Jul 21, 2014

Use Your Master Password to Achieve Your Next Goal

We’re all about productivity and efficiency here at LastPass, so we were intrigued when we heard about someone who had used their password to help them achieve their goals. In his recent post on Medium, Mauricio Estrella shares his insight that passwords can serve as powerful daily reminders of our goals, and motivate us to actually follow through with them.

After a divorce, Estrella took his boss’s advice and changed his password to a motivational phrase. Since he would have to type his password every day, he decided to use it as a reminder of the changes he wanted to make. He first wanted to forgive his ex-wife so that he could move on, so he changed his password to “Forgive@her”.

“It was obvious that I couldn’t focus on getting things done with my current lifestyle and mood. Of course, there were clear indicators of what I needed to do - or what I had to achieve - in order to regain control of my life, but we often don’t pay attention to these clues,” Estrella said in his post. “My password became the indicator.”

The daily reminders from his passwords not only helped him forgive his ex-wife, but also helped him achieve other goals he set for himself over the following months, including quitting smoking and saving for an international vacation, as you can read in his full story over on Medium (warning: strong language).

It seems then that there’s some truth to using passwords to reinforce your goals, and what better way to get yourself started on changing your life than using something you have to type every day anyway?

So we’re giving it a go with our LastPass master password, with a long passphrase (using multiple character types, of course) that serves as a daily reminder of something we’d like to achieve, too.

Have you used a password to motivate yourself? Do you think you’ll give it a go? Let us know in the comments below.

Jul 14, 2014

6 Mistakes Employees Are Making with Passwords

There’s nothing like a data breach to get a company’s name in the news these days, though likely not the press a brand would prefer. The upward trend in consumer database breaches requires everyone to revisit bad password practices, and get better ones in place, especially in the workplace where businesses stand to lose not only money but also critical assets and consumer trust. Corporate systems are only as secure as their weakest passwords.

Here are 6 mistakes we see employees making with company passwords. If you and your team are avoiding these mistakes, you’re already leagues ahead in protecting your company’s sensitive information.

1. Not systematically recording passwords.

While the proliferation of tools and services has been an immense boon for productivity in the workplace, it’s a nightmare when it comes to tracking logins. Without a system to track accounts and who has access to what, employees will inevitably interrupt others’ workdays trying to track down that information, or call the IT service desk to have passwords reset. Once they start to track passwords, employees are often surprised to discover just how many accounts they actually have. Without a system, neither employees nor the company knows who has access to what or what they should have access to, let alone how many accounts are in use.

2. Storing passwords where they’re easily accessed.

Once employees do start using a system, be it a paper document, a digital document, or a password manager, they have to be able to control who has access to it. Sticky notes posted on monitors or under keyboards, WiFi passwords scribbled across whiteboards that are then televised for the world to see, notebooks left out on desks - all are a potential invitation for someone to tamper with that information. Even browser password managers don’t prompt you to log in by default, leaving any stored passwords exposed and usable. All passwords and accounts should be recorded in one safe place that can be controlled and locked down.

3. Sharing passwords too liberally.

In the spirit of cooperation and collaboration, employees may not think twice about sharing a login, whether it be an account managed by the team or just “temporarily” so that a team member can look into something. But once shared, that password is in the wild. Should a disgruntled employee go rogue, or leave the company while still having access to those accounts, there’s potential for damage to be done either to the brand or to customer data.

4. Not separating work passwords from personal ones.

Password reuse continues to be a problem, as employees struggle to keep track of dozens of passwords and create a system that makes them easier to remember. But by using the same password on a personal account as they do on a work account, an “insignificant breach” like that of an online retail account could lead to a very significant breach of a work account. By using a unique password for all sites, whether work or personal, employees would be able to eliminate this risk.

5. Logging in to corporate accounts on unsecured networks or devices.

Did you know that some 70% of employees access corporate data from a personal smartphone or tablet? Work and personal life are more integrated than ever, and as the number of devices used in the workplace and at home proliferates, employees want access to their services where they want it and when they need it. There’s less distinction now between “company-only” and “personal-only”. Given that reality, employees may be exposing corporate accounts to risk through poor password hygiene across their accounts and devices.

6. Meeting the bare minimum password requirements.

It’s well known that password length and password complexity (the combination of several different character types into random sequences) are the most important factors in creating “uncrackable” passwords. Because most password requirements are onerous and employees are primarily concerned with just remembering their passwords, they default to the absolute bare minimum of the requirements to make it easiest on themselves. We don’t fault the employees: without tools that help them create better, stronger passwords and then remember those passwords for them, they’ll be stuck in the same old pattern.

What’s a company to do?

Half the battle in correcting these behaviors is providing tools and systems that not only encourage the behavior you want to see, but also make it easy on employees. Only by deploying company-wide password management that empowers the employee to take action will they be able to stop making the mistakes above.

Interested in learning more about a solution for your team? Check out LastPass Enterprise: https://LastPass.com/Enterprise

Jul 11, 2014

A Note from LastPass

LastPass is in part able to achieve the highest level of security for our users by looking to our community to challenge our technology.

In August 2013, a security researcher at UC Berkeley, Zhiwei Li, contacted us to responsibly disclose novel vulnerabilities with the LastPass bookmarklets (actively used by less than 1% of the user base) and One Time Passwords (OTPs). Zhiwei discovered one issue that could be exploited if a LastPass user utilized the bookmarklet on an attacking site, and another issue if the LastPass user went to an attacking site while logged into LastPass, and used their username to potentially create a bogus OTP.

Zhiwei only tested these exploits on dummy accounts at LastPass and we don't have any evidence they were exploited by anyone beyond himself and his research team. The reported issues were addressed immediately, as confirmed by their team, and we let them publish their research before discussing it.

If you are concerned that you’ve used bookmarklets before September 2013 on non-trustworthy sites, you may consider changing your master password and generating new passwords, though we don’t think it is necessary.

Regarding the OTP attack, it is a “targeted attack”, requiring an attacker to know the user’s username to potentially exploit it and to serve that custom attack per user, activity which we have not seen. Even if this were exploited, the attacker would still not have the key to decrypt user data. If you’d like to check your current OTPs you can do so here: https://lastpass.com/otp.php

We appreciate that, as the most popular password manager in the world, we have an active, dedicated community that challenges us to be better and is committed to helping us improve the security of our service. Again, we thank Zhiwei and his team for their important research.

Joe & The LastPass Team

Jul 1, 2014

Do You Follow These Security Tips When Traveling?

As we gear up for summer, it’s a good time to review best practices when it comes to your digital security while traveling. We’re all protective of our passports and our credit card information as we travel, but we need to be equally vigilant with our online activity and personal technology so we can reduce our risk of identity and financial theft while on the road.

Here are 12 tips to lock down your devices before you leave, and to minimize your risk while traveling.

Before You Travel

1. Leave it at home, if you can. While it’s tempting to travel with all of your gadgets, consider leaving a device at home if it’s not integral to the trip. It’s one less item to keep track of, and one less belonging to risk being stolen.

2. Enable PIN codes. On all smartphones, tablets, laptops, or e-Readers, enable the PIN code prompt. It’s an easy step to keep your device from prying eyes.

3. Enable multifactor authentication. Adding an extra login step makes it that much harder for someone to hack into your accounts. Enable multifactor authentication for LastPass, and for any other services you use that support it. Just be sure you take the multifactor authentication app or device with you!

4. Document your devices. Create a detailed list of the make and model numbers of your devices, the serial numbers, and other important details. You can store this information in a secure note in LastPass, especially if you need to report any stolen or lost devices.

5. Look into lost device protection services. There are a range of apps and services for mobile devices that help you track and retrieve them should they be lost or stolen. Look into options for your devices before you leave, and set them up. Lifehacker’s round-up of phone recovery tools might be a good place to start.

6. Log out of your apps. Launch each app and log out of any active sessions, as well as uncheck the “remember me” option on your apps. The LastPass Premium mobile apps will help you quickly log back in to any apps as needed.

7. Back up everything. For any devices you do choose to travel with, be sure to back up files, photos, music, and any other information you would not want to lose should the device crash, break, or be stolen. You can also back up important travel documents, such as a copy of your passport, as attachments to LastPass secure notes.

While You Travel

8. Avoid public WiFi. For payment transactions, online banking, and any other online activity that may involve user names, passwords, and personal information, avoid using open WiFi that could leave your information exposed to anyone snooping the network. Save those activities for secured WiFi connections. If you can’t avoid open WiFi, at least be sure you’re connecting to your sites via HTTPS (and update your passwords when you return home).

9. Don’t select “remember me”. If you have to log in on public computers (like one in a hotel lobby), do not use the “remember me” setting. This could leave your session active long after you’re done browsing, giving someone else easy access to your accounts. And don't forget to log out of any accounts when you're done!

10. Clear browser history & cache. Before leaving a public computer, be sure to clear the browsing history and the browser cache to remove easily-accessible traces of your activity.

When You Return from Traveling

11. Update your passwords. Once you return home to a trusted device and a trusted network, be sure to update the passwords to any accounts you had to access on open WiFi or on public computers. LastPass makes this easier by generating and remembering new passwords for you.

12. Keep an eye on your accounts. Even if you were very careful while traveling, be sure to keep an eye on your credit card and online banking activity for any suspicious transactions, as well as your email and social accounts for any unusual activity.

Do you have any tips or recommendations for preparing your tech for travel?

Jun 6, 2014

Your LastPass Account Is Safe From the New OpenSSL Vulnerability

About 2 months after the discovery of Heartbleed, more OpenSSL vulnerabilities have now been announced. Though organizations should patch their servers, security experts have stated the latest flaws are not nearly as bad as Heartbleed.

The most critical of the new OpenSSL vulnerabilities is known as an “Injection Vulnerability”. If exploited, this flaw could result in a “man-in-the-middle attack”. Essentially, this means someone positioned on the network between your computer and a server could eavesdrop or alter encrypted data traffic. In theory, sensitive information such as email addresses, passwords, and credit card information could be at risk.

So does this impact LastPass?

In regards to LastPass, please note:

  • Your data stored in LastPass is not affected by this bug
  • Your master password is never shared with LastPass
  • Your vault is encrypted with AES 256-bit encryption before being sent to LastPass over SSL
  • Our servers’ SSL libraries have been updated with the latest fixes
  • You can also use LastPass' tool to identify affected sites: https://lastpass.com/opensslccs/
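The list above describes the design that limits what a break in the TLS layer can expose: the vault is encrypted on the device, and the master password itself never travels to the server. The Go program below is an illustrative example added here, not LastPass's own code; it assumes its own constructed parameters (PBKDF2-HMAC-SHA256 with the username as salt, a 100,000-iteration work factor, AES-256-GCM) and a constructed sample vault, since LastPass's actual key derivation and formats are not described on this page.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

const kdfIterations = 100000 // constructed work factor for this example, not LastPass's setting

// pbkdf2SHA256 implements PBKDF2-HMAC-SHA256 (RFC 8018) for a 32-byte output, which is
// exactly one SHA-256 block, so only block index 1 is computed. Standard library only.
func pbkdf2SHA256(password, salt []byte, iterations int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // INT(1): big-endian block index
	u := mac.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iterations; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

// ClientKeys is derived on the device; only AuthToken is ever transmitted.
type ClientKeys struct{ VaultKey, AuthToken []byte }

// deriveKeys turns the master password into an AES-256 vault key and, with one further
// one-way step, a login token from which neither the password nor the key can be recovered.
func deriveKeys(username, masterPassword string) ClientKeys {
	vaultKey := pbkdf2SHA256([]byte(masterPassword), []byte(username), kdfIterations)
	return ClientKeys{vaultKey, pbkdf2SHA256(vaultKey, []byte(masterPassword), 1)}
}

// sealVault encrypts the vault with AES-256-GCM before it leaves the device; the random nonce is prepended.
func sealVault(key, vault []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, vault, nil), nil
}

// WireMessage is everything that crosses the TLS connection, and so everything a
// man-in-the-middle who has broken TLS could observe: a one-way token and ciphertext.
type WireMessage struct{ Username, AuthToken, VaultBlob string }

// buildUpload does the client-side work and returns what the server receives plus the keys that stay on the device.
func buildUpload(username, masterPassword string, vault []byte) (WireMessage, ClientKeys, error) {
	keys := deriveKeys(username, masterPassword)
	blob, err := sealVault(keys.VaultKey, vault)
	if err != nil {
		return WireMessage{}, ClientKeys{}, err
	}
	return WireMessage{username, hex.EncodeToString(keys.AuthToken), hex.EncodeToString(blob)}, keys, nil
}

func main() {
	vault := []byte(`{"example.com":"constructed-site-password"}`) // constructed sample vault
	msg, _, err := buildUpload("alice@example.com", "correct horse battery staple", vault)
	fmt.Printf("what the server sees: %+v (err=%v)\n", msg, err)
}
```

Running it prints only the username, a hex token and hex ciphertext; the master password and the vault contents appear nowhere in that output, which is the property the bullets above rely on.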

What should I do?

Although the threat is small, if you have used open or untrusted WiFi, we recommend updating the passwords for any online accounts you may have accessed at that time. LastPass will help you update the password to a new, generated one.

We recommend that users continue to exercise caution on untrusted networks, most notably on public WiFi, and remove WiFi networks from their devices that they no longer need or trust. Unlike LastPass, most other websites do not encrypt data before transmission, so there may be a risk of exposure to the OpenSSL flaws on other websites over public WiFi.

We will continue to update our community on any developments in the situation.

The LastPass Team

Jun 4, 2014

What Apple’s Announcements Could Mean For LastPass

Apple’s WWDC 2014 in San Francisco kicked off on June 2nd with a momentous keynote address that announced the arrival of iOS 8 and OS X 10.10 Yosemite. We’re very excited to see Apple taking a new direction, including increased consideration of the user experience regarding security and authentication. This new, more flexible direction allows services like ours to provide a better experience for our users.

Perhaps most relevant to LastPass are the changes on mobile with iOS 8. In the keynote, Apple indicated that they now support:
  • TouchID fingerprint authentication
  • Keyboard integration
  • Extension functionality implemented through interactive notifications
  • A more open ecosystem where apps can “talk” to one another
We want our community to know that, though it remains to be seen how flexible these new functionalities are, and to what extent we can utilize them for the LastPass app specifically, we are optimistic that we’ll be able to provide an improved LastPass experience on iOS. Overall, these changes seem to signal a move by Apple towards a more flexible platform that empowers developers.

At LastPass, we're committed to innovation and implementing the latest technologies to deliver the best possible user experience. We look forward to further exploring the possibilities of iOS 8.

Jun 3, 2014

LastPass for Android Gets In-App Payments

Our highly-rated LastPass Android app just got better. A new update hits the app store today, with two exciting new features:

In-App Purchasing

You can now upgrade and renew your Premium subscription via the LastPass app itself, charged to your Google Play account.

Getting Started Wizard

New users of the Premium app will get more step-by-step help in learning how to use the app's features.

Note that with in-app purchasing of Premium, auto-renewal is not available; only a 1-year payment option is offered at this time. We do plan to offer the ability to purchase subscriptions in a later update.

These usability improvements follow several other major additions to our Android app in the last few months alone, including the addition of biometric support for Samsung Galaxy S5 and automated app filling to streamline logging in to other apps on your Android device. We continue to work to improve the mobile experience, with the latest technology available.

The LastPass Android app is part of our Premium service for $12 per year, and the latest update is already available on the Google Play app store.

May 15, 2014

Heartbleed Was Scary, But Did Anything Change?

Dubbed the “ultimate web nightmare”, Heartbleed was arguably the biggest security issue to hit the Internet in recent years. Heartbleed caused wide concern because affected websites had been vulnerable for some two years, an attack exploiting the bug to gain access to sensitive information has been shown to be undetectable, and the affected versions of OpenSSL were used by some two-thirds of the web.

For several days, news of Heartbleed and the risks it posed dominated the press. Consumers were advised to update passwords as soon as websites announced they had pushed updates to patch Heartbleed. So Heartbleed caused quite a stir (and a fashionable one at that, given that it’s the first security vulnerability to have its own logo).

But the question remains: Did anything actually change? Do we as consumers have a better grasp of the risks to our data online and how to start better protecting it?

Statistics from a recent Pew study show that, despite a large percentage of Internet users hearing about Heartbleed (ranging from 47% in one study by LifeLock to 64% in the study by Pew), less than half of those informed consumers took action to change passwords. Another study by Software Advice echoed similar findings, showing that some 67% of Internet users hadn’t changed passwords after Heartbleed. Perhaps the more alarming statistic was that over 75 percent of respondents said they’d received no advice about Heartbleed in the workplace, despite showing willingness to cooperate if they were asked to change passwords.

In summary - some took action after Heartbleed, but not nearly enough, given the breadth of Heartbleed. In addition, businesses are not taking the responsibility they should for educating their employees and empowering them to protect both corporate and personal data.

So What’s To Be Done?

For consumers and for businesses, Heartbleed is an opportunity to prioritize security. Every day that passes in which passwords for critical accounts are not updated to stronger ones, and in which bad password practices are permitted to flourish, is another day in which consumers and businesses leave themselves exposed to costly breaches.

Businesses need to create an action plan prioritizing the implementation of password management, and the mandatory change of critical passwords. Any efforts to change passwords will not be effective if a system is not in place to help employees manage strong passwords. Getting a system in place is a critical first step, then education should be an ongoing, regular effort. If you’re ready to get your company’s passwords organized, try LastPass Enterprise: LastPass.com/Enterprise

Consumers need to manage passwords with a password manager, and use actionable data like that in the LastPass Security Challenge to prioritize updating passwords. By using a tool that creates strong passwords and remembers them, following online security best practices is easy.

Have you changed your passwords because of Heartbleed? Have you had opportunities to educate others about password management and why it's important after Heartbleed?

May 7, 2014

Hackable to Uncrackable: World Password Day 2014

Here at LastPass, we believe strongly in spreading the word about better password management and helping our community protect themselves against online security threats. That's why we're supporting World Password Day 2014 and encouraging everyone to use this as an opportunity to update passwords and get started with a password management system like LastPass.

In January 2013, Deloitte analysts estimated that 90% of all passwords are simple enough to be hacked in seconds. Since then, Heartbleed headlines prompted Internet users to change their passwords, yet only 38% of users did. We want to help change that. Observed every May 7th, World Password Day asks people to do one simple thing, made even simpler by using a password manager like LastPass: change your password.

Since 2013, more than 170 organizations including LastPass, Intel, Microsoft, and the National Cyber Security Alliance have participated in World Password Day. Last year, over 32,000 people pledged to upgrade their passwords to stronger ones.

This year, World Password Day has launched a new website at passwordday.org, a video game that pits the player against real leaked passwords, and simple tips and tricks for strengthening your passwords. Take the pledge to upgrade your password, get started with a password manager if you aren't already using one, and go from hackable to uncrackable today.

Some Password Facts

  • The most common password is "123456." The second most common is "password."
  • 1 in 5 Internet users have had an email or social networking account compromised or taken over without permission.
  • Data breaches exposed some 552 million identities from popular websites in 2013, a 62% increase from 2012 - and the trend doesn't seem to be slowing.
  • The Heartbleed security flaw could have exposed sensitive data from up to 66% of active websites.

What Can You Do Today?

What are you doing to support World Password Day? Tell us in the comments below.

May 1, 2014

5 Actions Every Company Should Take in the Aftermath of Heartbleed

In the wake of Heartbleed, many organizations are asking us what they should do to protect their employees and their clients from any damage the bug may have caused, in addition to how best to protect both company data and employee privacy going forward.

Touted as the “ultimate web nightmare”, Heartbleed certainly has the potential to be one of the most devastating bugs to hit the Internet, because OpenSSL is employed by so many sites and the bug was technically out there for some 2 years.

Here are 5 concrete steps that your company should take now to mitigate the risks and be better prepared for the next big security issue.

1. Acknowledge that company passwords are a problem.

Passwords are one of those things that we all know we should do better but many secretly feel helpless to do anything to change. Insecure sharing of passwords is rampant in organizations, and due to the burden of password requirements and password changes, employees default to the easiest passwords they can remember and get on with their lives.

The first step is for leadership to recognize that there’s a password problem, and that it poses a serious security risk to your organization.

2. Get a plan in place.

It’s one thing to tell everyone that they have to update their passwords, and then force those changes on them. It’s another thing to give them tools and a framework that enables them to painlessly make those changes and follow best security practices going forward.

This is where an Enterprise password management system is critical. It is nearly impossible for employees to follow best password practices without one. Not only that, but employee productivity is bolstered by having a tool that fills passwords for them, keeps them from having to call the helpdesk to reset passwords, and enables them to manage everything from one secure portal. With a system like LastPass Enterprise, the team can implement both password vaulting and SAML Single Sign-On in one secure place. Committing to a password manager helps the company get a plan in place and map out how to implement password security improvements.

3. Enforce policies that support your security goals.

Once you have deployed a password management system like LastPass Enterprise, you can spend time reviewing the policies and security restrictions available to help your organization gently enforce security standards. For example, LastPass policies can be set to disallow access from outside the company office, or other trusted locations - and policies can be both inclusive and exclusive, so that everyone but a few can be given a separate set of restrictions. Policies allow you to enforce strong master passwords, restrict mobile access, disallow use of features like exporting, and more. The key is to create a customized security environment that meets your compliance needs.

4. Prioritize updating critical accounts.

LastPass makes it easy for admins and employees alike to understand where they are using weak or duplicated passwords for their online accounts, and helps with the process of creating strong new passwords. Admins who manage a shared account can prioritize those critical updates, while employees can take responsibility for their own logins that need updating. The LastPass Security Check helps both employees and admins keep an eye on progress and work towards concrete goals.

5. Enable multifactor authentication.

Multifactor authentication adds a layer of protection to LastPass accounts by requiring that a user complete an extra step before being given access to their account. Typically this means providing data from something you have access to, such as a device that generates a one-time code, a mobile app that generates a temporary code, or biometrics such as a fingerprint scan. LastPass Enterprise simplifies the deployment of multifactor authentication and integrates seamlessly with a range of options. Companies can choose the methods that work best for their devices and environment.

Bonus tip: Do a password sweep.

The password management system you put in place is only as good as your employees’ adoption of it. Consider doing a “password sweep”, and walk around the office to see if any passwords are posted in plain sight - perhaps posted on a cork board or written on a white board. Save all of these data points to the password manager and share them through that system.

What actions have you taken in the wake of Heartbleed? How has your company responded?