Jul 28, 2014

User Case Study: Why a Financial Planner Uses LastPass

My clients place a high level of trust in me to provide them with the advice and guidance they need to achieve their financial goals. They also trust me to protect their confidential information and ensure that what they share with my firm is always secure. This includes everything from investment account statements and tax returns, to their life insurance policies and estate plans.

As a financial planner and investment advisor, I take password security and encryption very seriously. I do everything in my power to safeguard sensitive client and business information at all times. When it comes to preventing unauthorized access to bank and investment accounts, there is literally no room for error.

That's why I'm honestly not sure what I would do without LastPass. I use LastPass literally every day to manage nearly 300 complex business and personal passwords. Considering that my typical password is 12 to 16 random characters, including upper and lower case letters, numbers, and symbols, there is no way I could remember all of them without it.

Likewise, I need a way to access my passwords on-demand and from anywhere. With LastPass, it doesn't matter if I'm working at the office, from home, or on the road, I can log in to any site I need to quickly and easily. Even better, I can access LastPass from my desktop, tablet, and my smartphone.

Most importantly, because LastPass encrypts data locally, before it is transmitted over the Internet, I feel much more confident about storing passwords with the software. This is absolutely critical when it comes to any login that I use to access client information. I simply won't do it any other way.

Although there are many features that I really love with LastPass, there are three that really stand out for me:

  • Multifactor authentication – As secure as my master password might be, I believe that a second form of authentication is an absolute must. With LastPass and Google Authenticator I have a simple two-step verification system to ensure that even if my master password was compromised, my other passwords would still be safe. Tip: If you are a Google Apps for Business user, you can enable two-factor authentication for your Google account as well.
  • Auto-generate secure passwords – One of the biggest downfalls when it comes to password security is the repeat use of the same (often weak) password across many different sites. I admit that before finding LastPass the only time I used a different password was if a web site forced me to because of specific restrictions on the characters they'd allow. Thankfully, I wised up several years ago and changed every important password I use to a new one that I randomly generated using the LastPass secure password generation tool. Creating complex, random passwords literally couldn't be any easier.
  • Auto-save and update on the fly – The LastPass plugin (in my case for Chrome) is a web user's dream. Not only can I log in automatically to almost any site on the web (with a master password re-prompt of course), but I can also save new passwords on the fly. Finally, whenever I change a password, LastPass knows and asks me if I want to update the existing entry or save a new one. This makes password management so easy, you almost forget about it.

As someone who is committed to putting clients first, security is a top priority. I've worked for companies before that literally stored usernames and passwords in an Excel file. If that sounds familiar, you need LastPass! With LastPass available on Windows, Mac, Linux, and mobile, there is no reason to risk exposing your personal or your professional passwords to the world. If you aren't using LastPass, download it today and give it a try. It's free and I promise you'll love it!

Jonathan K. Duong, CFA, CFP® is a fee-only investment advisor and financial planner in Denver, CO. He is the president of Wealth Engineers, which he founded to provide an alternative to the high costs and conflicts of interest of a typical financial advisor. Jonathan specializes in working with busy professionals, entrepreneurs, and athletes to help them navigate through the unique financial challenges they each face and build a more confident path to achieving their goals. Thank you, Jonathan, for coming on the LastPass blog to share your story!

Jul 21, 2014

Use Your Master Password to Achieve Your Next Goal

We’re all about productivity and efficiency here at LastPass, so we were intrigued when we heard about someone who had used their password to help them achieve their goals. In his recent post on Medium, Mauricio Estrella shares his insight that passwords can serve as powerful daily reminders of our goals, and motivate us to actually follow through with them.

After a divorce, Estrella took his boss’s advice and changed his password to a motivational phrase. Since he would have to type his password every day, he decided to use it as a reminder of the changes he wanted to make. He first wanted to forgive his ex-wife so that he could move on, so he changed his password to “Forgive@her”.

“It was obvious that I couldn’t focus on getting things done with my current lifestyle and mood. Of course, there were clear indicators of what I needed to do - or what I had to achieve - in order to regain control of my life, but we often don’t pay attention to these clues,” Estrella said in his post. “My password became the indicator.”

