Jan 6, 2010

The LastPass Security Challenge and 1.64.4 released

Make one of your New Year's resolutions greater security; take the LastPass security challenge:


As you may already know, there has been another high-profile release of millions of plain text passwords: in this case RockYou had 32 million users' passwords in plain text, downloaded with a simple SQL Injection attack.

It's clear millions of plain text passwords are going to keep being taken. If RockYou hadn't been publicly exposed they may not have even known! SQL Injection attacks often don't leave a lot of traces of what occurred.

With every password you use, an employee at the site or a hacker could obtain it if the site doesn't use a non-reversible hash to store your password. If they don't properly salt the hash, you could still be quite vulnerable despite the site operators believing they implemented things the right way (see: http://en.wikipedia.org/wiki/Rainbow_table ). If you use the same passwords on multiple domains, you're opening yourself up to your password being taken at one site and used at another.
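The difference between an unsalted hash and a properly salted one, as an added example that is not LastPass or RockYou code: two constructed accounts share a password, and only the unsalted table exposes that fact to anyone holding it. The account names, the iteration count and the choice of PBKDF2 are assumptions made for this sketch.

```python
from __future__ import annotations
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this example

# Constructed sample accounts: two users picked the same password.
ACCOUNTS = {"alice": "sunshine1", "bob": "sunshine1", "carol": "T7#qz!vLp2wK"}


def unsalted_digest(password: str) -> str:
    """Fast, unsalted hash: equal passwords always give equal stored values."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_record(password: str) -> tuple[bytes, bytes]:
    """Random per-user salt plus a slow KDF; the site stores both values."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Login check: recompute with the stored salt, compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def identical_rows(stored: dict[str, str]) -> list[list[str]]:
    """Groups of users whose stored value is byte-for-byte the same."""
    groups: dict[str, list[str]] = {}
    for user, value in stored.items():
        groups.setdefault(value, []).append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]


unsalted_table = {u: unsalted_digest(p) for u, p in ACCOUNTS.items()}
salted_table = {u: salted_record(p) for u, p in ACCOUNTS.items()}
salted_digests = {u: digest.hex() for u, (_salt, digest) in salted_table.items()}

if __name__ == "__main__":
    print("unsalted, identical rows:", identical_rows(unsalted_table))
    print("salted, identical rows:  ", identical_rows(salted_digests))
```

With no salt, one precomputed table covers every account at once; with a per-user salt each record has to be worked on separately.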

The security challenge will download and decrypt your data (locally as always), then compare it to a number of known poor passwords, and show you which domains you use the same password on. It'll help you protect yourself from these attacks in the future. LastPass will give you a score so you know how well you're doing and keep track of your score history so you can track your improvement.
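A local audit of the kind described above, as an added sketch that is not LastPass's implementation: the vault entries, the short poor-password list and the scoring formula are all constructed for illustration, and each hostname is treated as its own domain.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Short illustrative list; a real audit would use a much larger one.
KNOWN_POOR = {"123456", "password", "qwerty", "abc123", "letmein"}

# Constructed sample of an already-decrypted vault: (site URL, username, password).
VAULT = [
    ("https://mail.example.com/login", "pat", "123456"),
    ("https://shop.example.net/account", "pat", "Corr3ct-Horse-Battery"),
    ("https://forum.example.org/", "pat99", "Corr3ct-Horse-Battery"),
    ("https://bank.example.com/", "pat", "v9$Kq2!mZr8wLx"),
]


def domain_of(url: str) -> str:
    """Hostname of a saved site URL, lower-cased."""
    return (urlsplit(url).hostname or url).lower()


def audit(vault, poor=KNOWN_POOR):
    """Return (poor_sites, reused_groups, score) for a list of vault entries."""
    by_password = defaultdict(set)
    poor_sites = []
    for url, _user, password in vault:
        domain = domain_of(url)
        by_password[password].add(domain)
        if password.lower() in poor:
            poor_sites.append(domain)
    # Report reuse as groups of domains, never echoing the password itself.
    reused = sorted(sorted(d) for d in by_password.values() if len(d) > 1)
    flagged = set(poor_sites) | {d for group in reused for d in group}
    domains = {domain_of(url) for url, _user, _pw in vault}
    # Hypothetical score: percentage of domains with no finding.
    score = round(100 * (len(domains) - len(flagged)) / len(domains)) if domains else 100
    return sorted(poor_sites), reused, score


if __name__ == "__main__":
    poor_sites, reused, score = audit(VAULT)
    print("known poor password on:", poor_sites)
    print("same password shared by:", reused)
    print("score:", score)
```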

We'd recommend using Firefox or IE to update your sites, as the 'Fill Current Password' + 'Generate' notification bar hasn't been added to Chrome or Safari yet.

1.64.4 adds the security challenge to the menus (under Tools), and includes some long-requested features: IE can run in 'tool button' mode, IE and Firefox share login state, better updating process in IE, better menus in Chrome and more.

If your IE asks you to download more than once, please reinstall via: https://lastpass.com/lastpass.exe

25 comments:

  1. And how do I update on Chrome?

  2. You shouldn't need to do anything to get Chrome to update. For most updates, you likely won't even know they happen.

  3. There's somewhat of a problem with the challenge.
    Once you fill up all 10 history graphs, they no longer update..they keep showing only 1st 10 results, not last 10.

  4. Thanks mxx, this should be fixed now.

  5. I know, the extension should update by itself, but it doesn't. I still have 1.64.3

  6. Yes, I still have 1.64.3 as well

  7. I have posted this in the forums, but I'll do so here too:

    1.64.4 has broken Google Reader in Safari (Snow Leopard)... among other heavy JavaScript sites.

    If I uninstall lastpass, everything goes well again.

    Am I the only one !?

  8. The Chrome version on the LastPass website is still 1.64.3, but the plugin claims that 1.64.4 is available...

  9. very strange ....
    can the developers comment on the chrome 1.64.4 update not working ?

  10. We have not released 1.64.4 for Chrome yet (despite what our download page indicates). We'll be releasing it later today.

    Sorry for the confusion.
    LastPass

  11. The last Lastpass plugin for Safari gives problem to the visualization of Google Reader!

  12. After update to 1.64.4 I can't clear my history in LastPass Vault

  13. History Clearing bug is fixed. Thank you

  14. Where is the update

  15. Thanks for this security challenge tool. It's shown how bad my passwords are but I can easily fix it now, thanks a lot! Keep up the good work :)

  16. Anonymous: if you use Firefox or IE you can download it here: https://lastpass.com/misc_download.php

    If you use Chrome... simply use it))

  17. I use chrome but it has not updated

  18. Anonymous: I also use Chrome. All works fine. Look at change log: https://lastpass.com/upgrade.php?ver=1.64.4&type=cr&upgrade=null

  19. Wow... I thought I was fairly good with passwords!!! Damn! got a few hours work I think!

    Love this Feature!

  20. There is also an offer to check your master password, which I did, but now I'm a bit concerned. It didn't look like a proper check and just said my master password was 100% good without any explanation. Also I tried to enter some meaningless bits of data and it would just say the master password was incorrect. Like they did something with it, or tried to decrypt something.

    Is it 100% safe or maybe someone hijacked the check page to include this obviously unnecessary master password check and should I change it without delay?

  21. It runs your master password against our password strength API - it is a valid check. Since you got 100%, my guess is that your master password is complex. If you enter meaningless bits of data, then it turns red to inform you that you haven't entered your master password correctly...but we'll make this more obvious.

    So, yes it's safe assuming that the PC and network you are on are safe. Having said this, we encourage everyone to use one of LastPass' multifactor authentication products: Grid (free), Sesame (premium), YubiKey (premium).

    Thanks.

  22. One further thing to point out is that LastPass NEVER knows what your master password is. EVERYTHING is done locally.

  23. Thank you very much for getting the IE8 tool-bar button working. I love LastPass but as a minimalist, having that extra toolbar almost caused me not to give LastPass a chance. Since this upgrade, I'm now a premium member and loving it! Keep up the good work!!

  24. I have just installed LastPass. I seem to have the latest updates but cannot get the command button in compact mode. I have IE8 and would love to get rid of this extra tool bar. Any ideas? I seem to have tried everything but no luck.

  25. What problem are you having?
    LastPass Icon -> Preferences -> General -> Toolbar Mode : set to 'Use only command button'
    Then restart your IE browser.
    If you don't see it, then it's likely hidden off to the right - click on the chevron on the IE right bar (the '>>') and it will show up. To make it appear on the screen, right click and make sure 'Lock the Toolbar' is unchecked, then drag the toolbar band to make it bigger. Then you can recheck 'Lock the Toolbar'. We'll add this to our documentation. If you still have issues, then please use our helpcenter to contact us rather than asking for support in a 6 month old unrelated blog post.

    Thanks,
    LastPass
