Feb 7, 2013

LastPass 2.0.20 Released for All Browsers, Featuring an Automated Security Score

We're excited to announce a LastPass addon update for all browsers! The release comes with several changes, big and small, as we continue to improve the core functionality of our password manager and bring more features to help you better manage your online life.

The latest update includes:
  • An automated security check that displays your score in your vault
  • Easy access to the password generator in the main LastPass addon menu
  • Automatic clearing of data filled by LastPass on logout
  • Performing hashing in binary component to speed up login, with the recommendation to increase password iterations to 5000
Included in the latest release are also a number of bug fixes and incremental updates as we continue to make LastPass even more robust, more effective, and more awesome for our users.

Feature Spotlights


In this release, we're making password management a more active process, so you know when to make changes that will improve your online security. Good security is about being proactive and mitigating risk, and our newest features will help you accomplish both.

Automated Security Check Score

One of our best loved features, the Security Check analyzes all of your stored passwords and gives you a score from 0-100 based on the strength of your passwords, the frequency of duplicated passwords, and the use of other LastPass security features. It also makes recommendations on how to up your score and improve your overall security with LastPass.
Now, your current score will be displayed on the left of your vault at all times in the "Security Check" menu option, a daily reminder of how far you've come and how far you may have to go in improving your online security.

An Accessible Password Generator

The LastPass password generator helps you create strong, unique passwords as you register for new accounts and update old passwords. We've made this feature even more accessible by including it in the main addon menu.
Now, even if you're not on a site registration form and you still need to generate a password, you'll have a super-secure, unique password in just a few clicks.

Automatic Clearing of Fields Filled by LastPass

A frequently-requested feature, LastPass now offers the option to have all fields filled by LastPass cleared when you're logged out of LastPass. Previously, if your LastPass session was still active in the browser and a login page was open, any stored logins would be filled in automatically, and the data that LastPass filled would stay filled regardless of whether LastPass timed out.
If you enable this new preferences (in the LastPass Icon menu, in the Preferences menu under the "Advanced" tab), if LastPass times out or is logged out, any data filled will be cleared at that time.

Password Iterations Can Be Increased Due to Increased Login Speed

This all gets a bit technical, but what's important is that we've updated LastPass to speed up the login process by performing hashing in the binary component.

Because login is now faster, we also recommend increasing your password iteration (PBKDF2) count to 5000. PBKDF2 is, essentially, a "password-strengthening algorithm" that makes it difficult for a computer to check that any one password is the correct master password during a brute-force attack. More iterations make it even more difficult for a computer to attempt to brute-force the password.

All new LastPass accounts will have a default of 5000 password iterations, while all current users can increase their count by logging in to their LastPass addon, opening their vault, select the "Settings" menu, and using the "Increase Iterations" option.

And More:

Other notable fixes in the latest update include:
  • Maxthon browser support (in beta)
  • Perform hashing in binary components to speed up login, with password iterations recommended to be set at 5000
  • Auto-clearing of data filled by LastPass on logout
  • A fix for NTLM authentication in IE
  • There were also a number of updates for LastPass Enterprise, which we'll spotlight in a follow-up post.

We're Moving Right Along!


Over the last several months we've pushed out a number of releases and updates that help us continue to offer valuable features and improve the overall LastPass user experience. Here's a recap of some of the notable changes:
  • Windows 8 App: We fully support Microsoft's new OS, in both desktop and "metro" mode. LastPass can be downloaded just as before in desktop mode, while our LastPass Windows app is now available in the Windows Store for use in "metro" mode.
  • Windows Phone 8 App: Our Windows Phone app recently got an overhaul, with support for Windows Phone 8. We've reset everyone's trial, if you want to try out the new app!
  • LastPass Sentry: We've partnered with PwnedList to offer Sentry, which performs daily searches of PwnedLists's database of leaked accounts for matches to LastPass accounts. The feature alerts users to potential risks and indicates which passwords need to be updated.
As always, we owe a big "Thank you!" to all the users who continue to use LastPass and help spread the word. More exciting features and improvements are on their way, so as always, stay tuned!

- The LastPass Team

62 comments:

  1. When increasing the iterations to >5000 a warning is shown. It says, that it's not recommended use more than 5000 iterations because it might slowdown the login. You might want to increase that now too. ;-)

    ReplyDelete
  2. Was this an update for all browsers? I checked Firefox and doesn't look like there is an update available...

    ReplyDelete
    Replies
    1. Unfortunately AMO hasn't published the latest update yet, but if you use the download options at https://lastpass.com/download - or our direct download link https://lastpass.com/dl - you'll have the latest update.

      Delete
    2. when will Chrome update the Lastpass Extension? Still shows up as 2.0.14.