The daily reminders from his passwords not only helped him forgive his ex-wife, but also helped him achieve other goals he set for himself over the following months, including quitting smoking and saving for an international vacation, as you can read in his full story over on Medium (warning: strong language).

It seems then that there’s some truth to using passwords to reinforce your goals, and what better way to get yourself started on changing your life than using something you have to type every day anyway?

So we’re giving it a go with our LastPass master password, with a long passphrase (using multiple character types, of course) that serves as a daily reminder of something we’d like to achieve, too.

Have you used a password to motivate yourself? Do you think you’ll give it a go? Let us know in the comments below.

Jul 14, 2014

6 Mistakes Employees Are Making with Passwords

There’s nothing like a data breach to get a company’s name in the news these days, though likely not the press a brand would prefer. The upward trend in consumer database breaches requires everyone to revisit bad password practices, and get better ones in place, especially in the workplace where businesses stand to lose not only money but also critical assets and consumer trust. Corporate systems are only as secure as their weakest passwords.

Here are 6 mistakes we see employees making with company passwords. If you and your team are avoiding these mistakes, you’re already leagues ahead in protecting your company’s sensitive information.

1. Not systematically recording passwords.

While the proliferation of tools and services has been an immense boon for productivity in the workplace, it’s a nightmare when it comes to tracking logins. Without a system to track accounts and who has access to what, employees will inevitably be interrupting others’ workdays to try to track down that information or call the IT service desk to have passwords reset. Once they start to track passwords, employees are often surprised to discover just how many accounts they actually have. Without a system, neither employees nor the company even know who has access to what, or what they should have access to, let alone how many accounts are in use.

2. Storing passwords where they’re easily accessed.

Once employees do start using a system, be it a paper document, a digital document, or a password manager, they have to be able to control who has access to it. Sticky notes posted on monitors or under keyboards, WiFi passwords scribbled across whiteboards that are then televised for the world to see, notebooks left out on desks - all are a potential invitation for someone to tamper with that information. Even browser password managers don’t prompt you to log in by default, leaving any stored passwords exposed and usable. All passwords and accounts should be recorded in one safe place that can be controlled and locked down.

3. Sharing passwords too liberally.

In the spirit of cooperation and collaboration, employees may not think twice about sharing a login, whether it be an account managed by the team or just “temporarily” so that a team member can look into something. But once shared, that password is in the wild. Should a disgruntled employee go rogue, or leave the company and still have access to those accounts, there’s a potential for damage to be done either to the brand or to customer data.

4. Not separating work passwords from personal ones.

Password reuse continues to be a problem, as employees struggle to keep track of dozens of passwords and create a system that makes them easier to remember. But by using the same password on a personal account as they do on a work account, an “insignificant breach” like that of an online retail account could lead to a very significant breach of a work account. By using a unique password for all sites, whether work or personal, employees would be able to eliminate this risk.

5. Logging in to corporate accounts on unsecured networks or devices.

Did you know that some 70% of employees access corporate data from a personal smartphone or tablet? Work and personal life are more integrated than ever, and as the number of devices used in the workplace and at home proliferates, employees want access to their services where they want to, when they need to. There’s less distinction now between “company-only” and “personal-only”. Given that reality, employees may be exposing corporate accounts to risk by practicing poor password hygiene across their accounts and devices.

6. Meeting the bare minimum password requirements.

It’s well known that password length and password complexity (the combination of several different character types into random sequences) are the most important factors in creating “uncrackable” passwords. Because most password requirements are onerous and employees are primarily concerned with just remembering them, they will default to the absolute bare minimum of the requirements in order to make it easiest on themselves. We don’t fault the employees - without tools to help employees create better, stronger passwords, and then remember those passwords for them, they’ll be stuck in the same old pattern.

What’s a company to do?

Half the battle in correcting these behaviors is providing tools and systems that not only encourage the behavior you want to see, but also make it easy on employees. Only by deploying company-wide password management that empowers the employee to take action will they be able to stop making the mistakes above.

