able to directly autofill logins in Chrome mobile!

For those of you who have been running Chrome Beta on your Android devices, you likely noticed that a recent update to the browser disabled LastPass’ ability to autofill directly into the browser and complete your logins for you. In an effort to enforce stricter security policies, Google has moved to disable JavaScript injection in Chrome mobile, which LastPass relied on to automatically fill in your credentials as you logged in to websites in the mobile browser.

After diligent work in investigating the new architecture, we have been able to update our functionality to be compatible with Google Chrome’s changes. LastPass will still be able to detect when you’re on a login page while browsing on Google Chrome, and you can continue to autofill usernames and passwords directly into the login fields with the LastPass prompts. You’ll continue to benefit from the ease of one tap to securely log into a site.

The update is now available in the Google Play Store. If you are interested in trying the LastPass Android app you can download it and try it out for 2 weeks for free. The upgrade to LastPass Premium is $12 per year for unlimited mobile sync and access to other Premium features.

Aug 25, 2014

Sharing Now Available in LastPass Android App

We’re excited to announce that LastPass for Android users can now use the password and note sharing feature directly from Android devices. You can take full advantage of the secure sharing of sensitive information between LastPass users even while you’re on the go.

Partners, family, and friends co-managing online accounts, such as financial accounts or your TV streaming service, will be able to take advantage of easily sharing access to those logins.

This feature also allows you to send other LastPass users private information saved within LastPass Secure Notes. Passport numbers, PIN codes, bank account numbers, or any information stored and shared within a note are encrypted and securely synced.

From your vault, you can tap on a site or note name, and select "Share". For sites, you can choose whether or not you want the recipient to be able to view the password. You'll be prompted for the email address of the LastPass user you want to share with, and once sent the login or note will be synced between both vaults.

Think of it as a secure alternative to texting or emailing your sensitive personal information.

The updated Android app, which is included in the LastPass Premium service for $12 per year, is now available on the Google Play Store. Users can try the Premium service for free for two weeks.

Aug 15, 2014

The LastPass Team Accepts the Ice Bucket Challenge

The LastPass Team has accepted the ALS #IceBucketChallenge and donated in honor of our dear friend's father, George Vasiloff.

You may have seen the Ice Bucket Challenge making the rounds on the Internet and the media. In an effort to raise awareness for ALS, also called Lou Gehrig's disease, people are recording themselves getting doused with buckets of ice water and then challenging others to do the same.

We have challenged our friends at CustomInk and SpiceWorks! They have two business days to complete the challenge and donate to the ALS Association.

We also encourage our community to consider supporting this cause. ALS is a progressive neurodegenerative disease that affects nerve cells in the brain and the spinal cord. To learn more, visit

A big thanks to Capital Audio Post and the Mosaic District in Fairfax, Virginia for their help in completing this project.

This was a special experience for the LastPass Team and we're proud to have had the opportunity to participate in the cause!


Aug 12, 2014

Update on LastPass Connectivity Errors

At 3:57 Eastern Time this morning, one of the data centers that LastPass relies on went down. Our team immediately took action to migrate LastPass to run entirely on a different data center. As a result, many users experienced connection errors with the LastPass service, which has been intermittently unavailable throughout the morning. We have been engaged with our data center provider the entire time to resolve the issues. Please note this does not impact the security of your data.

We are doing everything we can to mitigate the impact and resolve the situation as quickly as possible, and apologize for the inconvenience caused. We strongly recommend that users log in through the browser extensions to access their vault; most users should have access there, though some may still see warnings that they are in “offline mode”.

We will continue to update our user base and appreciate your patience.

Update: 1:28 pm EDT

Though one of our data centers remains completely down, the service is generally stable and should be available to the majority of users (with the exception of login favicons). Some users may see connection errors but should still be able to access their data. We continue to work as quickly as possible to get the service back to 100%.

Update: 4:13 pm EDT

Most users should now be able to connect to LastPass browser extensions and without errors, though favicons still may not sync. We continue to closely monitor the situation.

August 13, 2014: Post Mortem of Yesterday’s Outage

As noted in our original post, on August 12th, 2014 a data center that LastPass relies on went down around 4 am Eastern Time. Below, we have outlined the timeline of events as they unfolded at the data center and with the LastPass service at large.

We again sincerely apologize for the inconveniences caused, and want to assure our community we are moving forward stronger than before, as we remain deeply committed to the security and reliability of our service for our users.

Joe Siegrist
CEO of LastPass

Summary of Events

The majority of users were unaffected due to having proper redundancy in place to deal with the loss of a data center, as well as the built-in offline access via the LastPass browser extensions. However, during our efforts to scale at the secondary data center to ensure sufficient capacity at peak of the day, we inadvertently worsened the situation through human error. Our team certainly has takeaways from the experience and will be implementing changes going forward, as detailed in the concluding statements below.

We did receive a full RFO from our data center confirming that the BGP routing table issues affecting other companies yesterday played a role as well. For more, see:

Timeline of Events (EDT)

3:50 am - We detected extreme latency and packet loss between one of our data centers and most major networks, including inter-connectivity with the other data center.

3:54 am - Our monitoring system detected the situation as critical and paged two operators.

4:00 am - We contacted our data center provider regarding the issue we were experiencing with their service.

5:00 am - With no update from our impacted data center provider, we switched from two data centers to run entirely on the second data center and disabled the affected data center.

6:00 am - We noticed that IPv6 had suddenly started working at the now-disabled data center, making it clear to us that major networking changes were being made.

7:00 am - Our report was escalated by the impacted data center provider.

8:00 am - We determined that the outage would likely be extended, so we executed on a plan to add some spare machines into load balancing at the second data center to ensure we would have plenty of spare capacity at the peak of the day.

8:15 am - We began to receive alerts of intermittent connectivity issues at our second (now only) data center.

8:30 am - A small percentage of users reported logout errors that prevented them from utilizing offline mode.

9:00 am - We continued trying to work with our impacted data center provider, but received no updates on the situation or information on resolution.

9:30 am - Latency and connectivity issues increased at the second (now only) data center, which we began investigating.

10:00 am - We received acknowledgement from our impacted provider that this was a widespread problem, and they indicated they would reload the core routers. They noted that it might be an extended outage.

10:30 am - The impacted data center's network went completely down.

12:00 pm - We tracked down the source of an issue at the second data center, in which 3 machines we had added were running at 100Mbps instead of Gigabit (despite having Gigabit cards and being connected to Gigabit switches) and were network saturated.

12:45 pm - We resolved the issue with the 3 additional machines, and fully restored service still running on the second data center only, though favicons remained disabled.

2:15 pm - Impacted provider indicated they were fully online, though those machines remained unreachable for us.

2:30 pm - We authorized the impacted data center staff to reboot our networking equipment, with no effect.

3:30 pm - We discovered the underlying reason some users were being logged off immediately after login, and resolved it.

3:45 pm - Members of our team arrived at the impacted data center, and verified that our networking equipment was still down.

4:15 pm - We completed a swap to spare equipment, bringing the impacted data center back online.

8:45 pm - We completed testing and confirmed that replication to the secondary data center looked good, and were fully restored with both data centers active again.

Conclusions & Lessons Learned

As a result of yesterday’s events, we have formed the following key takeaways and action steps:

  • We have moved our status page to be hosted outside our network, since it was inaccessible for periods of time.
  • In an effort to gather more detailed information for our community, we delayed communicating about the situation. Going forward, we will share what information we have, however sparse, and work to update the community from there, via the blog, the status page, our social accounts, and email where appropriate.
  • Our monitoring checks now verify port speed. The check walks every interface that is up, skipping loopback and tunnels, and reports the speed ethtool sees:
for i in $(ip addr show | grep UP | grep -Ev 'tun[0-9]+:|lo:' | awk -F': ' '{print $2}'); do
    printf '%s ' "$i"; ethtool "$i" | grep 'Speed:'; done
  • We are considering moving to another data center provider.
  • In an effort to improve the situation, we worsened it through our actions; we will be more cautious about taking preventative actions while running on a single data center.
  • We're moving to a hosted model for DNS that includes external service checks.
  • Though we designed some systems to be 'non-critical', such as favicons for sites, we'll be improving our systems to minimize visual disruption during a massive outage.
  • A small number of users were impacted by an inability to access the service offline; we continue to investigate and test this.
  • We will be implementing more disaster and redundancy tests of our systems to better prepare for a catastrophic, single data center scenario. 
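Printing the speed is only half of a monitoring check; the 100Mbps machines in the timeline above would have been caught sooner by a check that compares the negotiated speed against what the port should be running at and fails loudly when it is lower. The script below is an added example, not LastPass's own monitoring code. It assumes Linux `ip` and `ethtool`, whose output contains a line such as "Speed: 1000Mb/s" (or "Speed: Unknown!" when there is no carrier); the function names and the ETHTOOL override variable are hypothetical and exist so the check can be exercised against canned output.

```shell
#!/bin/sh
# Added example (not LastPass's own check): fail when any active NIC has
# negotiated below the expected link speed. Assumes Linux `ip` and `ethtool`
# output containing a line like "\tSpeed: 1000Mb/s" or "\tSpeed: Unknown!".

# Read ethtool output on stdin; print the negotiated speed in Mb/s (0 if unknown).
speed_mbps() {
    awk -F': ' '/^[[:space:]]*Speed:/ {
        sub(/Mb\/s.*/, "", $2)
        if ($2 ~ /^[0-9]+$/) print $2; else print 0
        exit
    }'
}

# Active interfaces, minus loopback and tunnels (the same filter as the
# one-liner in the lessons-learned list), space-separated.
active_interfaces() {
    ip -o link show up | awk -F': ' '{print $2}' | grep -Ev '^(lo|tun[0-9]+)$' | tr '\n' ' '
}

# check_link_speeds "eth0 eth1" 1000
# Returns 0 if every named interface runs at >= the expected Mb/s, otherwise
# prints one CRITICAL line per slow (or unreadable) interface and returns 1.
# ETHTOOL may be overridden so the check can be run against canned output.
check_link_speeds() {
    expected=$2
    rc=0
    for ifc in $1; do
        actual=$("${ETHTOOL:-ethtool}" "$ifc" 2>/dev/null | speed_mbps)
        actual=${actual:-0}
        if [ "$actual" -lt "$expected" ]; then
            echo "CRITICAL: $ifc negotiated ${actual}Mb/s, expected ${expected}Mb/s"
            rc=1
        else
            echo "OK: $ifc ${actual}Mb/s"
        fi
    done
    return $rc
}

# Invoke as a monitoring check: sh link_speed_check.sh run [expected_mbps]
if [ "${1:-}" = "run" ]; then
    check_link_speeds "$(active_interfaces)" "${2:-1000}"
fi
```

A non-zero exit is what a Nagios-style scheduler pages on, so an interface that ethtool cannot read at all is treated as failing rather than silently skipped; a newly racked machine with the wrong negotiation, like the three added during the outage, would then alert before it took traffic.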

Aug 6, 2014

The CyberVor Data Breach: What You Need to Know

News broke on August 5th that Hold Security, an information security and investigations company, discovered a Russian cybercrime ring that had amassed over 4.5 billion consumer records. According to the New York Times, the records mostly consisted of stolen login credentials (usernames and passwords) accumulated from over 420,000 websites, containing over half a billion unique email addresses. The cybercrime ring was dubbed “CyberVor”, Vor meaning “thief” in Russian.

While some sources remain skeptical of the details, news of the "CyberVor breach" has caused widespread concern. Allegedly, "CyberVor" used stolen credentials from the black market to distribute malware and build a botnet, then exploited vulnerabilities in websites big and small in order to gather more data.

As we monitor the situation and ascertain the authenticity of the details, we highly recommend using our steps below to mitigate any potential impact of the CyberVor breach and to increase your password hygiene. While your LastPass account is not affected, if you have reused your master password on any other sites it is absolutely critical that you update it now (via the LastPass vault in the "Settings" menu).

Mitigating the Impact of the CyberVor Breach

Start using a password manager. If you are not yet using LastPass or a password manager, we advise getting started immediately. Using a password manager centralizes your logins and passwords in one, secure place. Many people are surprised by just how many passwords they have once they pull what they have saved in their browsers into a password manager. A password manager also makes it easy to follow best practices with passwords and online security.

Run the Security Check. The LastPass Security Check identifies any weak or duplicate passwords, tells you if any sites were affected by Heartbleed, and gives you an overall “security score” so you can understand how you’re progressing with your password security. To run it, click the LastPass icon in your browser toolbar, then under the “Tools” sub-menu select the “Security Check”.

Replace duplicate passwords with generated ones. After running the Security Check, you’ll know which sites have weaker passwords, and you can start updating them. Begin with the most important sites - financial, email, and social. You can launch the site straight from the security check and login, then go to your account settings page on that website, and use LastPass to replace the old password. Repeat for all sites using weak, duplicate, and old passwords. Learn more.
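What the Security Check (and the Security Challenge in the JPMorgan Chase post above) actually does for a vault is mechanical enough to show in code: flag dictionary and low-entropy passwords, group sites that share a password, catch reuse of the master password, and hand back a CSPRNG-generated replacement. The script below is an added example written for this page, not LastPass's own Security Check code; the vault entries, the wordlist, the .example domains, the 50-bit threshold and the function names are all constructed assumptions.

```python
"""Vault hygiene audit, added here as an example (not LastPass code).

Flags what the Security Check described above looks for: weak and dictionary
passwords, passwords reused across sites, and reuse of the master password,
and generates CSPRNG replacements. The vault and wordlist are constructed.
"""
import math
import secrets
import string
from collections import defaultdict

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"

# Constructed stand-in for a real dictionary / breach wordlist.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "monkey"}

# Constructed sample vault; every site is a hypothetical .example domain.
VAULT = [
    {"site": "bank.example", "username": "alice", "password": "password123"},
    {"site": "mail.example", "username": "alice", "password": "password123"},
    {"site": "broker.example", "username": "alice", "password": "correct horse battery staple"},
    {"site": "stream.example", "username": "alice", "password": "letmein"},
    {"site": "shop.example", "username": "alice", "password": "xK9#mQ2vL!p7Rz$4Wb8n"},
]
MASTER_PASSWORD = "correct horse battery staple"  # also used on broker.example


def entropy_bits(pw: str) -> float:
    """Upper-bound strength estimate: len * log2(pool), pool from the classes used.
    This overrates structured passwords, so it is paired with the wordlist check."""
    pool = 0
    for cls in (LOWER, UPPER, DIGITS):
        if any(c in cls for c in pw):
            pool += len(cls)
    if any(c not in LOWER + UPPER + DIGITS for c in pw):
        pool += len(SYMBOLS)
    return len(pw) * math.log2(pool) if pool else 0.0


def is_dictionary_password(pw: str) -> bool:
    """True for a wordlist entry, also with trailing digits/punctuation ("password123")."""
    base = pw.lower().rstrip(DIGITS + string.punctuation)
    return pw.lower() in COMMON_PASSWORDS or base in COMMON_PASSWORDS


def audit_vault(entries, master_password, min_bits=50):
    """Return sites with weak passwords, groups of sites sharing one password,
    and sites whose password equals the master password. The report never
    contains a plaintext password."""
    sites_by_password = defaultdict(list)
    weak, master_reused = [], []
    for e in entries:
        pw = e["password"]
        sites_by_password[pw].append(e["site"])
        if pw == master_password:
            master_reused.append(e["site"])
        if is_dictionary_password(pw) or entropy_bits(pw) < min_bits:
            weak.append(e["site"])
    duplicates = [sites for sites in sites_by_password.values() if len(sites) > 1]
    return {"weak": weak, "duplicates": duplicates, "master_reused": master_reused}


def generate_password(length: int = 20) -> str:
    """CSPRNG password over all four classes; resample until each class is present."""
    alphabet = LOWER + UPPER + DIGITS + SYMBOLS
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in (LOWER, UPPER, DIGITS, SYMBOLS)):
            return pw


if __name__ == "__main__":
    report = audit_vault(VAULT, MASTER_PASSWORD)
    for site in report["weak"]:
        print(f"weak password: {site}")
    for group in report["duplicates"]:
        print(f"same password on: {', '.join(group)}")
    for site in report["master_reused"]:
        print(f"master password reused on: {site}")
    print("replacement candidate:", generate_password())
```

On the constructed vault this reports bank.example, mail.example and stream.example as weak, the first two as sharing a password, and broker.example as reusing the master password. The entropy figure is deliberately only a ceiling; "password123" would score about 57 bits on character classes alone, which is why the wordlist check is what catches it.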

Turn on multifactor authentication.
Multifactor authentication adds another security layer to your account by requiring that you confirm “something you have” (like a Google Authenticator code) after submitting “something you know” (your LastPass email address and master password). LastPass supports 10 multifactor authentication options, giving you the flexibility to choose one that suits your work flow best. Learn more.
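The "something you have" in that description, a Google Authenticator code, is a time-based one-time password: the server and the phone share a secret and each derives a six-digit code from it and the current 30-second window. The verifier below is an added example for this page, not LastPass's implementation. It uses the RFC 4226/6238 reference secret as constructed input, and the replay guard (`last_step`, which a server would persist per user) and the function names are this example's own design.

```python
"""TOTP (RFC 6238) verifier, added as an example of the "something you have"
factor described above. Not LastPass code; the RFC reference secret is the
constructed input."""
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: int, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(key, at // STEP_SECONDS, digits)


def key_from_base32(secret: str) -> bytes:
    """Authenticator apps hand out the shared secret as (usually unpadded) base32."""
    s = secret.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def verify_totp(key: bytes, code: str, at: int = None, window: int = 1,
                last_step: int = -1, digits: int = 6):
    """Return the time step the code matched, or None.

    `window` accepts neighbouring steps to tolerate clock drift; the comparison
    is constant-time; any step <= `last_step` (the last accepted step, which
    the server must persist) is rejected so a sniffed code cannot be replayed."""
    at = int(time.time()) if at is None else at
    now_step = at // STEP_SECONDS
    for delta in range(-window, window + 1):
        step = now_step + delta
        if step <= last_step:
            continue
        if hmac.compare_digest(hotp(key, step, digits), code):
            return step
    return None


if __name__ == "__main__":
    # RFC 6238 test secret "12345678901234567890", as it would appear in an enrolment QR code.
    key = key_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print("current code:", totp(key, int(time.time())))
```

With `window=1` a code is accepted for roughly 30 seconds on either side of its window, which covers typical phone clock drift without widening the guessing surface much; the replay check is what keeps a code that was phished or shoulder-surfed from being used a second time inside that window.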

Online security is about mitigation and remaining proactive. The protection of your online identity is in part dependent on utilizing strong, unique passwords for all of your online accounts. Just like you wouldn't give your one house key to someone you don't trust, don't give the same password to every website you use. By replacing weak and duplicate passwords, using multifactor authentication, and centralizing your accounts with a password manager, you’ll help mitigate the potential impact of this massive data breach and others in the future.