Oct 15, 2012

LastPass Sentry Now Checks Your Entire Vault!

We recently introduced LastPass Sentry, a new feature to help LastPass users be more proactive about their online security by alerting them when their email address is included in the latest breaches of online sites and services (think LinkedIn).

We're excited to announce that LastPass Sentry is now also supported as part of the LastPass Security Challenge! The update means that a full check can be performed locally against your entire LastPass vault to look for accounts that may have been affected by a breach, in addition to the ongoing monitoring of your LastPass account email address.

How LastPass Sentry now works:
  1. Sentry still performs daily checks, with the latest updates to the PwnedList database, to see if LastPass account email addresses are on the list.
  2. If a match is found, an email notification is sent to the LastPass user, notifying them of the domain that was breached and the potential risk. 
  3. Users can also run the LastPass Security Challenge (from the LastPass Icon's Tools menu) and select the option to look for breaches of their stored accounts. 
  4. If any matches are found between the PwnedList database and the data in your vault, notifications are sent to the affected email addresses with information on the breach and a reminder to update your passwords.
  5. We then recommend updating the password for any affected accounts, and any other accounts using that password (which the Security Challenge will help you identify), using LastPass to generate a new, strong password.

As we mentioned previously, the feature is available for all free and Premium users, as well as corporate Enterprise users. In the case of Enterprise users, both the Enterprise administrator and the affected employee will receive notifications that a match has been found.
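As an added illustration (not LastPass's code, and not how the Security Challenge is implemented internally), here is a local check in the spirit of steps 3 to 5 above: it reads a constructed vault export assumed to have url/username/password columns, matches each username that is an email address against a constructed list of breached addresses, and then flags every other entry that reuses an affected entry's password, which is what step 5 asks you to find.

```python
import csv
import io
from collections import defaultdict

# Constructed sample vault export; the url,username,password layout is an assumption.
VAULT_CSV = """url,username,password
https://www.linkedin.com,alice@example.com,Winter2012!
https://forum.example.org,alice@example.com,Winter2012!
https://mail.example.net,alice.work@example.com,Tr0ub4dor&3
https://shop.example.com,shopper,Winter2012!
"""

# Constructed breach list: lowercase email address -> domain that was breached.
BREACHED = {"alice@example.com": "linkedin.com"}

def parse_vault(text):
    return list(csv.DictReader(io.StringIO(text)))

def normalize_email(username):
    # Only usernames that look like email addresses can be compared with the breach list.
    u = username.strip().lower()
    return u if "@" in u else None

def check_vault(entries, breached):
    """Return (affected, reused). affected maps vault url -> breached domain for
    entries whose username is a breached address; reused lists the other urls
    that share a password with an affected entry."""
    affected = {}
    for e in entries:
        email = normalize_email(e["username"])
        if email and email in breached:
            affected[e["url"]] = breached[email]
    # Group urls by password so reuse across the vault can be reported.
    by_password = defaultdict(list)
    for e in entries:
        by_password[e["password"]].append(e["url"])
    reused = set()
    for e in entries:
        if e["url"] in affected:
            reused.update(u for u in by_password[e["password"]] if u not in affected)
    return affected, sorted(reused)

if __name__ == "__main__":
    affected, reused = check_vault(parse_vault(VAULT_CSV), BREACHED)
    for url, domain in affected.items():
        print(f"{url}: username appears in the {domain} breach; change this password")
    for url in reused:
        print(f"{url}: reuses a password from an affected account; change it too")
```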

We plan to continue increasing the frequency of our database checks to work towards real-time notifications and further enhance the service to provide ongoing value to our users.

What do you think of the update to LastPass Sentry? Leave your thoughts in the comments below!

41 comments:

  1. The dialog message that comes up displays my several hundred email addresses and so the dialog box is chopped off at the bottom preventing choosing any yes / no buttons. 

    Replies
    1. Interesting. I imagine you are an exception to the rule in that most people don't have several hundred email addresses.

    2. We're looking at a fix to truncate the dialog so the buttons are visible, thanks for the report.

    3. I am a premium member and I too get the dialog with a HUGE list and no way for me to say "yes/no". Is there a workaround in the meanwhile?

    4. I have the same issue (lots of email addresses) and would like to check some but not the others. This might occur if an address that I used as an official of an organization was now passed on to someone else (example: treasurer, president, etc.) Although the email address may still be in my database, I no longer use it and the current user might not welcome getting an unsolicited email from LastPass. So the ability to selectively check some of the addresses would be nice.

    5. Look at the extremes, the middle will take care of itself.

  2. Love the features but I'm not clear on how Sentry actually works (aside from being integrated into the Security Challenge). Is this all done automatically and we're notified if our information has been compromised? Because I don't see any options to use it anywhere. I'm a Lastpass premium user.

    Replies
    1. The checks for your LastPass account email address happen automatically, we do a secure check of the entire database pulling the latest updates from PwnedList.

      In the case of the vault check, though, you have to run the security challenge from the LastPass Icon > Tools menu > Security Check/Challenge, which will ask if you want to check for any breaches of your sites. You'll have to go through those steps every time you want to run the check locally against your entire vault.

      Hopefully that clarifies, happy to address further questions.

    2. That does clarify, thank you Amber. Features are even better when I don't actually have to use them to take advantage of them! But I did run the Security Challenge and was notified of an old breach so I saw it in action.

  3. This is the most amazing feature I've ever heard!

    Thank you for being on the bleeding edge!

  4. Thanks for another great feature - LastPass is pure awesome!

    Just a couple thoughts:

    1) It's probably not necessary to check the address I use as my LastPass user name since that's already being checked.

    2) It'd be nice if the addresses to be checked were in a checklist so that some could be deselected. Alternatively, it would be nice if the report could be sent to my LastPass account's email address. As one example, I'm thinking of my comcast account that I never check and I'm not even sure how to check it. Another case is accounts that belong to family members -- they're not expecting the message and I either can't or don't want to peek at their mail. In that case, I'd rather get the notice and follow up with them to make sure it gets addressed.

    Replies
    1. I second this comment. The emails should go to the lastpass account's email address. I have email accounts that I use for username but I cannot check those email accounts. For example, some accounts related to my kid have her email address but if lastpass sent an alert email to her, she won't (care to) do anything.

    2. Thanks for the feedback, we'll look at improvements!

  5. Liking this addition, however if possible I'd like to be able to tell the Sentry check to send all details for the email addresses to a single account (the account master email address) rather than have it send individual mails. Is that possible?

    Replies
    1. Not currently but we'll look at improving this option - thanks!

  6. +1, for the reasons cited by Unknown in the comment above.

  7. Hmm, one of my email accounts shows up in the database and says I'll get a detailed description emailed to me. But I get nothing. Yes, I checked my spam folder.

    Replies
    1. The email should only be sent if a match is found - if no email is sent, no match was found. If you do think a match was found with no follow-up email, please send a report directly to the team at https://lastpass.com/supportticket.php

  8. "...notifications are sent to the affected email addresses..."

    ... wrong choice. The notifications should be sent to the Lastpass user at their e-mail, not to all the e-mail addresses in the Lastpass vault accounts.

    Please fix this. You have not thought this through.

  9. Totally awesome. I love LastPass. I could literally not live without it. Literally.

  10. How about a feature to warn when you go to a site and have a weak password? I have a bunch of sites with the same pw, I don't want to sit down and crawl through a hundred blogs etc, but I would do it one at a time, when I go to the site in question, if the system prompted me (and I need to be able to tell Lastpass to ignore some sites, of course).

    Replies
    1. A great request, Ronald - I'll pass it to the development team!

    2. Nice idea indeed

    3. Indeed! Great idea!

  11. Let me 3rd the idea as a great one! Like doing the sites one at a time, because the time to fix them all can be huge!

  12. Feature request:
    Let me select a list of passwords to update. Save the list. For each password:
    1. Take me to the site
    2. Log me in
    3. Select account/settings/password
    4. Change the password to a generated one and update the list of passwords

    Replies
    1. I second this auto password update. Also, I should be able to choose sites or a group of sites to just update the password in Lastpass (no need to go to site) all with the same password. This would be good for me when I change my active directory password and want to change all sites associated with that account.

  13. Two main concerns I have with changing all passwords that are duplicates or weak:

    1) I have dozens (even hundreds) of sites using the same password. Do you expect us to go through each site individually and through all the log-in processes and subsequent menus to get to the "change password" screen for each site?? That would take all day (or all week if you did not work around the clock nonstop) and who has the time or patience for that?!

    2) Secondly, since there are hundreds of sites you say should all have different passwords, I'm assuming you mean to have them computer-generated automatically by Last Pass right? No one is going to personally sit and try to think of hundreds of different secure yet memorable passwords. However, if auto-generated they won't be memorable and then one is relying on Last Pass to never fail and to always have it available even when on a public or guest computer. How can you put all your trust in Last Pass in those cases and risk being shut out of all your accounts??

    If there is a simple solution to all this that I may be overlooking please let me know, thanks.

    Replies
    1. 1) You'll have to go through each site individually to change passwords. LastPass isn't in control of all the sites you use, and doesn't know how to change the password on each one (as every site would probably have a different "change password" page). I guess the solution is to be secure from the beginning, and never share passwords on any site. If the sites you're sharing your passwords on aren't very security-critical then it's probably okay for them to share passwords, as long as you keep the risks in mind (if one site gets compromised and hackers obtain your password from it, they could potentially log in to every other site that shares that same password).

      2) The whole point of LastPass is to generate complex passwords for every site you use, and use your LastPass master password to retrieve the passwords when you need them (so you don't have to memorise them all). If you don't want to put your trust in LastPass, why are you using it? On a public or guest computer, you can log in at the website (https://lastpass.com/) and get your passwords that way. You could generate some One Time Passwords to use on public computers - These are passwords that only let you log in to your LastPass account once. I'd suggest doing this as using your master password on a public computer isn't a very good idea security-wise.

    2. Reading would help. Be informed of what LastPass is all about as well as all its services. Keep reading!

    3. It would delight you perhaps to know that our passwords can be accessed anytime using any browser even if we're offline! With this, whatever happens to the physical servers of LastPass, our passwords are all within our reach.

  14. It's not about not "trusting" LastPass, just that any software or website is subject to issues and to put all your eggs in just one basket in general is not a good idea -- for anything. The idea of having no clue what any of my passwords are except my master password and my only access to all my account is via LastPass since only it knows them all is scary should there be any incident or failure. You'd be crippled in that case.

    So if you shouldn't use your master password on a public or guest computer, then how do you know how many "one-time" passwords to create? If you're going away on a trip you'll need more than one, obviously. Something about having no clue about what any of my passwords are is just scary to me.

  15. Download them from LastPass on a CSV or to your smart phone.

  16. I am so impressed with LastPass. I have a lot of p/words and being in the over 60's age group, sometimes the memory has big lapses - but all is fixed with Last Pass.
    Thank you to everyone involved.

  18. I have been using LastPass for almost four to five years now with NO problem at all. While it is normal to worry sometimes, most of the time I feel safe with them. Btw, I keep a 24-character/key master password!

  19. I'm really happy with the free app. The more I see how the premium users like it, the more I'm thinking about going premium. Also like the new Sentry feature...

  20. Most sites you don't need a highly secure password. I use one that is easily remembered containing numbers, letters and symbols. For bank sites, email and other more important sites I use highly variable passwords that are long. LastPass helps with all of these, but I back them up on my desktop and laptop with another app - Password Safe - just in case of a catastrophic loss...