      Delete
    3. An automatic update from Chrome may take some time - otherwise, you can "force" an update from our download page directly, apologies for the inconvenience.

      Delete
    4. I just removed and then reinstalled the extension.

      Delete
  3. Same here... Firefox 18 under ArchLinux 2013 shows no update. Tried downloading the add-on from the LastPass site - still the same 2.0.0...

    Regards.

    Andrzej

    ReplyDelete
    Replies
    1. Hi Andrzej: The version on LastPass.com/download should be the updated build, as should our direct download link (https://lastpass.com/dl) - if you see any further issues, please let us know (https://lastpass.com/supportticket.php), thanks!

      Delete
    2. Hi Amber.

      Now this is super weird.

      I checked few hours ago. The link on https://lastpass.com download site was showing 2.0.0 version. I even downloaded it and installed it just to make sure it's not just a numeration typo. I had Lastpass 2.0.0 installed after that. Now I see Your reply and checked the site - 2.0.20 - it's all good. I guess it was a temporary delay in uploading the addon or something.

      Regards.

      Andrzej

      Delete
  4. I found the download at https://lastpass.com/misc_download.php, as already noted. It installed LastPass on all browsers.

    ReplyDelete
  5. all up and running in my google chrome :)

    ReplyDelete
  6. I can't thank you enough for supporting Windows Phone 8

    ReplyDelete
  7. When will Lastpass integrate in my iOS Chrome? :)

    ReplyDelete
    Replies
    1. We hope Chrome supports 3rd party addons soon :)

      Delete
  8. Any progress on allowing Yubikey on desktop and Google Authentication on mobile devices?

    ReplyDelete
    Replies
    1. No update, but dev is aware of the request, thanks!

      Delete
  9. I increased my password iterations to 5000 as recommmended, and now all my logins and passwords are blank or with weird characters!

    ReplyDelete
    Replies
    1. Try logging out and back in, all data should then decrypt properly. If you see ongoing errors, please open a report with the team: https://lastpass.com/supportticket.php

      Delete
    2. Logging out did not work. Even at lastpass.com my passwords are blank. Even the names and urls are blanks!

      Something very wrong happened when I asked to change the iterations.

      I do not recommend anybody to do that until you are absolute sure this issue is resolved.

      I have opened a ticket. I hope you guys have a backup of my data.

      Delete
    3. Have the same problem.
      All my data is blank...
      Logout/login not helped :(

      Delete
    4. P.S. I use Chrome 24.0.1312.57 m

      Delete
    5. Same problem here, contacted support via ticket

      Delete
    6. For anyone seeing this behavior, please contact support via a ticket (https://lastpass.com/supportticket.php) we are working to resolve the error that has affected a small portion of users. Thank you for your help and patience.

      Delete
    7. Just FYI, I opened a ticket with support but not much help there. I decided to follow the process at https://lastpass.com/revert.php to restore my account from a backup and that got me back to the way I was before changing the password iterations to 5000 (after the restore completed my account is working fine again but my password iterations are back to my original value of 500).

      Delete
    8. How did you change the iterations? When I had this problem, I tried changing from my Chrome plugin Vault, ie click the plugin -> My LastPass Vault. After support reverted the change, I again updated the iterations to 5000 from the LastPass website Vault. This time it worked properly and here I sit. I suspect a problem with the plugin specifically caused the error.

      Delete
    9. "How did you change the iterations? When I had this problem, I tried changing from my Chrome plugin Vault, ie click the plugin -> My LastPass Vault. After support reverted the change, I again updated the iterations to 5000 from the LastPass website Vault. This time it worked properly and here I sit. I suspect a problem with the plugin specifically caused the error."

      This is true! I updated the iterations through the website Vault and had no issue. The bug is in the plugin.

      I am using Firefox 18.0.2.

      Delete
    10. Has this issue been resolved? I've avoid adjusting my password iterations after seeing so many people have issues.

      Delete
    11. Brent: To the best of our knowledge the issues have been resolved, if you make changes with any issues we of course will look into it ASAP - https://lastpass.com/supportticket.php

      Delete
  10. I just checked: LastPass version on my PC is 2.0.17. I check for updates… the message is: “No updates available”. I’ve always had this problem: Faulty update checking in LastPass.

    Another problem: I use LastPass in three browsers. At one point, I succeeded to have LastPass login automatically at the beginning of every browser session (because I trust security on my PC). That setting is not reliable, however. Sometimes, LastPass logs off automatically after I close the browser.

    Ion Saliu

    ReplyDelete
    Replies
    1. I just updated successfully by downloading the full installer. I am confident LastPass will make ‘updating automatically’ function properly at all times.

