Today we're excited to announce our partnership with PwnedList to offer LastPass Sentry, a new feature that will help LastPass users be more proactive about their online security.
With LastPass Sentry, we'll use PwnedList's comprehensive (and growing) database of 24 million publicly leaked usernames and passwords to perform daily checks of LastPass account email addresses against that data and look for matches.
How it works:
- Sentry performs daily checks, with the latest updates to the PwnedList database, to see if LastPass account email addresses are on the list.
- If a match is found, an email notification is sent to the LastPass user, notifying them of the domain that was breached and the potential risk.
- Users can then run the LastPass Security Challenge to check whether the password for the breached site is reused elsewhere.
- We then recommend updating the password for the affected account, and any other accounts using that password, using LastPass to generate a new, strong password.
We're excited that the feature has already generated positive feedback. LastPass Enterprise customer Matthew Wittkin of MoreVisibility commented, "LastPass already helps us to better control and protect our digital assets. With this new feature, our administrators and employees know immediately if any company passwords have been compromised, allowing us to update them within seconds. We hope nothing like this will ever come to pass, but it gives me extra peace of mind knowing that, with LastPass, I'll be the first to know!"
We have plans to integrate the service further into the LastPass Security Challenge, so that we can check not only the email address you use for your LastPass account itself, but also perform a local check of all the data stored in your vault. We also plan to increase the frequency of our database checks to work towards real-time notifications.
What do you think of LastPass Sentry? Leave your thoughts in the comments below!
Awesome thanks!
A great idea to provide direct personalised action.
Is this a new feature that can be enabled somewhere or is it just automatically on for all users? Not really clear in this blog posting. That said, I think it's a great addition to LP.
+1
It's currently opt-out, so it's enabled for all users starting today, but you can unsubscribe after receiving a notification.
Yes, very unclear.
Why do we have to opt out using something insecure like e-mail?
Why are users not permitted to control this themselves in account settings?
I do not like Lastpass making decisions for me.
^^ idiot.
Indeed, use Tor Mail if you're that paranoid.
So how do I use this if the email address I use with LastPass is different from the email address(es) I use for any other web service?
+1
Currently it only checks against the LastPass account email, but we plan to integrate it with the Security Challenge (https://lastpass.com/?securitychallenge) directly so that we can locally check against the data in your vault.
Excellent, Amber. This will be great; many of us use several email addresses to log in.
You can sign up for the PwnedList yourself for free with any email address you want monitored (to complement the automatic LastPass email address).
Will PwnedList allow me to wildcard any email address on my domain? I actually use unique email addresses for every website.
Tash - If you're not using it as a business (they already have a business domain monitoring offering), then yes, you can sign up for an individual account and send a note to contactatpwnedlistdotcom requesting a wildcard.
It would be interesting if there were a way to list email addresses / usernames for LastPass to check for using Sentry, so that more than just the account email address could be used for constant notification.
It would also be interesting if LastPass could help facilitate, in a secure manner, checks for the leaked Apple UUIDs and other similar leaks.
We do have a check for the leaked Apple UDIDs: https://lastpass.com/udid and hope to implement the Sentry feature locally with the security challenge so we can check more than the LastPass account email address in the future.
I love this idea, but I use a unique email address for my LastPass account. It would be nice if we could add a wildcard domain (that we can verify ownership of) to the list of email addresses scanned for. I use Google Apps and create a new email address for every site I visit.
Wow, do you just set them all to forward to one central account?
That's what I do (unique email addresses, dumped to one inbox). For the ones that are more than receive-only, I will set up "send-as" for them. If the email address ends up on a spam list I just blackhole it.
Works great.
Same here. Wildcard domain.
Why couldn't LastPass also check if the site compromised is one of the sites in your LastPass vault and notify you accordingly?
Because LastPass can't decrypt your vault, which is a VERY good thing. They can only perform this check with your LastPass email address that you use to log in, since they have that on file.
Indeed, the typical LastPass user probably uses a number of email addresses or, better still, a catch-all domain. It should check each site's credentials for the email address to check against; for the majority of sites it's the email address stored as username.
Great addition to an already excellent method of reducing exposure to Internet risk.
So this just compares your login email address with the database?
Yep, that's correct.
How are you doing this? LastPass is advertised as encrypting user data before it leaves the user's machine. The idea being that LastPass cannot get at the information any more than a remote user could without the key in the form of the master password. If you are able to verify the existence of usernames and passwords in my vault and send me an e-mail to that effect, then clearly you have access to the very information you've said was unavailable to you. Which is it? Part of the allure of the LastPass system is that I don't have to "trust" LastPass' staff to keep my information secure, but rather that the obfuscatory power behind the encryption will ensure that security. If you can find out usernames and passwords remotely, this puts all that into question. Please explain how you can do this without compromising security.
I have been wondering the same thing...
Ditto on that... and also, wouldn't it be better to use a LastPass random login name of 12 meaningless characters? Doesn't that DOUBLE my security? If you try that on most sites, you'll get an error message, invalid email format, or it needs that Login/Email Address to confirm your subscription. We are always adding convenience in lieu of security!
Quoting Amber from LP:
"so that we can locally check against the data in your vault."
As I understand it the keyword here is "LOCALLY". All the work is done on your side, not LP servers.
If you read the full article it states that initially you'll only be notified if the same email you registered with and use to login is part of any leaked list. No logins within your vault are accessed.
They're working on integrating this discovery method with the LastPass Security Check, all of which is initiated by you locally and without sending any data to LastPass. This would include all your logins and other email addresses you use.
Heck yes. Nice addition LastPass. Thank you guys.
Another pointless feature. I'm starting to worry about the focus of the LP development team.
I tend to agree. Every single one of these additions, and the increasingly "social" flavour pervading everything, has its own security implications to worry about.
When LP gets around to doing a "local" check for compromised user names and e-mail addresses in our vaults, will this mean that some service somewhere is being sent all our login IDs and all our e-mail addresses, opening the risk of that service harvesting all this stuff?
I am really getting concerned. Lastpass is now so complex with so many security implications to think about that I am getting worried it is all too much. And too much centralisation.
We'd never send your email to a 3rd party, we're downloading all the leaks and comparing them against our database internally. This really is only about helping protect you in the safest way possible.
Even if LastPass did a check on their end on request from the client, it would be completely trivial to do it with zero risk to the security of the accounts in your vault. Their client would just send a hashed version of a given address and compare that against a hashed list of compromised accounts. Only in the case of a match (in which case, by definition, your account is *already* compromised, or it wouldn't have been on the list) would LastPass be able to determine which address was in your vault.
They could also do an initial check purely on the client side against, say, a Bloom filter several megabytes wide, and only send the hash value if that initial check indicated a potential match.
Done right, this is no privacy risk.
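The check described under "How it works" above, combined with the hash-then-Bloom-filter approach the two commenters just sketched, as an added worked example. This is illustrative code written for this page, not LastPass's or PwnedList's implementation: the leak records, the breached domains, the filter parameters and every function name (`normalize_email`, `email_digest`, `build_server_index`, `client_check`) are constructed for the example.

```python
"""Added example (not LastPass or PwnedList code): a privacy-preserving leak
check. The server publishes a Bloom filter of SHA-256 digests of leaked
addresses; the client hashes each vault address locally, sends a digest only
on a filter hit, and the server answers with the breached domain on an exact
match. All leak data below is constructed for the example."""
import hashlib
import math


def normalize_email(addr: str) -> str:
    """Lower-case and trim so the same mailbox always yields the same digest."""
    return addr.strip().lower()


def email_digest(addr: str) -> bytes:
    """SHA-256 of the normalized address; this is the only thing that could cross the wire."""
    return hashlib.sha256(normalize_email(addr).encode("utf-8")).digest()


class BloomFilter:
    """Plain Bloom filter over 32-byte digests, sized for n_items at fp_rate."""

    def __init__(self, n_items: int, fp_rate: float) -> None:
        # Standard sizing: m = -n ln(p) / (ln 2)^2 bits, k = (m/n) ln 2 hash functions.
        self.m = max(8, math.ceil(-n_items * math.log(fp_rate) / (math.log(2) ** 2)))
        self.k = max(1, round(self.m / n_items * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, digest: bytes):
        # Double hashing: derive k bit positions from two 64-bit halves of the digest.
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, digest: bytes) -> None:
        for pos in self._positions(digest):
            self.bits[pos // 8] |= 1 << (pos % 8)

    def might_contain(self, digest: bytes) -> bool:
        """False means definitely absent; True means a possible hit (or a false positive)."""
        return all(self.bits[pos // 8] & (1 << (pos % 8)) for pos in self._positions(digest))


# Constructed sample of a leak feed: (leaked address, domain it leaked from).
LEAKED_RECORDS = [
    ("alice@example.com", "forum.example.net"),
    ("Bob@Example.org", "shop.example.test"),
    ("carol@example.com", "forum.example.net"),
]


def build_server_index(records):
    """Server side: exact lookup table keyed by digest, plus the filter to publish to clients."""
    exact = {email_digest(addr): domain for addr, domain in records}
    bloom = BloomFilter(n_items=len(exact), fp_rate=1e-6)
    for d in exact:
        bloom.add(d)
    return exact, bloom


def server_lookup(exact, digest: bytes):
    """Server side: answer a single digest query; None means no exact match."""
    return exact.get(digest)


def client_check(vault_emails, bloom, lookup):
    """Client side: hash locally and query the server only on a filter hit.

    Returns (matches: {address: breached_domain}, digests_sent: list of bytes)."""
    matches, sent = {}, []
    for addr in vault_emails:
        d = email_digest(addr)
        if not bloom.might_contain(d):
            continue  # definitely not in the leak set; nothing leaves the machine
        sent.append(d)
        domain = lookup(d)
        if domain is not None:
            matches[addr] = domain
    return matches, sent


if __name__ == "__main__":
    exact, bloom = build_server_index(LEAKED_RECORDS)
    vault = ["bob@example.org", "dave@example.com", " Alice@Example.com "]
    found, sent = client_check(vault, bloom, lambda d: server_lookup(exact, d))
    for addr, domain in found.items():
        print(f"{addr.strip()}: leaked from {domain}")
    print(len(sent), "digest(s) sent to the server out of", len(vault), "addresses")
```

Two caveats a practitioner should keep in mind. A Bloom filter has no false negatives, so every leaked address is found, but a false positive causes a digest to be sent for an address that was never leaked; the filter's size is the privacy budget. And an email address is low entropy, so a digest the server receives is trivially reversible by dictionary, which is why the LastPass reply later in this thread talks about syncing the data to the user's machine rather than sending anything up: the fully local check is the stronger design, and the filter-plus-digest scheme is the compromise when the database is too large to ship.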
Very welcome addition, thanks!
LastPass with extra awesomeness! Me likey!
Does it only check for the LastPass account email? Or does it somehow extract usernames/email addys for all my accounts stored in LastPass? (I'm guessing the former, with work going on to integrate into the Security Challenge so it *can* do the latter, but just checking to make sure :)
You're correct that it's the former, and we're working so that it can locally check the latter.
That is an excellent service! Thank you for that extra security, which is so much needed nowadays!
Wow, excellent! I am one of the premium users and will be helped by this feature.
This is an enhancement of the services offered by LastPass. In the recent past, it was possible for me to find that one of my accounts was among those millions of passwords cracked.
Thanks guys, you rock.
That's awesome, you guys are top notch. Introducing extra things like this is what I love about LastPass.
It's great you're making this available for everyone, but I couldn't be happier to support LP with a premium sub. Keep up the amazing work!
This is an awesome feature. So glad to see you guys constantly working on improving the service and enhancing our online safety... that's why I pay for your service ;-)
Great feature, and will be even better once other email addresses can be checked locally!
Am I correct in assuming that the actual emails are not being submitted to PwnedList, but rather their SHA-512 hashes? Keep up the good work! And I am a new Premium user :)
Could Lastpass please confirm this important point as to whether e-mail addresses are being sent for verification ?
Email addresses are not being sent for verification, and no other information is shared with them; all checks are performed on our end as we receive the updates to PwnedList's database. Happy to clarify further if needed!
That's great, thank you Amber! How will the additional emails be sent to LastPass? Hopefully using a locally computed, one-way hash.
Thank you!
Thanks guys, great feature.... Unfortunately, until it can interrogate my database, it's not any use to me.... Most of my stored accounts use a different email address to my LastPass one.
Great idea though.
So cool. I love lastpass. Seriously really good job with the service
pwnedlist: Principles Without Principals?
I find it surprising that pwnedlist.com doesn't give the names and backgrounds of their key personnel. I understand that they need to be somewhat secretive to get information from hackers.
I'm practically blind, so perhaps I missed it...
pwnedlist database synced to my PC?
Can LastPass let me check the information in my vault against the PwnedList database locally if I don't have a local copy of said database?
How is this supposed to work?
Currently we only check account email addresses for matches in the database information that we receive from PwnedList. If we were to check the vault, we'd have to sync the data to your machine where the check can be performed locally.
LastPass is my favorite Internet service, and the price rocks!
Excellent job as always, LastPass! As a premium subscriber for over a year AND a subscriber to the pw3dlist it is a fantastic addition! Keep up the good work!
This is the first time in internet history where making something opt-out was the CORRECT decision! <3 LastPass!
Will that slow down the browser, at least initially?
No, it may delay the results of the security check by a few seconds, but there will be no effect on browser speed.