Aug 28, 2014

Worried About the JPMorgan Chase Hack? 6 Steps to Take Now

News broke that US law enforcement is investigating a hack of JPMorgan Chase and four other financial institutions. Though it remains unclear what was compromised and how it affects consumers, the sophisticated cyber attack appears to have resulted in the loss of sensitive information, including account information.

Given the potential scope of the hack, our recommendation is to be as proactive as possible. Take action now and practice good online security habits so you can mitigate the fallout from this cyber attack and prepare yourself moving forward.

Here are 6 actions we recommend taking today:

Change Your Passwords, Now.  

Go directly to the websites of any financial institution where you have an online account, starting with JPMorgan Chase if applicable, then any banks, investment accounts, employee benefit accounts, and others that house financial assets. Use the password generator in LastPass to create a new, strong password for each of these accounts, saving the new password to LastPass as you submit the change on the website.

Use a Unique Master Password for Your Password Manager.  

Your LastPass Master Password should be a unique password that you do not reuse on any of your other online accounts. If you’ve used your Master Password for other accounts, now’s a good time to change it.

Avoid Clicking Questionable Links. 

Phishing attacks are a common way to get you to divulge sensitive information. If you receive an email to reset your bank’s password, just open a new tab or window in your browser and enter the web address for your bank, logging in there directly rather than clicking through the link.

Check Your Security Challenge Results. 

The LastPass Security Challenge gives you a comprehensive report on your password hygiene so you know where to take action. Located in the Tools menu of the LastPass browser icon, the Security Challenge alerts you to any weak or duplicate passwords, and tells you if any of your accounts were known to be affected by hacks of other online services - including this latest hack of JPMorgan Chase.

Enable Credit Monitoring. 

There are a range of credit monitoring and identity fraud detection services on the market. In LastPass, you can set up a Form Fill Profile and enable free credit monitoring alerts to receive real-time notifications if there’s any activity on your credit report. Should you be alerted to suspicious activity, you can request your free annual credit report.

Monitor Account Activity. 

Remain vigilant and watch for suspicious activity on your accounts, especially your financial, email, and social networking accounts. Watch for transactions you didn’t approve, emails you didn’t send, and posts you didn’t make - any of these could be an indication of unauthorized access to your accounts.

With an increasing number of cyber attacks affecting consumers, it’s more important than ever to be vigilant in protecting your identity and digital life, and to manage your passwords with the same care and diligence that you would the keys in your physical life.

Aug 26, 2014

LastPass Update for Android Prepares for Chrome Mobile Changes

We’re excited to announce that we have released an update to our Android app with improvements to our app autofill feature to accommodate changes that Google Chrome mobile will be rolling out in the next few weeks. For our Premium users, this means you will continue to be able to directly autofill logins in Chrome mobile!

For those of you who have been running Chrome Beta on your Android devices, you likely noticed that a recent update to the browser disabled LastPass’ ability to autofill directly into the browser and complete your logins for you. In an effort to employ stricter security policies, Google has moved to disable JavaScript injections on Chrome mobile, which LastPass relies on to automatically fill in your credentials as you log in to websites on the mobile browser.

After diligent work in investigating the new architecture, we have been able to update our functionality to be compatible with Google Chrome’s changes. LastPass will still be able to detect when you’re on a login page while browsing on Google Chrome, and you can continue to autofill usernames and passwords directly into the login fields with the LastPass prompts. You’ll continue to benefit from the ease of one tap to securely log into a site.

The update is now available in the Google Play Store. If you are interested in trying the LastPass Android app you can download it and try it out for 2 weeks for free. The upgrade to LastPass Premium is $12 per year for unlimited mobile sync and access to other Premium features.

Aug 25, 2014

Sharing Now Available in LastPass Android App

We’re excited to announce that LastPass for Android users will now be able to utilize the password and note sharing feature directly from Android devices. You will now be able to take full advantage of the secure sharing of sensitive information between LastPass users even while you’re on the go.

Partners, family, and friends co-managing online accounts, such as financial accounts or your TV streaming service, will be able to take advantage of easily sharing access to those logins.

This feature also allows you to send other LastPass users private information saved within LastPass Secure Notes. Passport numbers, PIN codes, bank account numbers, or any information stored and shared within a note are encrypted and securely synced.

From your vault, you can tap on a site or note name, and select "Share". For sites, you can choose whether or not you want the recipient to be able to view the password. You'll be prompted for the email address of the LastPass user you want to share with, and once sent the login or note will be synced between both vaults.

Think of it as a secure alternative to texting or emailing your sensitive personal information.

The updated Android app, which is included in the LastPass Premium service for $12 per year, is now available on the Google Play Store. Users can try the Premium service for free for two weeks.

Aug 15, 2014

The LastPass Team Accepts the Ice Bucket Challenge

The LastPass Team has accepted the ALS #IceBucketChallenge and donated in honor of our dear friend's father, George Vasiloff.

You may have seen the Ice Bucket Challenge making the rounds on the Internet and the media. In an effort to raise awareness for ALS, also called Lou Gehrig's disease, people are recording themselves getting doused with buckets of ice water and then challenging others to do the same.

We have challenged our friends at CustomInk and SpiceWorks! They have two business days to complete the challenge and donate to the ALS Association.

We also encourage our community to consider supporting this cause. ALS is a progressive neurodegenerative disease that affects nerve cells in the brain and the spinal cord. To learn more, visit

A big thanks to Capital Audio Post and the Mosaic District in Fairfax, Virginia for their help in completing this project.

This was a special experience for the LastPass Team and we're proud to have had the opportunity to participate in the cause!


Aug 12, 2014

Update on LastPass Connectivity Errors

At 3:57 Eastern Time this morning, one of the data centers that LastPass relies on went down. Our team immediately took action to migrate LastPass to run entirely on a different data center. As a result, many users experienced connection errors with the LastPass service, and the service has been intermittently unavailable throughout the morning. We have been engaged with our data center provider the entire time to resolve the issues. Please note this does not impact the security of your data.

We are doing everything we can to mitigate the impact and resolve the situation as quickly as possible, and apologize for the inconvenience caused. We strongly recommend that users log in through the browser extensions to access their vault; most users should have access there, though some may still see warnings that they are in “offline mode”.

We will continue to update our user base and appreciate your patience.

Update: 1:28 pm EST

Though one of our data centers remains completely down, the service is generally stable and should be available to the majority of users (with the exception of login favicons). Some users may see connection errors but should still be able to access their data. We continue to work as quickly as possible to get the service back to 100%.

Update: 4:13 pm EST

Most users should now be able to connect to the LastPass browser extensions without errors, though favicons still may not sync. We continue to closely monitor the situation.

August 13, 2014: Post Mortem of Yesterday’s Outage

As noted in our original post, on August 12th, 2014 a data center that LastPass relies on went down around 4 am Eastern Time. Below, we have outlined the timeline of events as they unfolded at the data center and with the LastPass service at large.

We again sincerely apologize for the inconveniences caused, and want to assure our community we are moving forward stronger than before, as we remain deeply committed to the security and reliability of our service for our users.

Joe Siegrist
CEO of LastPass

Summary of Events

The majority of users were unaffected due to having proper redundancy in place to deal with the loss of a data center, as well as the built-in offline access via the LastPass browser extensions. However, during our efforts to scale at the secondary data center to ensure sufficient capacity at peak of the day, we inadvertently worsened the situation through human error. Our team certainly has takeaways from the experience and will be implementing changes going forward, as detailed in the concluding statements below.

We did receive a full RFO from our data center confirming that the BGP routing table issues affecting other companies yesterday played a role as well. For more, see:

Timeline of Events (EDT)

3:50 am - We detected extreme latency and packet loss between one of our data centers and most major networks, including inter-connectivity with the other data center.

3:54 am - Our monitoring system detected the situation as critical and paged two operators.

4:00 am - We contacted our data center provider regarding the issue we were experiencing with their service.

5:00 am - With no update from our impacted data center provider, we switched from two data centers to run entirely on the second data center and disabled the affected data center.

6:00 am - We noticed that IPv6 had suddenly started working at the now-disabled data center, making it clear to us that major networking changes were being made.

7:00 am - Our report was escalated by the impacted data center provider.

8:00 am - We determined that the outage would likely be extended, so we executed a plan to add some spare machines into load balancing at the second data center, to ensure we would have plenty of spare capacity at the peak of the day.

8:15 am - We began to receive alerts of intermittent connectivity issues at our second (now only) data center.

8:30 am - A small percentage of users reported logout errors that prevented them from utilizing offline mode.

9:00 am - We continued trying to work with our impacted data center provider, but received no updates on the situation or information on resolution.

9:30 am - Latency and connectivity issues increased at the second (now only) data center, which we began investigating.

10:00 am - We received acknowledgement from our impacted provider that this was a widespread problem and that they would reload the core routers. They noted that it might be an extended outage.

10:30 am - The impacted data center's network went completely down.

12:00 pm - We tracked down the source of an issue at the second data center, in which 3 machines we had added were running at 100Mbps instead of Gigabit (despite having Gigabit cards and being connected to Gigabit switches) and were network saturated.

12:45 pm - We resolved the issue with the 3 additional machines, and fully restored service still running on the second data center only, though favicons remained disabled.

2:15 pm - Impacted provider indicated they were fully online, though those machines remained unreachable for us.

2:30 pm - We authorized the impacted data center staff to reboot our networking equipment, with no effect.

3:30 pm - We discovered the underlying cause of some users being logged off immediately after login, and resolved it.

3:45 pm - Members of our team arrived at the impacted data center, and verified that our networking equipment was still down.

4:15 pm - We completed a swap to spare equipment, bringing the impacted data center back online.

8:45 pm - We completed testing, confirmed that replication to the secondary data center looked good, and were fully restored with both data centers active again.

Conclusions & Lessons Learned

As a result of yesterday’s events, we have formed the following key takeaways and action steps:

  • We have moved our status page to be hosted outside our network, since it was inaccessible for periods of time.
  • In an effort to gather more detailed information for our community, we delayed communicating about the situation. Going forward, we will share what information we have, however sparse, and work to update the community from there, via the blog, the status page, our social accounts, and email where appropriate.
  • Our monitoring checks now verify port speed:
for i in `ip addr show | grep UP | egrep -v 'tun[0-9]+:|lo:' | awk -F ': ' '{print $2}'`;do echo -n $i ; ethtool $i | grep "Speed:"; done
  • We are considering moving to another data center provider.
  • In an effort to improve the situation, we worsened it through our actions, and we will be more cautious in taking preventative actions when running on a single data center.
  • We're moving to a hosted model for DNS that includes external service checks. 
  • Though we designed some systems to be 'non-critical', such as favicons for sites, we'll be improving our systems to minimize visual disruption during a massive outage.
  • A small number of users were impacted by an inability to access the service offline; we continue to investigate and test this.
  • We will be implementing more disaster and redundancy tests of our systems to better prepare for a catastrophic, single data center scenario. 
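An added check in the spirit of the port-speed item above (example code, not LastPass's own monitoring script): it parses ethtool-style output, flags any interface that negotiated below an expected link speed, and is driven here by constructed sample output so it runs offline. The `list_ifaces` and `real_ethtool` helpers for a live host are assumptions, not part of the original post.

```shell
#!/bin/sh
# Added example, not LastPass's own monitoring code: alert when any interface
# has negotiated below the expected link speed (the 100Mbps-instead-of-Gigabit
# condition from the timeline). Runs offline against constructed sample output.

EXPECTED_MBPS=1000

# Constructed sample in the format `ethtool <iface>` prints (not real hosts):
# eth0 is healthy, eth1 negotiated 100Mb/s, eth2 has no link.
sample_ethtool() {
  case "$1" in
    eth0) printf 'Settings for eth0:\n\tSpeed: 1000Mb/s\n\tDuplex: Full\n\tLink detected: yes\n' ;;
    eth1) printf 'Settings for eth1:\n\tSpeed: 100Mb/s\n\tDuplex: Full\n\tLink detected: yes\n' ;;
    eth2) printf 'Settings for eth2:\n\tSpeed: Unknown!\n\tDuplex: Unknown! (255)\n\tLink detected: no\n' ;;
    *) return 1 ;;   # unknown interface: behave like ethtool failing
  esac
}

# On a live host this wrapper replaces sample_ethtool (assumed helper).
real_ethtool() {
  ethtool "$1" 2>/dev/null
}

# Interface list with the same filter as the one-liner above: skip loopback
# and tunnels (assumed helper; needs iproute2).
list_ifaces() {
  ip -o link show 2>/dev/null | awk -F': ' '{print $2}' | grep -v -E '^(lo|tun[0-9]+)$'
}

# speed_mbps "<ethtool output>": print the negotiated speed in Mb/s as an
# integer, or 0 when the speed is unknown (link down).
speed_mbps() {
  printf '%s\n' "$1" \
    | sed -n 's/^[[:space:]]*Speed:[[:space:]]*\([0-9][0-9]*\)Mb\/s.*/\1/p' \
    | head -n 1 | grep . || echo 0
}

# check_port_speeds "<iface list>" <getter>: print one line per interface that
# is below EXPECTED_MBPS (or unreadable); return 1 if any, 0 if all are fine.
check_port_speeds() {
  ifaces=$1
  getter=$2
  bad=0
  for i in $ifaces; do
    if ! out=$("$getter" "$i"); then
      echo "$i: could not read link settings"
      bad=1
      continue
    fi
    s=$(speed_mbps "$out")
    if [ "$s" -lt "$EXPECTED_MBPS" ]; then
      echo "$i: ${s}Mb/s (expected ${EXPECTED_MBPS}Mb/s)"
      bad=1
    fi
  done
  return $bad
}

# Demo on the constructed sample. On a live host, run instead:
#   check_port_speeds "$(list_ifaces)" real_ethtool
if check_port_speeds "eth0 eth1 eth2" sample_ethtool; then
  echo "OK: all interfaces at ${EXPECTED_MBPS}Mb/s or better"
else
  echo "ALERT: interfaces below expected link speed (see above)"
fi
```

Wired into a cron job or monitoring agent, a non-zero exit from `check_port_speeds` is the page for the "Gigabit card running at 100Mbps" case before it saturates under load.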

Aug 6, 2014

The CyberVor Data Breach: What You Need to Know

News broke on August 5th that Hold Security, an information security and investigations company, discovered a Russian cybercrime ring that had amassed over 4.5 billion consumer records. According to the New York Times, the records mostly consisted of stolen login credentials (usernames and passwords) accumulated from over 420,000 websites, containing over half a billion unique email addresses. The cybercrime ring was dubbed “CyberVor”, Vor meaning “theft” in Russian.

While some sources remain skeptical of the details, news of the "CyberVor breach" has caused widespread concern. Allegedly, "CyberVor" used stolen credentials from the black market to distribute malware and build a botnet, then exploited vulnerabilities on websites big and small in order to gather more data.

As we monitor the situation and ascertain the authenticity of the details, we highly recommend using our steps below to mitigate any potential impact of the CyberVor breach and to increase your password hygiene. While your LastPass account is not affected, if you have reused your master password on any other sites it is absolutely critical that you update it now (via the LastPass vault in the "Settings" menu).

Mitigating the Impact of the CyberVor Breach

Start using a password manager. If you are not yet using LastPass or a password manager, we advise getting started immediately. Using a password manager centralizes your logins and passwords in one, secure place. Many people are surprised by just how many passwords they have once they pull what they have saved in their browsers into a password manager. A password manager also makes it easy to follow best practices with passwords and online security.

Run the Security Check. The LastPass Security Check identifies any weak or duplicate passwords, tells you if any sites were affected by Heartbleed, and gives you an overall “security score” so you can understand how you’re progressing with your password security. To run it, click the LastPass icon in your browser toolbar, then under the “Tools” sub-menu select the “Security Check”.

Replace duplicate passwords with generated ones. After running the Security Check, you’ll know which sites have weaker passwords, and you can start updating them. Begin with the most important sites - financial, email, and social. You can launch the site straight from the security check and log in, then go to your account settings page on that website, and use LastPass to replace the old password. Repeat for all sites using weak, duplicate, and old passwords. Learn more.

Turn on multifactor authentication.
Multifactor authentication adds another security layer to your account by requiring that you confirm “something you have” (like a Google Authenticator code) after submitting “something you know” (your LastPass email address and master password). LastPass supports 10 multifactor authentication options, giving you the flexibility to choose one that suits your work flow best. Learn more.

Online security is about mitigation and remaining proactive. The protection of your online identity is in part dependent on utilizing strong, unique passwords for all of your online accounts. Just like you wouldn't give your one house key to someone you don't trust, don't give the same password to every website you use. By replacing weak and duplicate passwords, using multifactor authentication, and centralizing your accounts with a password manager, you’ll help mitigate the potential impact of this massive data breach and others in the future.

Jul 29, 2014

Google Android "Fake ID" Security Flaw Discovered: What You Need to Know

Bluebox Labs, the mobile security research team at BlueBox Security, announced the discovery of an Android flaw they have dubbed “Fake ID”. “Fake ID” exploits a device’s digital signature, which Android uses to verify that apps are who they say they are.

Essentially, the issue is that while Android checked that an app had the correct ID before granting it special privileges, it failed to check that the ID was in fact valid and not forged. As reported to the BBC, the researchers liken it to a visitor flashing his valid-looking badge to a security guard, but the guard failing to call the employer of that visitor to verify he is who he says he is. “Fake ID” is concerning because no action or approval is required of the device owner and any actions taken are hidden. In one example, the faked certification signature could be exploited by an app to impersonate Google Wallet to obtain payment data. The flaw is said to affect Android from the January 2010 release of 2.1 up to Android 4.3.

For in-depth technical details on how the exploits work, see Bluebox Lab’s post here.

Does this affect the LastPass Android app?

If you do not install apps from untrusted sources, you're likely safe. Google has scanned all of the apps in the Google Play store, and confirmed they have not seen anyone attempt to exploit this flaw to date. Since the flaw has just been released, it is unlikely that any malware has been written to take advantage of it yet.

Because it can be used to exploit this flaw, we have disabled the Adobe Flash plugin from loading in the LastPass browser, and have issued an update to our app. This affects only Android 4.3 and earlier, since Android 4.4 and later does not include Flash, and is therefore not susceptible to this bug. Even if a malicious app were to gain control of the device, all it would be able to get from LastPass would be a highly encrypted, unusable blob of data. Disabling offline access in the LastPass app’s preferences would also prevent this blob from being stored locally.

Advice on actions to take:

While this flaw is serious, most Android users should be able to avoid being affected by:
  • Only downloading apps from the Google Play Store - apps downloaded from outside the store are not regulated by the app store policies.
  • Avoiding untrusted apps - only download apps published by companies you know and trust.
  • Removing unused or untrusted apps from your devices.
  • Updating your phone to the latest Android version available with this issue patched.
We remain vigilant of any security discoveries that may affect the LastPass community and will update our users if any other details come to light.

Jul 28, 2014

User Case Study: Why a Financial Planner Uses LastPass

My clients place a high level of trust in me to provide them with the advice and guidance they need to achieve their financial goals. They also trust me to protect their confidential information and ensure that what they share with my firm is always secure. This includes everything from investment account statements and tax returns, to their life insurance policies and estate plans.

As a financial planner and investment advisor, I take password security and encryption very seriously. I do everything in my power to safeguard sensitive client and business information at all times. When it comes to preventing unauthorized access to bank and investment accounts, there is literally no room for error.

That's why I'm honestly not sure what I would do without LastPass. I use LastPass literally every day to manage nearly 300 complex business and personal passwords. Considering that my typical password is 12 to 16 random characters, including upper and lower case letters, numbers, and symbols, there is no way I could remember all of them without it.

Likewise, I need a way to access my passwords on-demand and from anywhere. With LastPass, it doesn't matter if I'm working at the office, from home, or on the road, I can login to any site I need to quickly and easily. Even better, I can access LastPass from my desktop, tablet, and my smartphone.

Most importantly, because LastPass encrypts data locally, before it is transmitted over the Internet, I feel much more confident about storing passwords with the software. This is absolutely critical when it comes to any login that I use to access client information. I simply won't do it any other way.

Although there are many features that I really love with LastPass, there are three that really stand out for me:

  • Multifactor authentication – As secure as my master password might be, I believe that a second form of authentication is an absolute must. With LastPass and Google Authenticator I have a simple two-step verification system to ensure that even if my master password was compromised, my other passwords would still be safe. Tip: If you are a Google Apps for Business user, you can enable two-factor authentication for your Google account as well.
  • Auto-generate secure passwords – One of the biggest downfalls when it comes to password security is the repeat use of the same (often weak) password across many different sites. I admit that before finding LastPass the only time I used a different password was if a web site forced me to because of specific restrictions on the characters they'd allow. Thankfully, I wised up several years ago and changed every important password I use to a new one that I randomly generated using the LastPass secure password generation tool. Creating complex, random passwords literally couldn't be any easier.
  • Auto-save and update on the fly – The LastPass plugin (in my case for Chrome) is a web user's dream. Not only can I log in automatically to almost any site on the web (with a master password re-prompt of course), but I can also save new passwords on the fly. Finally, whenever I change a password, LastPass knows and asks me if I want to update the existing entry or save a new one. This makes password management so easy, you almost forget about it.

As someone who is committed to putting clients first, security is a top priority. I've worked for companies before that literally stored usernames and passwords in an Excel file. If that sounds familiar, you need LastPass! With LastPass available on Windows, Mac, Linux, and mobile, there is no reason to risk exposing your personal or your professional passwords to the world. If you aren't using LastPass, download it today and give it a try. It's free and I promise you'll love it!

Jonathan K. Duong, CFA, CFP® is a fee-only investment advisor and financial planner in Denver, CO. He is the president of Wealth Engineers, which he founded to provide an alternative to the high costs and conflicts of interest of a typical financial advisor. Jonathan specializes in working with busy professionals, entrepreneurs, and athletes to help them navigate through the unique financial challenges they each face and build a more confident path to achieving their goals. Thank you, Jonathan, for coming on the LastPass blog to share your story!

Jul 21, 2014

Use Your Master Password to Achieve Your Next Goal

We’re all about productivity and efficiency here at LastPass, so we were intrigued when we heard about someone who had used their password to help them achieve their goals. In his recent post on Medium, Mauricio Estrella shares his insight that passwords can serve as powerful daily reminders of our goals, and motivate us to actually follow through with them.

After a divorce, Estrella took his boss’s advice and changed his password to a motivational phrase. Since he would have to type his password every day, he decided to use it as a reminder of the changes he wanted to make. He first wanted to forgive his ex-wife so that he could move on, so he changed his password to “Forgive@her”.

“It was obvious that I couldn’t focus on getting things done with my current lifestyle and mood. Of course, there were clear indicators of what I needed to do - or what I had to achieve - in order to regain control of my life, but we often don’t pay attention to these clues,” Estrella said in his post. “My password became the indicator.”

The daily reminders from his passwords not only helped him forgive his ex-wife, but also helped him achieve other goals he set for himself over the following months, including quitting smoking and saving for an international vacation, as you can read in his full story over on Medium (warning: strong language).

It seems then that there’s some truth to using passwords to reinforce your goals, and what better way to get yourself started on changing your life than using something you have to type every day anyway?

So we’re giving it a go with our LastPass master password, with a long passphrase (using multiple character types, of course) that serves as a daily reminder of something we’d like to achieve, too.

Have you used a password to motivate yourself? Do you think you’ll give it a go? Let us know in the comments below.

Jul 14, 2014

6 Mistakes Employees Are Making with Passwords

There’s nothing like a data breach to get a company’s name in the news these days, though likely not the press a brand would prefer. The upward trend in consumer database breaches requires everyone to revisit bad password practices, and get better ones in place, especially in the workplace where businesses stand to lose not only money but also critical assets and consumer trust. Corporate systems are only as secure as their weakest passwords.

Here are 6 mistakes we see employees making with company passwords. If you and your team are avoiding these mistakes, you’re already leagues ahead in protecting your company’s sensitive information.

1. Not systematically recording passwords.

While the proliferation of tools and services has been an immense boon for productivity in the workplace, it’s a nightmare when it comes to tracking logins. Without a system to track accounts and who has access to what, employees will inevitably be interrupting others’ workdays to try to track down that information or call the IT service desk to have passwords reset. Once they start to track passwords, employees are often surprised to discover just how many accounts they actually have. Without a system, neither employees nor the company even know who has access to what or what they should have access to, let alone how many accounts are in use.

2. Storing passwords where they’re easily accessed.

Once employees do start using a system - be it a paper document, a digital document, or a password manager - they have to be able to control who has access to it. Sticky notes posted on monitors or under keyboards, WiFi passwords scribbled across whiteboards that are then televised for the world to see, notebooks left out on desks - all are a potential invitation for someone to tamper with that information. Even browser password managers don’t prompt you to log in by default, leaving any stored passwords exposed and usable. All passwords and accounts should be recorded in one safe place that can be controlled and locked down.

3. Sharing passwords too liberally.

In the spirit of cooperation and collaboration employees may not think twice about sharing a login, whether it be an account managed by the team or just “temporarily” so that a team member can look into something. But once shared, that password is in the wild. Should a disgruntled employee go rogue, or leave the company and still have access to those accounts, there’s a potential for damage to be done either to the brand or to customer data.

4. Not separating work passwords from personal ones.

Password reuse continues to be a problem, as employees struggle to keep track of dozens of passwords and create a system that makes them easier to remember. But by using the same password on a personal account as they do on a work account, an “insignificant breach” like that of an online retail account could lead to a very significant breach of a work account. By using a unique password for all sites, whether work or personal, employees would be able to eliminate this risk.

5. Logging in to corporate accounts on unsecured networks or devices.

Did you know that some 70% of employees access corporate data from a personal smartphone or tablet? Work and personal life are more integrated than ever, and as the number of devices used in the workplace and at home proliferates, employees want access to their services where they want it, when they need it. There’s less distinction now between “company-only” and “personal-only”. Given that reality, employees may be exposing corporate accounts to risk by utilizing poor password hygiene across their accounts and devices.

6. Meeting the bare minimum password requirements.

It’s well known that password length and password complexity (the combination of several different character types into random sequences) are the most important factors in creating “uncrackable” passwords. Because most password requirements are onerous and employees are primarily concerned with just remembering them, they will default to the absolute bare minimum of the requirements in order to make it easiest on themselves. We don’t fault the employees - without tools to help employees create better, stronger passwords, and then remember those passwords for them, they’ll be stuck in the same old pattern.

What’s a company to do?

Half the battle in correcting these behaviors is providing tools and systems that not only encourage the behavior you want to see, but also make it easy on employees. Only by deploying company-wide password management that empowers the employee to take action will they be able to stop making the mistakes above.

Interested in learning more about a solution for your team? Check out LastPass Enterprise: