Aug 1, 2012

Increase the Security of Your LastPass Account with Two New Options

At LastPass, we're always thinking of ways to better protect users and offer security options that allow users more fine-grained control over the protection of their stored data. That's why we've added two new security options now available to LastPass users in the account settings dialog, which can be opened from the LastPass vault: the ability to restrict logins to selected countries and to disable access from TOR.

Restrict Login to Select Countries


This option is pretty straightforward - you can check one or more countries from which you wish to allow access to your LastPass account. Once selected, you can only log in to your account from an IP address that originates in one of the countries you permitted.

The setting is not checked by default, but we do recommend using it as another layer of protection. You can later adjust it if you'll be traveling and need to access LastPass abroad.

Disallow Logins from TOR


If you're not familiar with TOR, it was originally developed for protecting US government communications but is now used for a variety of purposes, by normal people, the military, activists, and others for secure, anonymous use of the web.

Because TOR has been associated with hackers who use it to stay anonymous, and since the majority of LastPass users have no reason to use TOR, you can now disallow logins from TOR. We recommend checking this option if you never use TOR. The setting is not selected by default, but if you haven't logged in to LastPass via TOR in the last 30 days, you'll find the option already checked in the settings dialog.
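To make the two options concrete, here is an added example (my own illustration, not LastPass code) of a login-policy check that enforces a country allow-list and a Tor exit-node block before credentials are examined, plus the 30-day rule the post uses to decide whether the TOR option should come pre-checked. The IP-to-country table and the exit-node set are constructed stand-ins for a GeoIP database and the published Tor exit list, and the names `AccountPolicy`, `evaluate_login` and `suggest_block_tor` are assumptions of this example.

```python
"""Login-policy check modelled on the two options described above.

Added illustration, not LastPass code. GEOIP_TABLE and TOR_EXITS are
constructed stand-ins for a GeoIP database and the Tor exit list; every
name in this file is my own.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Constructed GeoIP table: (network, ISO 3166 country code). RFC 5737
# documentation ranges are used so nothing here points at a real host.
GEOIP_TABLE = [
    (ip_network("203.0.113.0/24"), "US"),
    (ip_network("198.51.100.0/24"), "DE"),
    (ip_network("192.0.2.0/24"), "RO"),
]

# Constructed Tor exit-node set. A real deployment refreshes this regularly
# from the Tor project's exit list; a stale list is the main failure mode.
TOR_EXITS = {ip_address("192.0.2.77"), ip_address("203.0.113.200")}


@dataclass
class AccountPolicy:
    # Empty set means "no country restriction", matching the unchecked default.
    allowed_countries: set = field(default_factory=set)
    block_tor: bool = False


def country_of(ip: str):
    """Return the country code for ip, or None if the table cannot place it.
    The constructed table has no overlapping networks, so first match wins."""
    addr = ip_address(ip)
    for net, cc in GEOIP_TABLE:
        if addr in net:
            return cc
    return None


def is_tor_exit(ip: str) -> bool:
    return ip_address(ip) in TOR_EXITS


def evaluate_login(policy: AccountPolicy, ip: str):
    """Return (allowed, reason). Meant to run before credential verification,
    so a refused source is turned away without learning whether the
    credentials it offered were correct."""
    if policy.block_tor and is_tor_exit(ip):
        return False, "tor_blocked"
    if policy.allowed_countries:
        cc = country_of(ip)
        if cc is None:
            # Fail closed: an address the GeoIP table cannot place is treated
            # as not originating from a permitted country.
            return False, "country_unknown"
        if cc not in policy.allowed_countries:
            return False, "country_not_allowed:" + cc
    return True, "ok"


def suggest_block_tor(login_history, now: datetime, window_days: int = 30) -> bool:
    """Mirror the post's default: pre-check 'disallow TOR' when the account
    has had no Tor login within the last window_days.

    login_history is an iterable of (timestamp, source_ip) pairs."""
    cutoff = now - timedelta(days=window_days)
    return not any(ts >= cutoff and is_tor_exit(ip) for ts, ip in login_history)


if __name__ == "__main__":
    policy = AccountPolicy(allowed_countries={"US"}, block_tor=True)
    for src in ("203.0.113.5", "203.0.113.200", "198.51.100.9", "10.0.0.1"):
        print(src, evaluate_login(policy, src))
    now = datetime(2012, 8, 1, tzinfo=timezone.utc)
    history = [(now - timedelta(days=45), "192.0.2.77"),   # Tor, outside window
               (now - timedelta(days=2), "203.0.113.5")]   # not Tor
    print("pre-check block_tor:", suggest_block_tor(history, now))
```

Two design points worth noting: the unknown-country case fails closed, because an allow-list that silently admits unmapped addresses is no allow-list; and both checks are coarse source filters, so, as the comments below point out, traffic relayed through a VPN or proxy in a permitted country still passes and the setting is a layer on top of the master password and multifactor authentication, not a substitute for them.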

Enabling and Disabling the New Settings


All LastPass users will now see the new security options in the settings dialog, accessible from the LastPass vault when you're logged in.

If you're in a pinch and need to disable either setting, you will see an error message when logging in that points you to a URL where you can follow the steps to disable the setting(s) by using email. Remember, if you've enabled a security email address for your LastPass account, the disable emails will be sent there instead of your account email address.

Multifactor Authentication Is Still Highly Recommended for Added Security


Using multifactor authentication with your LastPass account? You're already well-protected against the threats these settings address, but it's still worth enabling them for the added protection.

If you're not using multifactor authentication, we highly recommend looking into the available options. There are both free and Premium multifactor authentication options that help you better protect your stored data by requiring that a second piece of data be submitted when logging in to your account.

We continue to look for ways to better protect LastPass users. As always, your security and privacy are our number one priorities.

The LastPass Team

58 comments:

  1. I don't know anything about the usefulness of TOR, but restricting the logins to a particular country (or countries) is a novel idea!

    1. I imagine by now you have at least heard of TOR network aka the onion. And I must say I am a new user to the dark web and you have to create so many anonymous accounts to initially get things implemented. I am very pleased that when I just googled lastpass for tor and found out it will work. Lastpass rocks

  2. LASS PASS IS NOT THE NEXT BEST THING TO WHITE BREAD BUT IS THE BEST. ONE ITEM I HAVE A SLIGHT PROBLEM ON IS WHERE THE ID IS ON ONE PAGE AND THE PASSWORD IS ON THE SECOND PAGE. CAN GET THE FIRST PAGE BUT NOT THE PASSWORD ON SECOND PAGE.../????

    1. 1) Turn-off caps-lock

      2) That's a valid complaint, but I blame the website; that's a stupid system, my bank uses it too.

    2. I just use "Save all entered Data" on each page.

    3. My bank uses it too, but I just created two Lastpass entries. Works fine.

    4. My way around this is to right click the blank username box and go to Lastpass/autofill and it has my bank website there, click it and it populates the username, then next page lastpass auto populates the password.

    5. HEY LANCE. LEAVE THE GUY ALONE. OLD FOLKS DON'T SEE WELL OR TYPE WORTH A DARN. ALL CAPS ARE AN EYE SAVER.

    6. Sure, and while he's at it, maybe it's ok he should drive with his hi-beams on all the time. As long as his solution doesn't bother him.

  3. The country-restricted login is good! I like that idea. Of course I imagine a proxy would overcome that, right? I mean, that's how I am watching the Olympic games via the BBC website - by proxying into England with a paid VPN.

    On the reporting rather than control front - is there a way to see a list of logins? Not just computers, but something like:

    Jul 12 8:36 AM, Android Phone, France
    Jul 15 5:00 PM, Computer, USA

    By the way - Lastpass is awesome.

    1. Yes proxying is an issue -- one we've been looking into resolving as well. Will look into improving history.

    2. Of course it's just another layer, not every cracker is sophisticated. I have very, very, rarely left the states in my life. It makes me feel slightly more secure to know that Russian hackers not trying very hard have no chance. I personally was hoping to be able to restrict logins to my ISP's network, or my region within the US. Which would help defeat proxies by the fact that many of them are within another region. Which would almost certainly mean that at that point it would have to be a targeted attack against me (or an untargeted, not login based attack against lastpass )

  4. I really hope these two features didn't take long to develop.. I very much doubt a single person's security will ever be protected from either of these useless features.

    Please focus your development efforts on practical features.

    Thank you

    1. Agreed. It's just paranoia and overkill for the vast majority of users.

      As well as making everyone's life that bit more complicated: going travelling? Make sure you make a note somewhere to change your LastPass settings before you go, or forget about using the Internet.

      Of course you'd better make sure the note has a unique 42-character password on it.

    2. Real positive Jon & David. LastPass beefs up security, and the two of you complain about it. You actually contradict each other. Jon says it is a useless feature, and David says it's overkill, which implies that it is extremely effective.

      I'll bet neither of you actually pay for LastPass, eh?

      Thank you LastPass engineers--the majority of us appreciate the new features.

    3. I guess these replies are made by US citizens without a passport. From where I live it takes me 20 min's to get into Belgium and 1 hour to get into Germany. Last summer holiday brought me in 12 countries, one of them being Romania, famous for the number of hackers that live there.
      Thanks LastPass for this much needed feature.
      Don't get distracted by people that think the world ends beyond the borders of the USA.

  5. Replies
    1. http://lmgtfy.com/?q=tor

  6. Nice new security features you added on, thank you!

  7. I have one doubt..plz help anybody....If we use these all including multifactor authentication....all is centered @ master email. Anybody who hacked into my email can reset the password,right?

    1. No. If you're using multifactor auth, one of the only few ways to recover your acct is using one-time passwords (which you can download by logging in at any time), using your password hint, or delete your acct and start over. Lastpass WON'T email your PW to your email address.

    2. Just having access to your email won't allow a reset -- but it will allow disabling of your multi-factor authentication -- so setup the Security Email which is more secure.

    3. Security Email? What's that?

  8. If you're concerned about privacy, you really *should* learn about TOR. Frankly if LastPass is going to offer TOR options, one of the options should be "ONLY accept logins from within a TOR network."

    1. TOR isn't completely secure. If you're really concerned about your privacy, you'd know the US gubment has been all over TOR for a few years now.

    2. We don't have anything against TOR per se -- but it is frequently used by hackers to avoid detection (and look like they're coming from another country) -- so when we added country support allowing you the option to block TOR makes sense

  9. Since I'm visiting the UK next week I wanted to add it to my accepted countries, but there are two identical "United Kingdom" listed.

    1. Also, for a scenario like this where it's temporary due to a vacation, it'd be nice to have a way to set certain countries to expire on a specific date. Not a deal breaker, but a little more user friendly.

    2. Having 2 "United Kingdom" entries is a very bad idea. People will lock themselves out of their accounts. I did!

    3. Thank you for the report, we're looking at fixing this bug - until then, both UK options should be selected.

  10. Simply using a proxy can defeat the country-restriction option... right?

    1. Ya, you're right. Make an extra security option sound stupid. More security options the better if you ask me. YES, it's easy to circumvent, but it might be that little annoying feature that will make a "hacker" skip over yours & onto someone else's.

  11. I've noticed an issue with Multi Factor Authentication using Google Authenticator. I give my Username / Password, if successful I then input my code. I only have to input my code if username / password is successful. Which means any hacker would now know that is correct. I think that all 3 should have to be entered at the same time (and if you don't have it set up don't enter it).

    1. It's possible that wouldn't work with all multifactor options; in theory, simply requiring that the multifactor method be sent before attempting to validate the password would also work. This way it is impossible to tell if the multifactor failed or the password.

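The point raised in comment 11 and its reply, as an added example that is not part of the original post or of LastPass's code: the sequential flow (password first, second factor only on success) answers differently depending on whether the password alone was right, whereas taking both factors in one request and evaluating both before replying gives every failure the same answer. The `User` record, the sample passphrase and the helper names are my own constructions; the TOTP routine follows RFC 6238 (HMAC-SHA1, 30-second step), and the secret used in the usage section is the RFC's published test secret.

```python
"""Sequential versus combined password + TOTP verification.

Added illustration, not LastPass code. User, hash_password, code_matches,
sequential_login and combined_login are my own names; the TOTP function
implements RFC 6238 so its output can be checked against the RFC vectors.
"""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass
from typing import Optional

PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over the current time step."""
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


@dataclass
class User:
    salt: bytes
    pw_hash: bytes
    totp_secret: Optional[bytes]  # None if the account has no second factor


def make_user(password: str, totp_secret: Optional[bytes]) -> User:
    salt = os.urandom(16)
    return User(salt, hash_password(password, salt), totp_secret)


def code_matches(user: User, code: str, unix_time: int) -> bool:
    """Accept the current step and one step either side for clock skew.
    Every candidate is compared so timing does not depend on which matched."""
    ok = False
    for skew in (-30, 0, 30):
        expected = totp(user.totp_secret, unix_time + skew).encode()
        ok |= hmac.compare_digest(expected, code.encode())
    return ok


def sequential_login(user: User, password: str, code: Optional[str], unix_time: int) -> str:
    """The flow the commenter objects to: the response differs depending on
    whether the password alone was right, so the password can be confirmed
    without holding the second factor."""
    if not hmac.compare_digest(hash_password(password, user.salt), user.pw_hash):
        return "bad_password"
    if user.totp_secret is None:
        return "ok"
    if code is None:
        return "need_code"          # this distinct answer is the leak
    return "ok" if code_matches(user, code, unix_time) else "bad_code"


def combined_login(user: User, password: str, code: Optional[str], unix_time: int) -> str:
    """Take both factors in one request, check both unconditionally, and
    collapse every failure into the same answer."""
    pw_ok = hmac.compare_digest(hash_password(password, user.salt), user.pw_hash)
    if user.totp_secret is None:
        factor_ok = True
    else:
        factor_ok = code_matches(user, code or "", unix_time)
    return "ok" if (pw_ok and factor_ok) else "login_failed"


if __name__ == "__main__":
    # RFC 6238 test secret; at t=59 the 6-digit code is 287082.
    secret = b"12345678901234567890"
    u = make_user("example-pass-phrase", secret)
    print("sequential, right password, no code:", sequential_login(u, "example-pass-phrase", None, 59))
    print("sequential, wrong password, no code:", sequential_login(u, "wrong", None, 59))
    print("combined,   right password, no code:", combined_login(u, "example-pass-phrase", None, 59))
    print("combined,   wrong password, no code:", combined_login(u, "wrong", None, 59))
    print("combined,   both correct:           ", combined_login(u, "example-pass-phrase", "287082", 59))
```

A production version would additionally remember the last accepted code per account so a code cannot be replayed within its window, and rate-limit the combined endpoint, since collapsing the answers removes the oracle but not the possibility of guessing both factors at once.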
  12. Brilliant new features!

  13. So excited to see you guys continue adding options like this! Sure you can get around it(duh), but the more the better in my opinion! Thank you LastPass.

  14. Thanks for the continuous improvements LastPass!

  15. Kudos LastPass team!
    Keep this greatness and you will remain the ONLY secure solution out there forever!

    Your solutions are always well thought. You know that a restriction like this could lock-out someone traveling to an unselected country and in need to access LastPass. The override solution rocks without lessening security!

  16. I found these new options the other day, great! One obviously dumb question but I'm going to ask it anyway: if I enable "EU", I don't have to enable the separate countries as well, do I?

    1. Yes, LastPass will then recognize access from any countries that are part of the EU.

    2. That is not the behaviour I would have expected!
      .EU is a separate top level domain (TLD) separate from the TLDs of individual countries within the EU. I do not know whether it has its own block of IP addresses, but (if so) I would expect checking (ticking) "European Union" to permit access from IP addresses on the .EU domain, but NOT permit access from IP addresses allocated to individual EU countries, e.g. UK, FR, DE, NL, BE, etc..

      I would appreciate your comments on that point.

      P.S. I don't understand the purpose or effect of the 'Reply as:' drop-down options immediately below this text entry field. I know what, say, a 'Google Account' or 'OpenID' is, but I don't understand what is the reason or effect of choosing one here. For that reason, I'm choosing 'Anonymous'.

  17. I'd like a restrict-to-reverse-host-name block, so if you're logging in from a host not previously used on your account it could act differently.

    Maybe not block it, but force 2-factor authentication even from trusted devices.

    I know cell providers make use of NAT and WiFi is everywhere, but it would be a nice option for those that want it.

  18. Hi All! Very nice new options, however I can not find Ireland on the list to choose from or it's me.

    In addition, as somebody pointed out already, the UK is listed twice.

  19. Are we screwed if we activate this feature then travel to another country and forget to activate that country?

    1. No, you will see an error dialog with a prompt to disable the feature, and you must then follow the verification steps sent to your account email address (or security email address) to unlock your account.

  20. This is a great feature. What would make it even better is if you could create events so that LastPass would automatically set the country on certain dates. This would then enable users to specify when and where they are going on holiday, and then they wouldn't have to worry about this feature.

    A feature like this is found on my banks website, and it would be very useful on your site too!

  21. Gmail offers address variations as an extra security layer. Any thoughts if this is useful? see:

    http://dannseca.blogspot.com/2012/09/add-simple-extra-security-layer-to-most_22.html

  22. Keep up the good work, LastPass team!

  23. It would be helpful to enable Verisign/Symantec VIP as a Two Factor authentication method(paypal & ebay allow this), YubiKey is not an option for me because my company does not enable usb ports

  24. Just got re-interested with all things security after the recent NSA news but also after reading articles on the ease of hacking most passwords and even phrases. I went back into LP (I've been a premium member for a couple years) and am amazed at how much I have not taken advantage of within this application. I am systematically going through my many accounts and correcting the deficiencies now, thanks to the Security Check info.

    LastPass is an absolute screaming bargain in security, IMHO. I am floored by how much protection is available at $1 a month...if we take the time to learn it and implement it.

    10,000 thanks for all the work!

  26. +1 for Symantec VIP Security Card support. Paypal will ship them out to users for free to replace dead Paypal football shaped secure keyfob so I gather there is a large existing user base.