Interested in learning more about a solution for your team? Check out LastPass Enterprise: https://LastPass.com/Enterprise

Jul 11, 2014

A Note from LastPass

LastPass is in part able to achieve the highest level of security for our users by looking to our community to challenge our technology.

In August 2013, a security researcher at UC Berkeley, Zhiwei Li, contacted us to responsibly disclose novel vulnerabilities in the LastPass bookmarklets (actively used by less than 1% of the user base) and One Time Passwords (OTPs). Zhiwei discovered one issue that could be exploited if a LastPass user used the bookmarklet on an attacking site, and another that could be exploited if the LastPass user went to an attacking site while logged into LastPass, where the site could use their username to potentially create a bogus OTP.

Zhiwei only tested these exploits on dummy accounts at LastPass and we don't have any evidence they were exploited by anyone beyond himself and his research team. The reported issues were addressed immediately, as confirmed by their team, and we let them publish their research before discussing it.

If you are concerned that you’ve used bookmarklets before September 2013 on non-trustworthy sites, you may consider changing your master password and generating new passwords, though we don’t think it is necessary.

Regarding the OTP attack, it is a “targeted attack”, requiring an attacker to know the user’s username to potentially exploit it, and serve that custom attack per user, activity which we have not seen. Even if this was exploited, the attacker would still not have the key to decrypt user data. If you’d like to check your current OTPs you can do so here: https://lastpass.com/otp.php

We appreciate that, as the most popular password manager in the world, we have an active, dedicated community that challenges us to be better and is committed to helping us improve the security of our service. Again, we thank Zhiwei and his team for their important research.

Joe & The LastPass Team

Jul 1, 2014

Do You Follow These Security Tips When Traveling?

As we gear up for summer, it’s a good time to review best practices when it comes to your digital security while traveling. We’re all protective of our passports and our credit card information as we travel, but we need to be equally vigilant with our online activity and personal technology so we can reduce our risk of identity and financial theft while on the road.

Here are 12 tips to lock down your devices before you leave, and to minimize your risk while traveling.

Before You Travel

1. Leave it at home, if you can. While it’s tempting to travel with all of your gadgets, consider leaving a device at home if it’s not integral to the trip. It’s one less item to keep track of, and one less belonging to risk being stolen.

2. Enable PIN codes. On all smartphones, tablets, laptops, or e-Readers, enable the PIN code prompt. It’s an easy step to keep your device from prying eyes.

3. Enable multifactor authentication. Adding an extra login step makes it that much harder for someone to hack into your accounts. Enable multifactor authentication for LastPass, and for any other services you use that support it. Just be sure you take the multifactor authentication app or device with you!

4. Document your devices. Create a detailed list of the make and model numbers of your devices, the serial numbers, and other important details. You can store this information in a secure note in LastPass, especially if you need to report any stolen or lost devices.

5. Look into lost device protection services. There are a range of apps and services for mobile devices that help you track and retrieve them should they be lost or stolen. Look into options for your devices before you leave, and set them up. Lifehacker’s round-up of phone recovery tools might be a good place to start.

6. Log out of your apps. Launch each app and log out of any active sessions, as well as uncheck the “remember me” option on your apps. The LastPass Premium mobile apps will help you quickly log back in to any apps as needed.

7. Back up everything. For any devices you do choose to travel with, be sure to back up files, photos, music, and any other information you would not want to lose should the device crash, break, or be stolen. You can also back up important travel documents, such as a copy of your passport, as attachments to LastPass secure notes.

While You Travel

8. Avoid public WiFi. For payment transactions, online banking, and any other online activity that may involve user names, passwords, and personal information, avoid using open WiFi that could leave your information exposed to anyone snooping the network. Save those activities for secured WiFi connections. If you can’t avoid open WiFi, at least be sure you’re connecting to your sites via HTTPS (and update your passwords when you return home).

9. Don’t select “remember me”. If you have to log in on public computers (like one in a hotel lobby) do not use the “remember me” setting. This could leave your session active long after you’re done browsing, giving someone else easy access to your accounts. And don't forget to log out of any accounts when you're done!

10. Clear browser history & cache. Before leaving a public computer, be sure to clear the browsing history and the browser cache to remove easily-accessible traces of your activity.

When You Return from Traveling

11. Update your passwords. Once you return home to a trusted device and a trusted network, be sure to update the passwords to any accounts you had to access on open WiFi or on public computers. LastPass makes this easier by generating and remembering new passwords for you.

12. Keep an eye on your accounts. Even if you were very careful while traveling, be sure to keep an eye on your credit card and online banking activity for any suspicious transactions, as well as your email and social accounts for any unusual activity.

Do you have any tips or recommendations for preparing your tech for travel?

Jun 6, 2014

Your LastPass Account Is Safe From the New OpenSSL Vulnerability

About 2 months after the discovery of Heartbleed, more OpenSSL vulnerabilities have now been announced. Though organizations should patch their servers, security experts have stated the latest flaws are not nearly as bad as Heartbleed.

The most critical of the new OpenSSL vulnerabilities is known as an “Injection Vulnerability”. If exploited, this flaw could result in a “man-in-the-middle attack”. Essentially, this means someone positioned on the network between your computer and a server could eavesdrop or alter encrypted data traffic. In theory, sensitive information such as email addresses, passwords, and credit card information could be at risk.

So does this impact LastPass?

With regard to LastPass, please note:

  • Your data stored in LastPass is not affected by this bug
  • Your master password is never shared with LastPass
  • Your vault is encrypted with AES 256-bit encryption before being sent to LastPass over SSL
  • Our servers’ SSL libraries have been updated with the latest fixes
  • You can use LastPass' tool to also identify affected sites: https://lastpass.com/opensslccs/

What should I do?

Although the threat is small, if you have used open or untrusted WiFi, we recommend updating the passwords for any online accounts you may have accessed at that time. LastPass will help you update the password to a new, generated one.

We recommend that users continue to exercise caution on untrusted networks, most notably on public WiFi, and remove WiFi networks from their devices that they no longer need or trust. Most other websites do not encrypt data before transmission as LastPass does, so there may be a risk of exposure to the OpenSSL flaws on other websites over public WiFi.

We will continue to update our community of any developments in the situation.

The LastPass Team

Jun 4, 2014

What Apple’s Announcements Could Mean For LastPass

Apple’s WWDC 2014 in San Francisco kicked off on June 2nd with a momentous keynote address that announced the arrival of iOS 8 and OS X 10.10 Yosemite. We’re very excited to see Apple taking a new direction, including increased consideration of the user experience regarding security and authentication. This new, more flexible direction allows services like ours to provide a better experience for our users.

Perhaps most relevant to LastPass are the changes on mobile with iOS 8. In the keynote, Apple indicated that they now support:

  • TouchID fingerprint authentication
  • Keyboard integration
  • Extension functionality implemented through interactive notifications
  • A more open ecosystem where apps can “talk” to one another

We want our community to know that, though it remains to be seen how flexible these new functionalities are, and to what extent we can utilize them for the LastPass app specifically, we are optimistic that we’ll be able to provide an improved LastPass experience on iOS. Overall, these changes seem to signal a move by Apple towards a more flexible platform that empowers developers.

At LastPass, we're committed to innovation and implementing the latest technologies to deliver the best possible user experience. We look forward to further exploring the possibilities of iOS 8.

Jun 3, 2014

LastPass for Android Gets In-App Payments

Our highly-rated LastPass Android app just got better. A new update hits the app store today, with two exciting new features:

In-App Purchasing

You can now upgrade and renew your Premium via the LastPass app itself, charged to your Google Play account:

Getting Started Wizard

New users of the Premium app will have more step-by-step help in learning how to use the app's features:

Note that with the in-app purchasing of Premium, autorenewal is not yet available; only a 1-year payment option is offered at this time. We do plan to offer the ability to purchase subscriptions in a later update.

These usability improvements follow several other major additions to our Android app in the last few months alone, including the addition of biometric support for Samsung Galaxy S5 and automated app filling to streamline logging in to other apps on your Android device. We continue to work to improve the mobile experience, with the latest technology available.