      Also, it appears that the login is automatic, unless:
      1) I disable it;
      2) I clean up my PC with some utilities that remove cookies.

      Ion Saliu
      SALIU.COM


      Delete
    2. Thanks Ion, we're glad to hear you were able to update with our full installer - automatic updates may be delayed for a bit. Yes, LastPass will autologin on browser startup unless you use the autologoff settings or if you have the browser set to clear browsing data / don't allow 3rd party cookies from LastPass.com.

      Delete
  11. Correction: Automatic login does NOT work in Firefox; it has never worked (up to current version 18.0.2). I have to login to LastPass every time I start Firefox. I don’t use FF much, anyway (it loads very slowly my 3 home pages: MSN, iGoogle and MyYahoo — all 3 are graphics-intensive).

    More correcting: After I closed Firefox, I opened Internet Explorer (v9). LastPass did not login automatically.

    Only Google Chrome abides by the setting ‘login automatically’.

    I like the convenience, instead of typing my (complicated) LastPass master password!

    I have the following installations:

    LastPass Chrome Toolbar
    Version: 2.0.21
    Built: 2013-02-07 15:58:17
    Binary Component: true (NPAPI)

    LastPass Firefox Toolbar
    Version: 2.0.20
    Built: 2013-02-07 15:51:24
    Fast Encryption: true (ctypes)

    Internet Explorer 9 (32-bit under 64-bit Windows 7):
    Plugin Version: 2.0.20
    Plugin Built: 2013-02-07 21:19:21
    Toolbar Built: 2013-02-07 21:19:21
    Build Type PRODUCTION-BUILD

    ReplyDelete
    Replies
    1. Please check your session ID: https://lastpass.com/debug.php between browser restarts in Firefox. If any errors persist, our support team: https://lastpass.com/supportticket.php would be happy to take a look.

      Delete
    2. Thanks, Amber, for your prompt response.

      I do not understand, however, why the whole process has to be that complicated. I do NOT recommend to anyone tampering with the LastPass debugger at the command prompt in Windows. Besides, iexplorer.exe is deeply buried to run it as the administrator!

      LastPass will fix this issue, I’m sure (but not today!)

      It is a lot more convenient to log in automatically, instead of typing a long, complicated master password any time I start a browser. It did work all right in IE9 up until 2012. Some products other than LastPass don’t work correctly in IE9 anymore. I’m happy that Chrome works correctly, though. It’s the browser I use most because it is fast and less error-prone that Firefox or IE9.

      Delete
    3. By the way –
      From LastPass debug page for Firefox:

      “Options > Options > Privacy tab, and for 3rd party cookies click "exceptions" and set an "always" exception for lastpass.com”

      There is NO “3rd party cookies” on the Privacy tab, or anywhere else in Firefox Options.

      I only found something regarding the installation of add-ons on the Security tab. In Exceptions, I added LastPass to allow installation of add-ons…

      Delete
    4. Right now, it appears that ‘automatic login’ works in all three browsers. I have the same session ID in the same browser (but different from browser to browser). I wonder what will happen tomorrow, or today AFTER I turn my PC off, then turn it on… There was this consistency problem with the ‘automatic login’.

      Delete
    5. Just an fyi it's standard protocol for windows to login as standard user and not administrator. Also command prompt does not run in administrator command prompt mode by default, especially even in windows 8 where you can see the obvious difference with one saying Administrator: Command Prompt and the other saying Command Prompt. Also, by default, windows is set to request permission for escalated admin privilege. So just to mention, it's easy to change these features as administrator but you need to know how to do it or else these are defaults. Also anyone capable of knowing how to run Administator command prompt should be aware of what it does and how it works since it's not default to run in admin mode for that in the first place nor admin to begin with even if you are the only and first person to install windows. So... I recommend none of that to my clientele because I don't need to since they call me in the first place obviously wouldnt know how to format their hard drive by accident

      Delete
  12. Can someone explain to me the security implications of the the "Security Check" being permanent and automatic? I've only run it a few times manually, but every time I did run it, it always came up with this big warning, asking me if I'm OK with my passwords being scanned as plain-text to judge just how good they are.

    If that's still the case, how the heck can I disable this automatic checker? That would mean it would ALWAYS scan my passwords as plain text and that completely defeats the purpose of using such a secured password manager.

    ReplyDelete
    Replies
    1. For both the online security challenge and this automatic test, all of the decryption continues to occur locally (with a key we do not know). Your usernames and passwords never leave your computer in either case.

      For the online security challenge, we allow you to send hashes of usernames to pwnlist (not the actual usernames, just hashes) to see if they have been previously compromised. That remains opt-in and does not occur for this automatic test.

      So in both cases, your private data remains local and safe. The intent is to increase internet security by making users aware of bad practices.

