Introducing LastPass Sentry: Always on the Lookout for the Latest Breach

September 17, 2012 | Product Updates

In response to a number of high-profile breaches (including LinkedIn, Last.fm, and the Apple UDIDs), we’ve provided LastPass users with tools to check if their data is on the leaked lists, and have notified users directly as we’ve discovered their compromised data. We wanted to take this a step further, and partnered with a company dedicated to finding and aggregating all leaks as they’re occurring, to provide a much more comprehensive service.

Today we’re excited to announce our partnership with PwnedList to offer LastPass Sentry, a new feature that will help LastPass users be more proactive about their online security.

With LastPass Sentry, we’ll use PwnedList’s comprehensive (and growing) database of 24 million publicly leaked usernames and passwords to perform daily “checks” against LastPass account email addresses to look for positive matches.

How it works:

  1. Sentry performs daily checks, with the latest updates to the PwnedList database, to see if LastPass account email addresses are on the list.
  2. If a match is found, an email notification is sent to the LastPass user, notifying them of the domain that was breached and the potential risk.
  3. Users can then run the LastPass Security Challenge to verify if the password for the breached site is used elsewhere.
  4. We then recommend updating the password for the affected account, and any other accounts using that password, using LastPass to generate a new, strong password.
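The four steps above as an added, runnable illustration (this is not LastPass or PwnedList code): the leak records, account addresses and vault contents are constructed sample data, and the function names are my own.

```python
from collections import defaultdict

# Constructed sample leak records: (breached_domain, leaked_email). Not real data.
LEAKS = [
    ("linkedin.example", "alice@example.com"),
    ("lastfm.example", "Bob@Example.com"),
    ("forum.example", "carol@example.org"),
]

# Constructed LastPass account email addresses (what Sentry checks, step 1).
ACCOUNT_EMAILS = ["alice@example.com", "bob@example.com", "dave@example.net"]

def normalize(email):
    """Case-fold and trim so 'Bob@Example.com' matches 'bob@example.com'."""
    return email.strip().lower()

def sentry_check(account_emails, leaks):
    """Steps 1-2: map each matched account email to the domains it leaked from."""
    accounts = {normalize(e) for e in account_emails}
    hits = defaultdict(set)
    for domain, leaked in leaks:
        leaked = normalize(leaked)
        if leaked in accounts:
            hits[leaked].add(domain)
    return {email: sorted(domains) for email, domains in hits.items()}

def notification(email, domains):
    """Step 2: text of the alert sent to the user (constructed wording)."""
    return (f"Sentry alert for {email}: this address appears in leaks from "
            f"{', '.join(domains)}. Run the Security Challenge and change the password.")

# Constructed vault contents as decrypted locally on the client: site -> (username, password).
VAULT = {
    "linkedin.example": ("alice@example.com", "Summer2012!"),
    "bank.example": ("alice", "Summer2012!"),
    "mail.example": ("alice@example.com", "x9$Lq-rTv2"),
}

def reuse_check(vault, breached_site):
    """Step 3: other vault entries that share the breached site's password (step 4: rotate all of them)."""
    if breached_site not in vault:
        return []
    breached_pw = vault[breached_site][1]
    return sorted(site for site, (_, pw) in vault.items()
                  if site != breached_site and pw == breached_pw)
```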

The feature is available for all free and Premium users, as well as corporate Enterprise users. It is enabled by default, and users can opt out via the email notifications. In the case of Enterprise users, both the Enterprise administrator and the affected employee will receive notifications that a match has been found.

We’re excited that the feature has already generated positive feedback. LastPass Enterprise customer Matthew Wittkin of MoreVisibility commented, “LastPass already helps us to better control and protect our digital assets. With this new feature, our administrators and employees know immediately if any company passwords have been compromised, allowing us to update them within seconds. We hope nothing like this will ever come to pass, but it gives me extra peace of mind knowing that, with LastPass, I’ll be the first to know!”

We have plans to further integrate the service into the LastPass Security Challenge, so we can check not only the email address that you use for your LastPass account itself, but perform a local check of the entirety of your stored data. We also plan to increase the frequency of our database checks to work towards real-time notifications.

What do you think of LastPass Sentry? Leave your thoughts in the comments below!

62 Comments

  • Anonymous says:

    Very welcome addition, thanks!

  • Anonymous says:

    Another pointless feature. I’m starting to worry about the focus of the LP development team.

    • Anonymous says:

      I tend to agree. Every single one of these additions, and the increasingly “social” flavour pervading everything, has its own security implications to worry about.
      When LP gets around to doing a “local” check for compromised user names and e-mail addresses in our vaults, will this mean that some service somewhere is being sent all our login IDs and all our e-mail addresses, opening the risk of that service harvesting all this stuff?
      I am really getting concerned. LastPass is now so complex with so many security implications to think about that I am getting worried it is all too much. And too much centralisation.

    • Joe Siegrist says:

      We’d never send your email to a 3rd party, we’re downloading all the leaks and comparing them against our database internally. This really is only about helping protect you in the safest way possible.

    • Steven Grimm says:

      Even if LastPass did a check on their end on request from the client, it would be completely trivial to do it with zero risk to the security of the accounts in your vault. Their client would just send a hashed version of a given address and compare that against a hashed list of compromised accounts. Only in the case of a match (in which case, by definition, your account is *already* compromised, or it wouldn’t have been on the list) would LastPass be able to determine which address was in your vault.

      They could also do an initial check purely on the client side against, say, a Bloom filter several megabytes wide, and only send the hash value if that initial check indicated a potential match.

      Done right, this is no privacy risk.
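An added example (not LastPass code) of the local vault check the post says is planned, worked out along the lines of Steven Grimm’s comment: the server publishes a Bloom filter over SHA-256 hashes of breached addresses, the client screens its vault addresses against it offline, and only the hash of a potential match is sent for confirmation. The Bloom parameters, sample addresses and function names are my own assumptions.

```python
import hashlib

def h(email):
    """Hash a normalized address; this digest is the only thing that ever leaves the client."""
    return hashlib.sha256(email.strip().lower().encode()).digest()

class Bloom:
    """Minimal Bloom filter; k bit positions are sliced from the 32-byte digest (k <= 8)."""
    def __init__(self, nbits, k):
        self.nbits, self.k = nbits, k
        self.bits = bytearray((nbits + 7) // 8)
    def _positions(self, digest):
        for i in range(self.k):
            yield int.from_bytes(digest[4 * i:4 * i + 4], "big") % self.nbits
    def add(self, digest):
        for p in self._positions(digest):
            self.bits[p >> 3] |= 1 << (p & 7)
    def maybe(self, digest):
        # False means definitely not breached; True means "possibly", confirm with the server.
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(digest))

# Server side: constructed set of breached addresses (stands in for the PwnedList feed).
BREACHED = ["alice@example.com", "bob@example.com"]
SERVER_HASHES = {h(e) for e in BREACHED}          # server keeps hashes only
FILTER = Bloom(nbits=1 << 16, k=4)                # the "several megabytes wide" filter, shrunk for the demo
for digest in SERVER_HASHES:
    FILTER.add(digest)

def server_confirm(digest):
    """Server-side exact check; only called for Bloom hits, so only hashes of likely-breached addresses arrive."""
    return digest in SERVER_HASHES

def client_check(vault_emails, bloom, confirm):
    """Client side: return (addresses whose hash was sent, addresses confirmed breached)."""
    sent, confirmed = [], []
    for email in vault_emails:
        digest = h(email)
        if bloom.maybe(digest):           # local pre-filter; non-hits never leave the machine
            sent.append(email)
            if confirm(digest):           # resolves Bloom false positives
                confirmed.append(email)
    return sent, confirmed
```

The privacy gain comes from the local pre-filter, not from the hashing alone: an unsalted hash of an address can be matched by the server against any list of addresses it holds, so what matters is that hashes of non-breached addresses are never transmitted.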

  • Doe John says:

    Heck yes. Nice addition LastPass. Thank you guys.

  • Anonymous says:

    How are you doing this? LastPass is advertised as encrypting user data before it leaves the user’s machine. The idea being that LastPass cannot get at the information any more than a remote user could without the key in the form of the master password. If you are able to verify the existence of usernames and passwords in my vault and send me an e-mail to that effect, then clearly you have access to the very information you’ve said was unavailable to you. Which is it? Part of the allure of the LastPass system is that I don’t have to “trust” LastPass’ staff to keep my information secure, but rather that the obfuscatory power behind the encryption will ensure that security. If you can find out usernames and passwords remotely, this puts all that into question. Please explain how you can do this without compromising security.

    • Anonymous says:

      I have been wondering the same thing…

    • Anonymous says:

      Ditto on that… and also, wouldn’t it be better to use a LastPass random login name of 12 meaningless characters? Doesn’t that DOUBLE my security? If you try that on most sites, you’ll get an error message, invalid email format, or it needs that Login/Email Address to confirm your subscription. We are always adding convenience in lieu of security!

    • Anonymous says:

      Quoting Amber from LP:
      “so that we can locally check against the data in your vault.”

      As I understand it the keyword here is “LOCALLY”. All the work is done on your side, not LP servers.

    • Anonymous says:

      If you read the full article it states that initially you’ll only be notified if the same email you registered with and use to login is part of any leaked list. No logins within your vault are accessed.

      They’re working on integrating this discovery method with the LastPass Security Check, all of which is initiated by you locally and without sending any data to LastPass. This would include all your logins and other email addresses you use.

  • Anonymous says:

    So this just compares your login email address with the database?

  • RichC says:

    Great addition to an already excellent method of reducing exposure to Internet risk.