The LastPass Android app is part of our Premium service for $12 per year, and the latest update is already available on the Google Play app store.

May 15, 2014

Heartbleed Was Scary, But Did Anything Change?

Dubbed the “ultimate web nightmare”, Heartbleed was arguably the biggest security issue to hit the Internet in recent years. Heartbleed caused wide concern because affected websites were vulnerable for some two years, an attack exploiting the bug to gain access to sensitive information was shown to be undetectable, and the affected version of OpenSSL was used by some two-thirds of the web.

For several days, news of Heartbleed and the risks it posed dominated the press. Consumers were advised to update passwords as soon as websites announced they had pushed updates to patch Heartbleed. So Heartbleed caused quite a stir (and a fashionable one at that, given that it’s the first security vulnerability to have its own logo).

But the question remains: Did anything actually change? Do we as consumers have a better grasp of the risks to our data online and how to start better protecting it?

Statistics from a recent Pew study show that despite a large percentage of Internet users hearing about Heartbleed (ranging from 47% in one study by LifeLock to 64% in the study by Pew), less than half of those informed consumers took action to change passwords. Another study by Software Advice echoed similar findings, showing that some 67% of Internet users haven’t changed passwords after Heartbleed. Perhaps the more alarming statistic was that over 75 percent of respondents say they’ve received no advice about Heartbleed in the workplace, despite showing willingness to cooperate if they were asked to change passwords.

In summary - some took action after Heartbleed, but not nearly enough, given the breadth of Heartbleed. In addition, businesses are not taking the responsibility they should for educating their employees and empowering them to protect both corporate and personal data.

So What’s To Be Done?

For consumers and for businesses, Heartbleed is an opportunity to prioritize security. Every day that passes in which passwords for critical accounts are not updated to stronger ones, and in which bad password practices are permitted to flourish, is another day in which consumers and businesses leave themselves exposed to costly breaches.

Businesses need to create an action plan prioritizing the implementation of password management, and the mandatory change of critical passwords. Any efforts to change passwords will not be effective if a system is not in place to help employees manage strong passwords. Getting a system in place is a critical first step, then education should be an ongoing, regular effort. If you’re ready to get your company’s passwords organized, try LastPass Enterprise: LastPass.com/Enterprise

Consumers need to manage passwords with a password manager, and use actionable data like that in the LastPass Security Challenge to prioritize updating passwords. By using a tool that creates strong passwords and remembers them, following online security best practices is easy.

Have you changed your passwords because of Heartbleed? Have you had opportunities to educate others about password management and why it's important after Heartbleed?

May 7, 2014

Hackable to Uncrackable: World Password Day 2014

Here at LastPass, we believe strongly in spreading the word about better password management and helping our community protect themselves against online security threats. That's why we're supporting World Password Day 2014 and encouraging everyone to use this as an opportunity to update passwords and get started with a password management system like LastPass.

In January 2013, Deloitte analysts estimated that 90% of all passwords are simple enough to be hacked in seconds. Since then, Heartbleed headlines prompted Internet users to change their passwords, yet only 38% of users did. We want to help change that. Observed every May 7th, World Password Day asks people to do one simple thing, made even simpler by using a password manager like LastPass: change your password.

Since 2013, more than 170 organizations including LastPass, Intel, Microsoft, and the National Cyber Security Alliance have participated in World Password Day. Last year, over 32,000 people pledged to upgrade their passwords to stronger ones.

This year, World Password Day has launched a new website at passwordday.org, a video game that pits the player against real leaked passwords, and simple tips and tricks for strengthening your passwords. Take the pledge to upgrade your password, get started with a password manager if you aren't already using one, and go from hackable to uncrackable today.

Some Password Facts

  • The most common password is "123456." The second most common is "password."
  • 1 in 5 Internet users have had an email or social networking account compromised or taken over without permission.
  • Data breaches exposed some 552 million identities from popular websites in 2013, a 62% increase from 2012 - and the trend doesn't seem to be slowing.
  • The Heartbleed security flaw could have exposed sensitive data from up to 66% of active websites.

What Can You Do Today?

What are you doing to support World Password Day? Tell us in the comments below.