Sep 17, 2012

Introducing LastPass Sentry: Always on the Lookout for the Latest Breach

In response to a number of high-profile breaches (including LinkedIn, Last.fm, and the Apple UDIDs), we've provided LastPass users with tools to check if their data is on the leaked lists, and have notified users directly as we've discovered their compromised data. We wanted to take this a step further, and partnered with a company dedicated to finding and aggregating all leaks as they're occurring, to provide a much more comprehensive service.

Today we're excited to announce our partnership with PwnedList to offer LastPass Sentry, a new feature that will help LastPass users be more proactive about their online security.

With LastPass Sentry, we'll use PwnedList's comprehensive (and growing) database of 24 million publicly leaked usernames and passwords to perform daily "checks" against LastPass account email addresses to look for positive matches.

How it works:
  1. Sentry performs daily checks, with the latest updates to the PwnedList database, to see if LastPass account email addresses are on the list.
  2. If a match is found, an email notification is sent to the LastPass user, notifying them of the domain that was breached and the potential risk. 
  3. Users can then run the LastPass Security Challenge to verify if the password for the breached site is used elsewhere.
  4. We then recommend updating the password for the affected account, and any other accounts using that password, using LastPass to generate a new, strong password.

The feature is available for all free and Premium users, as well as corporate Enterprise users, and is currently enabled by default (opt-out), with the unsubscribe option provided in the email notifications. In the case of Enterprise users, both the Enterprise administrator and the affected employee will receive notifications that a match has been found.

We're excited that the feature has already generated positive feedback. LastPass Enterprise customer Matthew Wittkin of MoreVisibility commented, "LastPass already helps us to better control and protect our digital assets. With this new feature, our administrators and employees know immediately if any company passwords have been compromised, allowing us to update them within seconds. We hope nothing like this will ever come to pass, but it gives me extra peace of mind knowing that, with LastPass, I'll be the first to know!"

We have plans to further integrate the service into the LastPass Security Challenge, so we can check not only the email address that you use for your LastPass account itself, but also perform a local check of the entirety of your stored data. We also plan to increase the frequency of our database checks to work towards real-time notifications.

What do you think of LastPass Sentry? Leave your thoughts in the comments below!

63 comments:

  1. Awesome thanks!
    A great idea to provide direct personalised action.

  2. Is this a new feature that can be enabled somewhere or is it just automatically on for all users? Not really clear in this blog posting. That said, I think it's a great addition to LP.

    Replies
    1. It's currently opt-out, so it's enabled for all users starting today, but you can unsubscribe after receiving a notification.

    2. Why do we have to opt out using something insecure like e-mail?

      Why are users not permitted to control this themselves in account settings?

      I do not like Lastpass making decisions for me.

    3. Indeed, use Tor Mail if you're that paranoid.

  3. So how do I use this if the email address I use with Lastpass is different from the email address(es) I use for any other web service?

    Replies
    1. Currently it only checks against the LastPass account email, but we plan to integrate it with the Security Challenge (https://lastpass.com/?securitychallenge) directly so that we can locally check against the data in your vault.

    2. Excellent, Amber. This will be great; many of us use several email addresses to log in.

    3. You can sign up for the pwnedlist yourself for free with any email address you want monitored (to complement the automatic Lastpass email address).

    4. Will pwndlist allow me to wildcard any email address on my domain? I actually use unique email addresses for every website.

    5. Tash - If you're not using it as a business (they already have a business domain monitoring offering), then yes you can sign up for an individual account and send a note to contactatpwnedlistdotcom requesting a wildcard.

  4. It would be interesting if there were a way to list email addresses / usernames for lastpass to check for using sentry, so that more than just the account email address could be used for constant notification.

    It would also be interesting if LastPass could help facilitate in a secure manner checks for the leaked Apple UUIDs and other similar leaks.

    Replies
    1. We do have a check for the leaked Apple UDIDs: https://lastpass.com/udid and hope to implement the Sentry feature locally with the security challenge so we can check more than the LastPass account email address in the future.

  5. I love this idea but I use a unique email address for my lastpass account. Would be nice if we could add a wildcard domain (That we can verify ownership on) to the list of email addresses scanned for. I use google apps and create a new email address for every site I visit.

    Replies
    1. Wow, do you just set them all to forward to one central account?

    2. That's what I do (unique email addresses, dumped to one inbox). For the ones that are more than receive-only I will set up "send-as" for them. If the email address ends up on a spam list I just blackhole it.

      Works great.

    3. Same here. Wildcard domain.

      Why couldn't LastPass also check if the site compromised is one of the sites in your LastPass vault and notify you accordingly?

    4. Because LastPass can't decrypt your vault, which is a VERY good thing. They can only perform this check with your LastPass email address that you use to log in, since they have that on file.

  6. Indeed the typical lastpass user probably uses a number of email addresses or better still a catch-all domain. It should check each site's credentials for the email address to check against - for the majority of sites it's the email address stored as username.

  7. Great addition to an already excellent method of reducing exposure to Internet risk.

  8. So this just compares your login email address with the database?

  9. How are you doing this? LastPass is advertised as encrypting user data before it leaves the user's machine. The idea being that LastPass cannot get at the information any more than a remote user could without the key in the form of the master password. If you are able to verify the existence of usernames and passwords in my vault and send me an e-mail to that effect, then clearly you have access to the very information you've said was unavailable to you. Which is it? Part of the allure of the LastPass system is that I don't have to "trust" LastPass' staff to keep my information secure, but rather that the obfuscatory power behind the encryption will ensure that security. If you can find out usernames and passwords remotely, this puts all that into question. Please explain how you can do this without compromising security.

    Replies
    1. I have been wondering the same thing...

    2. Ditto on that... and also, wouldn't it be better to use a LastPass random login name of 12 meaningless characters? Doesn't that DOUBLE my security? If you try that on most sites, you'll get an error message, invalid email format, or it needs that Login/Email Address to confirm your subscription. We are always adding convenience in lieu of security!

    3. Quoting Amber from LP:
      "so that we can locally check against the data in your vault."

      As I understand it the keyword here is "LOCALLY". All the work is done on your side, not LP servers.

    4. If you read the full article it states that initially you'll only be notified if the same email you registered with and use to login is part of any leaked list. No logins within your vault are accessed.

      They're working on integrating this discovery method with the LastPass Security Check, all of which is initiated by you locally and without sending any data to LastPass. This would include all your logins and other email addresses you use.

  10. Heck yes. Nice addition LastPass. Thank you guys.

  11. Another pointless feature. I'm starting to worry about the focus of the LP development team.

    Replies
    1. I tend to agree. Every single one of these additions, and the increasingly "social" flavour pervading everything, has its own security implications to worry about.
      When LP gets around to doing a "local" check for compromised user names and e-mail addresses in our vaults, will this mean that some service somewhere is being sent all our login IDs and all our e-mail addresses, opening the risk of that service harvesting all this stuff?
      I am really getting concerned. Lastpass is now so complex with so many security implications to think about that I am getting worried it is all too much. And too much centralisation.

    2. We'd never send your email to a 3rd party, we're downloading all the leaks and comparing them against our database internally. This really is only about helping protect you in the safest way possible.

    3. Even if LastPass did a check on their end on request from the client, it would be completely trivial to do it with zero risk to the security of the accounts in your vault. Their client would just send a hashed version of a given address and compare that against a hashed list of compromised accounts. Only in the case of a match (in which case, by definition, your account is *already* compromised, or it wouldn't have been on the list) would LastPass be able to determine which address was in your vault.

      They could also do an initial check purely on the client side against, say, a Bloom filter several megabytes wide, and only send the hash value if that initial check indicated a potential match.

      Done right, this is no privacy risk.

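The daily check described in "How it works" above, implemented the way the previous comment suggests (hash each address locally, prefilter with a Bloom filter, and do the exact lookup only on a possible hit). This is an added example, not LastPass's or PwnedList's code; the leak feed, the hash choice and the filter sizes are constructed for illustration.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed sample leak feed of (breached_domain, leaked_email). Not real data.
LEAK_FEED: List[Tuple[str, str]] = [
    ("linkedin.com", "alice@example.com"),
    ("last.fm", "bob@example.com"),
    ("linkedin.com", "carol@example.org"),
]

def normalize(email: str) -> str:
    return email.strip().lower()

def email_hash(email: str) -> str:
    # One-way digest computed on the client; only this would ever need to leave the machine.
    return hashlib.sha256(normalize(email).encode()).hexdigest()

class BloomFilter:
    """Small Bloom filter: a 'no' is definite and cheap, a 'maybe' triggers the exact lookup."""
    def __init__(self, size_bits: int = 8192, k: int = 3):
        self.size, self.k = size_bits, k
        self.bits = bytearray(size_bits // 8)
    def _positions(self, digest_hex: str) -> List[int]:
        d = int(digest_hex, 16)               # derive k bit positions from slices of the digest
        return [(d >> (32 * i)) % self.size for i in range(self.k)]
    def add(self, digest_hex: str) -> None:
        for p in self._positions(digest_hex):
            self.bits[p // 8] |= 1 << (p % 8)
    def might_contain(self, digest_hex: str) -> bool:
        return all(self.bits[p // 8] & (1 << (p % 8)) for p in self._positions(digest_hex))

def build_index(feed: List[Tuple[str, str]]):
    """Server side: map hash(email) -> breached domains, plus a Bloom filter over the hashes."""
    index: Dict[str, List[str]] = {}
    bloom = BloomFilter()
    for domain, email in feed:
        h = email_hash(email)
        index.setdefault(h, []).append(domain)
        bloom.add(h)
    return index, bloom

def sentry_check(account_emails: List[str], index: Dict[str, List[str]], bloom: BloomFilter) -> Dict[str, List[str]]:
    """Daily check: return {account_email: [breached domains]} for every positive match."""
    notifications: Dict[str, List[str]] = {}
    for email in account_emails:
        h = email_hash(email)
        if not bloom.might_contain(h):
            continue                          # definite miss, no exact lookup needed
        domains = index.get(h)                # a Bloom false positive ends here with None
        if domains:
            notifications[email] = sorted(set(domains))
    return notifications
```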
  12. Very welcome addition, thanks!

  13. LastPass with extra awesomeness! Me likey!

  14. Does it only check for the lastpass account email? Or does it somehow extract usernames/email addys for all my accounts stored in lastpass? (I'm guessing the former, with work going on to integrate into the security challenge so it *can* do the latter, but just checking to make sure :)

    Replies
    1. You're correct that it's the former, and we're working so that it can locally check the latter.

  15. That is an excellent service! Thank you for that extra security, that is so much needed nowadays!

  16. Wow, excellent! I am one of the premium users and will be helped by this feature.

  17. This is an enhancement of services offered by LastPass. In the recent past, it was possible for me to find that one of my accounts was among those millions of passwords cracked.

  18. Thanks guys, you rock.

  19. That's awesome, you guys are top notch. Introducing extra things like this is what I love about LastPass.

  20. It's great you're making this available for everyone, but I couldn't be happier to support LP with a premium sub. Keep up the amazing work!

  21. This is an awesome feature. So glad to see you guys constantly working on improving the service and enhancing our online safety... that's why I pay for your service ;-)

  22. Great feature, and will be even better once other email addresses can be checked locally!

    Am I correct in assuming that the actual emails are not being submitted to PwnedList, but rather their SHA-512 hashes? Keep up the good work!, and I am a new Premium user :)

    Replies
    1. Could Lastpass please confirm this important point as to whether e-mail addresses are being sent for verification?

    2. Email addresses are not being sent for verification, and no other information is shared with them; all checks are performed on our end as we receive the updates to PwnedList's database. Happy to clarify further if needed!

    3. That's great, thank you Amber! How will the additional emails be sent to LastPass? Hopefully using a locally computed, one-way hash.

  23. Thanks guys, great feature... Unfortunately, until it can interrogate my database, it's not any use to me... Most of my stored accounts use a different email address to my Lastpass one.

    Great Idea Though

  24. So cool. I love lastpass. Seriously really good job with the service

  25. pwnedlist: Principles Without Principals?

    I find it surprising that pwnedlist.com doesn't give the names and backgrounds of their key personnel. I understand that they need to be somewhat secretive to get information from hackers.

    I'm practically blind, so perhaps I missed it...

  26. pwnedlist database synced to my PC?

    Can LastPass let me check the information in my vault against the pwnedlist database locally if I don't have a local copy of said database?

    How is this supposed to work?

    Replies
    1. Currently we only check account email addresses for matches in the database information that we receive from PwnedList. If we were to check the vault, we'd have to sync the data to your machine where the check can be performed locally.

  27. Lastpass is my favorite Internet service, and the price rocks!

  28. Excellent Job as always Lastpass! As a premium subscriber for over a year AND a subscriber to the pw3dlist it is a fantastic addition! Keep up the good work!

  29. This comment has been removed by the author.

  30. This is the first time in internet history where making something opt-out was the CORRECT decision! <3 LastPass!

  31. Will that slow down the browser, at least initially?

    Replies
    1. No, it may delay the results of the security check by a few seconds, but there will be no effect on the browser speed.
