Mar 25, 2013

LastPass Now Warns You When You're Using a Weak or Duplicate Password

The latest update to the LastPass Chrome extension now warns you when you are logging in to an account with a weak or duplicate password. The new feature will help you be more proactive in updating insecure passwords to strong, unique ones generated by LastPass!

When you're logging in to a site, LastPass will flag the password as "weak" if it detects that you received a score below 50% for that specific password in the LastPass Security Challenge. It will also flag the password as a "duplicate" if you are using the same password for another login stored in LastPass.
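The two checks described above, sketched as an added example (not LastPass code and not from the original post). Scores are taken as given input, since the page does not describe how the Security Challenge computes them. The entry fields, the sample vault and the equivalent-domain list are assumptions, the last modelled on the vault's "Equivalent Domains" setting mentioned in the comments.

```javascript
// Added illustration, not LastPass code. Scores are taken as input (0-100);
// the Security Challenge scoring itself is not described on this page.
const WEAK_THRESHOLD = 50; // "weak" = score below 50%

// Map every domain in an equivalence group to the group's first domain.
function buildDomainIndex(groups) {
  const index = new Map();
  for (const group of groups) {
    for (const d of group) index.set(d.toLowerCase(), group[0].toLowerCase());
  }
  return index;
}

// Returns { id: { weak, duplicate } } for each vault entry.
function auditVault(entries, equivalentGroups = []) {
  const index = buildDomainIndex(equivalentGroups);
  const siteOf = (e) => index.get(e.domain.toLowerCase()) || e.domain.toLowerCase();

  // password -> set of distinct sites (after collapsing equivalent domains)
  const sitesByPassword = new Map();
  for (const e of entries) {
    if (!e.password) continue; // assumption: blank entries are not compared
    if (!sitesByPassword.has(e.password)) sitesByPassword.set(e.password, new Set());
    sitesByPassword.get(e.password).add(siteOf(e));
  }

  const report = {};
  for (const e of entries) {
    const sites = sitesByPassword.get(e.password);
    report[e.id] = {
      weak: e.score < WEAK_THRESHOLD,
      duplicate: Boolean(sites) && sites.size > 1,
    };
  }
  return report;
}

// Constructed sample vault (all values invented for the example).
const sampleVault = [
  { id: "gmail", domain: "gmail.com", password: "pw-A", score: 80 },
  { id: "google", domain: "google.com", password: "pw-A", score: 80 },
  { id: "blog", domain: "blog.example", password: "pw-B", score: 30 },
  { id: "shop", domain: "shop.example", password: "pw-B", score: 30 },
  { id: "bank", domain: "bank.example", password: "pw-C", score: 95 },
];

console.log(auditVault(sampleVault)); // gmail/google flagged duplicate
console.log(auditVault(sampleVault, [["google.com", "gmail.com"]])); // only blog/shop flagged
```

Without the domain group, the two Google entries are reported as duplicates of each other; with it, only the password genuinely reused across unrelated sites is flagged.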

When a weak or duplicate password is detected, the LastPass icon turns yellow. Clicking the LastPass icon shows the warning, recommending that you update the password immediately.
Since you are now logged in to the account, you can navigate directly to the password change page for the site, and use LastPass to generate a new, strong password. If the "generate" notification doesn't appear, you can always use the "Generate Password" function from the LastPass icon menu.
Once you've submitted the changes to the site, LastPass will also ask you to confirm the changes, and you're done!

If for some reason you do not want to update the password for the site, you can choose to "disable" the alert so you are not prompted again. You can also disable alerts entirely if you do not wish to use this feature.

Remember, you can always re-run the LastPass Security Challenge to see a comprehensive analysis of your stored passwords - you can launch it from the new alerts directly, or you can open it from the Tools sub-menu in the LastPass icon.

The feature will soon be rolled out to other browsers, but is currently only available in Chrome. Most users should receive the update automatically when they restart their browser, but if a manual reinstall is needed you can do so from our download page.

What do you think of the new feature? Leave your feedback in the comments below!

60 comments:

  1. This is a neat addition.
    When you have passwords for nearly two hundred sites, it helps you to stay abreast and more secure.
    Thank you.

    1. Thanks for the positive feedback!

  2. Glade I paid the $12 :)

    1. Next purchase, spell checker? :p

  3. Thank you, I have some 200 sites to manage and wouldn't even imagine doing that without a password manager like LastPass ;-)
    Glad I paid for it

  4. Useful feature. Thanks!

  5. Oh and fix the old Copyright on the bottom of the site, it says 2011

    1. Thanks for the report, we'll fix! Chrome is easier for us to roll out updates, and a few other updates were due for that browser in particular.

  6. Sorry, but I turned it off. It repeatedly comes up on Google because the same password covers gmail and chrome's syncing, so I told it to ignore this site. It didn't. Then it told me I was duplicating tumblr with something else, which I wasn't, so I just switched it off completely.

    1. Thanks for the feedback, we'll take a look at this behavior. We also welcome direct reports to the support team: https://lastpass.com/supportticket.php

    2. I have the same problem; it keeps coming up. Very annoying and can't turn it off. Gmail.

  7. It, and the security check function, need a way to understand when multiple sites are using the same login credentials, not because I'm being lazy, but because they're all linked to the same authentication back-end.

    1. Thanks, this is an improvement we do hope to implement soon.

  8. You might try having just one "google" password but telling the system that gmail.com is the same domain (and anything else that SHOULD match). In the Vault, you go to Settings on the left and "Equivalent Domains" at the top. That also keeps them from going out of sync if you change one.

  9. What version should this update be? I'm at 2.0.21.

    1. Version 2.0.24+ will contain the updates. Let us know if you have any trouble reinstalling (https://lastpass.com/download).

  10. This new duplicate warning sucks because you haven't done anything to handle the fact that some people have a single account stored in LDAP or something similar. I have seen people complaining about this on your forums since you launched the security check feature a while ago.

    I have a single account for work, which is in an LDAP directory (AD). That account is used within Google apps, our 3rd party hosted helpdesk, our Intranet, and so on. In my case there are 16 separate FQDN that I use that set of credentials at. Of course just for variety, while the password is the same, the username comes in many varieties depending on the context. It could be `username`, `example\username`, `example.org\username`, `username@example.org`, or `username@example.com`.

    The oft-repeated suggestion on your forums/support about the equivalent domains feature breaks more than it fixes.

    Google.com is obviously not equivalent to my organization's intranet/extranet sites, and neither are many of the other 3rd party sites. I don't want my personal Google accounts showing up in the list when I am logging in to my work Intranet.

  11. When I turn it off, how is the setting stored?

    I'm having to turn it off every day. I have the "Keep local data only until I quit my browser" option checked and am wondering if that's why it keeps nagging me over and over. I know some of my passwords are weak, but they're for sites where security is unimportant to me so I have no desire to change them.

  12. How do I turn it off? Am fed up getting spurious warnings, due I suspect to sites sharing the same log-on mechanism.

    1. Yeah how do I turn this shit off.

  13. This feature is fantastic!! I had a large backlog of duplicate passwords for accounts that existed before I started using LastPass and I was paralyzed at the thought of changing them all. This update helps me remember to change my passwords as I come across duplicates and gives me tremendous peace. :)

    1. Thanks for the positive feedback!

  14. I know that I have a double password and I'm not going to change passwords on a safe 1000. The product SAFETY useful for geeks. I did not want to keep the notification of weak passwords. Every new launch Chrome and LastPass makes church have weak passwords. It can not be off. Bad Option!

  15. Yes, the setting to ignore the warning does not seem to persist. Please fix

    1. Thanks for the report, we'll test in-house and look at any needed fixes.

  16. Not a fan. How do I disable this?

  17. Not a fan. How do I disable this?

    1. The next time you see the alert, you can choose the "disable" option for all alerts.

    2. Doesn't work. Asks for it EVERY SINGLE TIME!! No matter how much I 'disable' it. Chrome. Windows 7.

  18. Hi guys,

    I'm using your plugin on google-chrome in Linux. It works great for me. Thanks for a great app.

    As for the yellow button, I would really like to turn it off. That's because I'm using tens of testing accounts for websites we develop and yes, I use insecure passwords for them. When I log in to one, the button gets yellow. Then I gotta click it to try to see the message. But the message box sticks half open and there is no way of seeing the message and disabling the feature.

    As a temporary workaround I'm clicking the app icon 3 times so as to skip that damn message that I can't see and get straight to my passwords. This is very annoying and I'm dreaming about turning this off.

    Please listen to us and add a way to turn this feature on and off in the next revision. That would be a great relief.

    Thanks again for a great app.

    Anatol

    1. Completely agree.
      LP, please add ability to switch it off!

  19. Nice feature in my opinion, but I wonder if it is possible to run a scan or report that identifies all sites where I have used the same password. I have quite a few logins and there are probably several old ones that are the same. The new feature points them out as I navigate to those sites but I'd like to see them all and spend the time to correct them all.
    Thank you.

    Jim

    1. Hi Jim,

      The "security check" is the best way to do this - from your LastPass Icon menu click "Tools" then "Security Check". Run the security check and then look at your results to see how many weak and duplicate passwords you are using.

  20. Would be great if the option to disable all such alerts actually worked. It keeps harassing me despite repeatedly selecting the option to disable it.

    1. Agree with brossow, this alert keeps showing up whether I disable or not...

  21. Can I DISABLE this alert? It's freakin killin me.

  22. I use LastPass to remember my logins, but don't actually use it to store most passwords -- usually those are blank, and as a result pretty much all of my "passwords" are considered "weak."

    Thus far I have been unable to disable this very annoying alert.

    1. Yes, it gives you the impression that you can disable this. It's false. You can only fix it by making the password better. I think this maybe should qualify as malware.

  23. Any way to disable this yet? Great feature but very unnecessary for me as I use Last Pass for work and our dev environments are all local and all share the same pass. Due to internal security there is no need for us to have what Last Pass considers "secure" local passwords.

  24. When will this feature finally be available in the Firefox add-on? :)

    Also one suggestion: It would be nice to be able to manually adjust the level at which LastPass gives me this warning. So for example all passwords with a score of less than 80%.

    1. It will be available with our next release :) Unfortunately there's no official ETA, but it will be in the near future. Thanks for the suggestion!

  25. major flipping annoyance. holy cow

  26. How do I turn this annoyance off?

    Bad programming if you don't give users the ability to turn things off.

  27. This feature has been irritating me ever since it was introduced.

    How do I turn it off?

  28. I would appreciate an actual "Last Pass" employee addressing this issue for us here :( There is NO WAY to permanently disable this new feature. It acts as malware when it forces itself upon us like this, very annoying!

  29. jeez everyone, chill out. Get some perspective. They just need some time to fix it so the function can be turned off.

  30. Please fix the disable feature. Just give me a checkbox in the plugin settings or something. So annoying!

  31. It's been over 5 months now...

  32. I hate this feature and would like to disable it. Please provide the option to do so!

  33. LastPass - you are ONLY responding to the positive comments! Why don't you respond to these people who are having issues??? This is no way to treat people who are PAYING customers.

    This duplicate password feature is driving me nuts. Every single time I open my browser I have to tell it again. How do I turn it off?

    Please answer us. It's not that hard and you haven't posted a single response to this complaint.

  34. This points to a serious lack of testing on lastpass. This problem could have been caught if *any* testing was done with this feature.

  35. Agree with others. Even when selecting to disable entirely, it keeps coming back. Quite annoying.

  36. Getting the same thing in IE now, to the point where I can't use my LP toolbar because all it does is repeatedly display the Weak Password popup and BLOCKS me from using my own LP toolbar commands.

    And as you all said, disabling it doesn't work at all. Malware is right.

  37. I'm glad to see that others are bothered by this. I don't mind LastPass's telling me about weak/duplicate passwords, as long as the ability to turn off this warning works. Alas, it does not work. For months, people have been calling this to LastPass's attention, and many have also offered compelling reasons for their using duplicative passwords, but the problem continues. Why doesn't LastPass at least FIX the turn-off-warning option?

  38. This problem is long overdue for a fix. Please allow the user to disable this.

  39. Thanks for the reports, we are investigating and hope to have improvements for the next release.

    We encourage users to report any persisting issues here: https://lastpass.com/supportticket.php for investigation with the support team, we're happy to be of help.

  40. When you're developing a website on 10-15 servers on your network, and continuously rebuilding databases/user accounts, using the same password on all of them is so much faster than keeping LastPass's records up-to-date.

    Unfortunately, the "ignore the duplicate warning for this site" option is broken and will not STFU. Very irritating.

    1. Thanks for the feedback, apologies for the annoyance - this should be fixed with the next release. We're happy to address further questions or reports (https://lastpass.com/supportticket.php).