      Delete
  13. I love your service! I hope all my DATA will be secure in the future :)

    ReplyDelete
  14. Thank you so much for Maxthon support

    ReplyDelete
  15. After the update the fingerprint reader login doesn't work anymore.

    ReplyDelete
    Replies
    1. Have you tried disabling and re-enabling the fingerprint authentication with any further trouble? If so, please submit a report directly to the team: https://lastpass.com/supportticket.php so we can investigate further with you.

      Delete
  16. I can't seem to get Lastpass to work with IE 10 on Windows 8. I don't see the Lastpass toolbar, and when I go to enable it, a notice pops up that says, "do you want to disable this add-on" which is NOT what I'm trying to do.

    ReplyDelete
    Replies
    1. Please try re-running the installer: https://lastpass.com/installer - please report any ongoing issues directly to the team: https://lastpass.com/supportticket.php so we can troubleshoot with you.

      Delete
  17. Another thing you should add to your update post is that for Chrome, after the plugin updates, the security check will not give you a percentage until after you restart Chrome.

    ReplyDelete
  18. I'm a brand-new user, just downloaded last night. I run iOS on a Mac, Chrome is my browser. After installation, I can't get LastPass to work right. I can log in, but I can't generate new passords; all I get is a box that gives me the option to generate, copy and close. I can't save the new password. Also, when I'm in my vault, I can't change passwords within there. Tried it with Firefox, same issues. Seems to work with Safari. Please help! I would like to use LastPass, but I'm thinking it may not be a good fit for a Mac user.

    ReplyDelete
    Replies
    1. We're sorry to hear of the trouble, this is best addressed by the support team, if you haven't already please submit a report there: https://lastpass.com/supportticket.php so we can work with you directly - thanks!

      Delete
  19. Can you package sesame and pocket in a .deb and .rpm package? I believe this is the final step so I can use LastPass.

    ReplyDelete
  20. I don't agree with the change to the drop-down menu when choosing what profile to autofill with.

    This is the same type of change Microsoft made to the Windows 7 taskbar right click menu. It used to be right next to the button, now it's encased in a border and smaller, making it MUCH more difficult to quickly click on an entry.

    Is there a way to revert this change? If not, then I may be forced to rollback, as this severely affects my ability to easily and quickly select an account to login with. (This is also part of the reason why I use Vista instead of 7)

    ReplyDelete
    Replies
    1. Still waiting on a response if this is possible.

      Suppose I can be glad it auto-fills by itself now.. usually. Still fairly terrible on sites where I have a handful of accounts.

      Delete
    2. Unfortunately there is no way to revert this change at this time - we do apologize for the inconvenience, and hope you otherwise continue to find LastPass to be helpful.

      Delete
  21. Downloaded the Safari Extension, double-clicked it to install, then restarted Safari; it continues to show version is 2.0.1.

    ReplyDelete
  22. When are you going to add auto-updating? Or at least auto-notification of updates? As it stands, if you don;t follow your blogs, you will never know when an update is available.

    ReplyDelete
    Replies
    1. In my case, Firefox, the browser is regularly checking for new versions of my addons.

      Delete
    2. That's how I got my Version: 2.0.20 Built: 2013-02-08 09:25:38 for Firefox beta

      Delete
  23. Any idea why IE and Chrome pluings won't sync?
    I had the issue at my last job and same with a brand new setup.

    1) If I I log in on IE first then open Chrome, I'm logged in on both browsers
    2) If I log in on IE Chrome first then open IE, I'm not logged. Logging in on IE will first fail, work on 2nd attempt but will log me out of Chrome
    3) If I log in/out at any stage on Chrome while logged in on IE, it logs me out of IE, then issue 2) occurs again

    I'm using fingerprint loging if that has any impact.

    Thanks
    Laurent

    ReplyDelete
  24. A big Fuck You goes out to the automatic password check. Give us a setting to disable. Automatically doing anything is a fundamentally flawed idea. You guys are handling very paranoid peoples passwords. The absolute last thing we (I) want is software doing anything that I do not explicitly authorize. When it comes to UI, get out of the users way. If you impede a users flow in any way, it should only occur when they are performing a permanently destructive action that can not be reversed.

    ReplyDelete
  25. I agree with the folks who are asking about how to disable the password generate feature. It's made me actually turn off Lastpass and I'm tempted to just remove all together and go with something else. Here's the issue: I have a site that has a 4th field for RSA token PIN numbers. Every time I try to type in the PIN from my token, the stupid Password Generate box opens and it won't let me add anything. Even when I close the PG box, it doesn't allow the field to be filled out correctly so I ended locking myself out of this site. How do I turn that feature off?!!!

    ReplyDelete