Nov 27, 2008

The worst form input field in the Top 100 Internet Retailers (by annualized sales)

LastPass just came out with beta version 1.38, where we spent the week improving our form fill to perfection on the top 100 Internet retailers (by annualized sales). Overall it was a good exercise and improved our form filling capability dramatically on some sites.

This also exposed us to some questionable decisions made by some of the retailers in their forms. For example, some sites like to combine the credit card expiration month/year into a single select box. Nice if your expiration date is in 3 months, but when it's in 2017, and you have to scroll through over 100 entries it's a lot less usable. This is not a big deal; LastPass handles it so you won't have to think about it or waste time with it.

There was one form entry that we refuse to support on the moral grounds that this just needs to die. It looks like this:

Wow. An email field that asks you to split your email address into parts. It doesn't work well, period, but it really doesn't work for my email address from school, nor for people in the rest of the world with multi-level top-level domains, nor for people with long domains (the boxes are too small to fit them).

This particular gem is on Dr Foster and Smith's pet supply site (which just made the top 100), which gets close to a million unique visitors a month. Perhaps a little exposure will encourage them to fix it.

Bonus points to anyone who can find a similarly bad input field on such a prominent site. I'll accept any site with over 100k unique visitors as judged by with one point per 100k uniques. The Dr Foster and Smith example is currently an 8.1. Can it be broken?

Enjoy Thanksgiving, Black Friday and Cyber Monday!


Nov 9, 2008

New LastPass Features

New features are typically listed on our Upgrade Page when we release, but I want to highlight a few recent additions in case you missed them:

1) Identities: Allows you to create different views into your LastPass account. This is most commonly used to hide some of your sites when you log into LastPass from a particular location; a common example is creating a 'home' and a 'work' Identity.

2) New Language Support: Thanks to our many volunteer translators, LastPass has been translated into French, Swedish, Hebrew, German, and Dutch. Many more languages will be available soon.

3) LastPass Home: We created a super fast page that allows you to see all of your sites, organized as you like them, immediately. It allows for quick searching, editing and autologin.

4) Better support for iPhone: iPhone users can now launch site logins from our mobile site.

5) Form Fill Improvements: We continue to improve our algorithms and feel we have one of the most accurate form fill products available.

Keep an eye on our Upgrade page for new features. We have come a long way these past few months and plan on continuing that trend moving forward.

Sep 19, 2008

After Yahoo Email Debacle, Sarah Palin Needs Lastpass

"Rather than some automated tool or complex virus, Google and Wikipedia searches appear to have been the weapons used to knock down the walls guarding [Sarah Palin's] e-mail," according to this eWeek item.

Most people are vulnerable to the type of attack that compromised Palin's email account; as Markus Jakobsson wrote recently in IT World, "...almost all of us reuse what we may think of as “meta passwords” – the information used to reset passwords..."

Every three months about 1.5% of Yahoo's 250 million email account holders forget or lose their email login or password. That works out to tens of millions (roughly 15 million) of password reset/recovery requests per year, according to this research report. This translates into a lot of wasted time in password recovery purgatory (at best) or opportunities for privacy problems and online fraud (at worst).

The password security and password recovery process is vulnerable to several different types of attacks:

1) Phishing attacks, where someone mimics a trusted website, usually by sending an email directing you to a "fake site." There they get you to enter personal data such as passwords, credit card numbers or social security numbers, or "meta password" data like your birthday, mother's maiden name or the name of your first pet. The phisher captures this information and uses it to assume your identity, either accessing your sensitive accounts or creating new accounts in your name.

Lastpass protection: They protect against phishing attacks by checking that every site you log into is the actual website you're trying to reach. When you attempt to log in to a website using Lastpass, the password manager highlights the login/form-fill fields and offers auto login only on the legitimate website where you have a saved account. When you see the Lastpass icon and the highlighted fields, you know it is safe to proceed.

2) Brute force attacks, where someone methodically tries password combinations in an attempt to guess your password. One popular variation is the dictionary attack, where weak passwords are uncovered simply by testing the words in a dictionary against your account.

Lastpass protection: They make creating, using and remembering strong passwords simple. Most people, myself included, make it too easy for brute force attacks to succeed because we use weak passwords (which are easier to remember than strong, complex ones) and reuse those weak passwords across different sites (so if one password is stolen or compromised, many of my sites are exposed). Lastpass makes it easy to use a strong, unique password for every website. I use Lastpass to auto-generate strong passwords and to remember them so I don't have to.

3) "Meta password" attacks (a.k.a. mother's maiden name and other common password retrieval challenges). In this increasingly common scenario, someone collects your personal information via Facebook, public record searches, etc., and uses it to answer the questions needed to reset your account password and access your information.

Lastpass help: The password manager lets me change the way I answer these “meta password” questions. Basically, I can give away less personal information. Gone are the days when I entered simple answers; now I auto-generate strong, password-like answers to questions like mother's maiden name and elementary school. I use the password generator to make up “junk” answers and save them in the “edit site information” notes section with each new account. Because Lastpass auto-logs me in to websites, I no longer need the meta password data to reset passwords. If I ever need those answers, they are securely saved and accessible from my Lastpass portal page.

Because Lastpass does password management differently, it syncs all my information across platforms and machines, so I can still access all my account information and log into my websites, without ever uploading any of it to their servers in a form they can read.

So, unlike many password managers, Lastpass doesn't require much “trust” from me. It encrypts all my sensitive information locally on my machine before anything is synced; what reaches their servers is only the encrypted form, which they can't read without my master password, and the decrypted data stays on my computer.

It’s probably time for all of us including Sarah Palin to rethink our online information management and make life easier and safer with a password manager like Lastpass.

Sep 10, 2008

Sharing accounts and the future of how you deal with passwords

When we explain account sharing to people, it's not uncommon for them to ask why they would want to share an account.

Usually this objection is grounded in the fact that most people use the same username and password everywhere today, so by sharing one account they'd be giving away access to all their accounts. We're hoping you'll change that habit with LastPass: let the program do the hard work of remembering usernames and passwords so that you can feel free to pick a good, distinct password everywhere you have an account (using the LastPass Password Generator to do it).

There are lots of reasons you'd want to share an account with someone else. If you share a bank account with your spouse, isn't it better that each of you can reach it with your own LastPass password, rather than both being forced to memorize the same bank password? If you have a special login for work, isn't receiving that password in LastPass a lot easier than having someone email it to you, where you'll have to go searching through your email for it at a later date?

All of this is predicated on your use of unique passwords for each account, so if there's a reason you're not doing that, we'd love to know.

Aug 27, 2008

Have you seen what passwords a virus could pull from your PC?

One of the reasons we created LastPass was to remove a threat that worried us: if you somehow got a virus on your PC, could it immediately grab your passwords and then uninstall itself, leaving you none the wiser? This would be a particularly insidious attack, as you'd be unlikely to notice it and therefore unlikely to change your passwords afterwards.

If you're on a Windows PC, I'd encourage you to try the LastPass installer: one of the installation steps optionally shows you what passwords LastPass can find on your PC, and lets you choose which (if any) you'd like to encrypt and then potentially remove from your PC.

It may be a big eye-opener to see what passwords are sitting on your PC in unencrypted form, and even if you don't choose LastPass as your password manager, you'll at least know what you're risking and be able to clean up.

Recently a virus called Gammima.AG made it onto laptops aboard the International Space Station; its goal was to gather passwords (albeit not in exactly the way I describe above), but it shows that attacks of this nature aren't far-fetched and can happen to the best and brightest of us.

How LastPass protects against phishing attacks

Hopefully you have started using LastPass and are now hooked because of the added convenience, security and organization it brings to your life. One facet of LastPass security that we haven't really mentioned is how we protect you from phishing attacks.

Phishers set up rogue websites with domains that are close in name to their target, so they catch people who mistype the URL. They make the page look identical, so it is easy to enter your login information without a second thought.

LastPass protects against this if you use the LastPass website to log in or the Sites drop-down in the plug-in: there is no URL to type, because LastPass navigates to the page for you. It is both convenient and safe.

The second way phishers often trick people is by sending emails that look legitimate but whose links point to the phisher's website instead of the one they are impersonating. LastPass protects against this by only filling the form and showing our icon in the form fields when the page's domain matches a site where you have an account.

So if you do not see the LastPass icons in the form fields on one of your sites, do not simply enter your information! First make sure you are logged into LastPass, then check the address bar carefully.
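The check described above, "only fill if you have an account with this site", stands or falls on how "this site" is defined. The following is an added example written for this page, not LastPass's own matching code: it keys saved accounts on the registrable domain of the page URL and refuses lookalike hosts that a plain substring test would accept. The two-level suffix set, the sample vault and the `shouldFill`/`siteKey` names are assumptions for the example; a real implementation would consult the full Public Suffix List.

```javascript
// Added example (not LastPass code): decide whether a password manager should
// offer to fill a login form on `pageUrl`, given the URLs it has saved.

// Assumption: a tiny stand-in for the Public Suffix List, so that
// "example.co.uk" is treated as one site rather than "co.uk".
const TWO_LEVEL_SUFFIXES = new Set(['co.uk', 'com.au', 'co.jp']);

// Registrable domain of a hostname: the suffix plus one label.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, '').split('.');
  if (labels.length < 2) return null;
  const lastTwo = labels.slice(-2).join('.');
  const take = TWO_LEVEL_SUFFIXES.has(lastTwo) ? 3 : 2;
  if (labels.length < take) return null;
  return labels.slice(-take).join('.');
}

// The key a saved site is matched on. Anything that is not an http(s) URL
// with a hostname (javascript:, data:, file: ...) never gets filled.
function siteKey(url) {
  let u;
  try { u = new URL(url); } catch { return null; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  if (u.hostname === '') return null;
  return registrableDomain(u.hostname);
}

function shouldFill(pageUrl, savedSites) {
  const key = siteKey(pageUrl);
  if (key === null) return { fill: false, reason: 'unparseable or non-web URL' };
  const match = savedSites.find(s => siteKey(s.url) === key);
  if (match) return { fill: true, account: match.username, reason: 'registrable domain matches' };
  // Diagnostic only: the naive "does the host contain my site?" test that
  // phishing hosts such as www.example-bank.com.evil.test are built to pass.
  const host = new URL(pageUrl).hostname.toLowerCase();
  const lure = savedSites.find(s => host.includes(siteKey(s.url)));
  return { fill: false, reason: lure ? `lookalike of ${siteKey(lure.url)}` : 'no account for this site' };
}

// Constructed sample vault for the example.
const SAVED = [
  { url: 'https://www.example-bank.com/login', username: 'alice' },
  { url: 'https://secure.example.co.uk/', username: 'alice' },
];

console.log(shouldFill('https://login.example-bank.com/auth', SAVED));          // fills
console.log(shouldFill('https://www.example-bank.com.evil.test/login', SAVED)); // lookalike, no fill
console.log(shouldFill('https://examp1e-bank.com/', SAVED));                    // no account, no fill
```

The matching is deliberately done on the registrable domain rather than the exact host so that `login.example-bank.com` and `www.example-bank.com` share one account, while `example-bank.com.evil.test` does not: its registrable domain is `evil.test`. The `lookalike of ...` reason is only for the user's benefit; the decision not to fill is the same either way.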

Lastpass Saved Me While Traveling Abroad - No Stress Bill Pay From a CyberCafe

Victory was mine this morning: Visa won't be getting a late fee from me! Even though I was traveling abroad, on the road, without a secure internet access point this morning in Berlin, Lastpass's virtual keyboard and universal access saved the day.

About six million North Americans live abroad, with 20 million more working or traveling outside the country every year. As a member of this traveling horde, I sometimes find myself stuck in a foreign country without secure Internet access, needing to pay an online bill or transfer funds between bank accounts. In the past I had to choose between logging on from a public PC and hoping for the best, vis-a-vis keystroke loggers and other bad online things, or paying late fees and overdraft penalties.

Not today. I was able to log on to my credit card account using the Lastpass virtual keyboard (the feature in the upper right of the log-in page) and pay a credit card bill. I know the guys behind Lastpass from our days at eStara, so I'm not terribly surprised they've made Lastpass easy to use, portable and secure, but I am pleased that they did. Thanks guys!

Aug 20, 2008

Protecting your privacy by using base64 encoded inline images + table images for IE

While creating LastPass we wanted to show an overlay on the page when you autologin to a site. We ran into an issue though: if we used an image on that overlay, the browser would fetch it from our server and send the URL of the page you were logging into as the Referer, a privacy leak that we wanted to avoid.

In Firefox, there is a relatively straightforward and elegant solution: use an inline base64-encoded image (a data: URI), so the image travels inside the markup and nothing is fetched. This method is covered here:

This was great, but the Internet Explorer versions in use at the time didn't support inline images. We found inspiration for the solution here and adapted it to produce pure HTML rather than JavaScript. Using a table to draw an image will probably make you squirm, but it works.

The overlay we are creating is already HTML, and IE renders tables quickly, so we gave it a shot and it worked great, much faster than the JavaScript version (which has to read the pixel data at runtime and ultimately builds a table itself anyway).

Granted, this is a very small image (our logo), and we probably wouldn't do it for a large one, but it accomplishes the goal while protecting your privacy, which makes us happy.
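Both techniques in concrete form, as an added example written for this page rather than LastPass's own overlay code: the pixel grid is encoded as an uncompressed BMP and emitted as a data: URI for browsers that accept one, or rendered as a table of coloured cells for those that don't. The 6x4 two-colour "logo", the palette, the `supportsDataUri` flag and the function names are constructed for the example.

```javascript
// Added example, not LastPass's own code: two ways to put a small logo on an
// overlay injected into someone else's page without the browser making an
// HTTP request for it, and therefore without a Referer header leaking the
// page URL. The pixel art and colours below are constructed for the example.
const PALETTE = { '#': [0x00, 0x2e, 0x8c], '.': [0xff, 0xff, 0xff] }; // char -> [r, g, b]
const PIXELS = [
  '.####.',
  '#....#',
  '#....#',
  '.####.',
];

// Encode the grid as a 24-bit uncompressed BMP: simple enough to write by
// hand, and a format every browser of the era could decode.
function bmpBytes(rows, palette) {
  const h = rows.length, w = rows[0].length;
  const rowBytes = Math.ceil((w * 3) / 4) * 4;    // BMP pads each row to a 4-byte boundary
  const buf = Buffer.alloc(54 + rowBytes * h, 0); // 14-byte file header + 40-byte info header
  buf.write('BM', 0, 'ascii');
  buf.writeUInt32LE(buf.length, 2);               // total file size
  buf.writeUInt32LE(54, 10);                      // offset of pixel data
  buf.writeUInt32LE(40, 14);                      // BITMAPINFOHEADER size
  buf.writeInt32LE(w, 18);
  buf.writeInt32LE(h, 22);
  buf.writeUInt16LE(1, 26);                       // colour planes
  buf.writeUInt16LE(24, 28);                      // bits per pixel
  buf.writeUInt32LE(rowBytes * h, 34);            // size of pixel data
  for (let y = 0; y < h; y++) {
    const row = rows[h - 1 - y];                  // BMP stores rows bottom-up
    for (let x = 0; x < w; x++) {
      const [r, g, b] = palette[row[x]];
      const off = 54 + y * rowBytes + x * 3;
      buf[off] = b; buf[off + 1] = g; buf[off + 2] = r; // stored as BGR
    }
  }
  return buf;
}

// Firefox path: the image bytes travel inside the markup as a data: URI.
function inlineImageTag(rows, palette) {
  return `<img src="data:image/bmp;base64,${bmpBytes(rows, palette).toString('base64')}" alt="">`;
}

// IE path: one table row per pixel row, one cell per run of same-coloured
// pixels, coloured with CSS. There is no image at all, so nothing to fetch.
function tableImage(rows, palette, cell = 4) {
  const hex = rgb => '#' + rgb.map(v => v.toString(16).padStart(2, '0')).join('');
  let html = '<table cellspacing="0" cellpadding="0" border="0" style="border-collapse:collapse">';
  for (const row of rows) {
    html += '<tr>';
    for (let x = 0; x < row.length; ) {
      let run = 1;
      while (x + run < row.length && row[x + run] === row[x]) run++;
      html += `<td colspan="${run}" style="width:${run * cell}px;height:${cell}px;background:${hex(palette[row[x]])}"></td>`;
      x += run;
    }
    html += '</tr>';
  }
  return html + '</table>';
}

// `supportsDataUri` stands in for whatever browser detection the caller does;
// it is an assumption of this example, not a real LastPass flag.
function overlayLogo(rows, palette, supportsDataUri) {
  return supportsDataUri ? inlineImageTag(rows, palette) : tableImage(rows, palette);
}

// Sanity check for the privacy goal: markup that references a remote image
// would cause a fetch (and a Referer); neither output above does.
function leaksReferer(markup) {
  return /src\s*=\s*["']?https?:/i.test(markup);
}

console.log(overlayLogo(PIXELS, PALETTE, true).slice(0, 60) + '...');
console.log(overlayLogo(PIXELS, PALETTE, false));
```

The run-length merge is what keeps the table version from exploding: each row becomes as many cells as it has colour changes, not as many as it has pixels, which is why it is tolerable for a small logo and not for a photograph.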

Aug 19, 2008

How people deal with password overload today

Working on LastPass for the last few months has given me the chance to question quite a few people about their current password habits. It's been eye-opening to hear just how many people use the exact same password for every application they're faced with, either not recognizing or not caring about the risk they're taking.

The people who do recognize the risk typically 'tier' their passwords, using a strong one for the sites they care about most and a weaker one for the sites they care about less.

Both of these are pretty flawed approaches, because some companies are radically better at authenticating users than others, so a reused password is only as safe as the sloppiest site it is reused on. The most careful companies (like LastPass) use https (an encrypted channel), compute a one-way hash of your password on the client side (so your password itself never leaves your computer), and then salt and hash that value again before storing it, so that what sits in their database is neither your password nor something that can be replayed as it.

Unfortunately, almost no companies are that careful: many let you send your password over an unencrypted channel, store it in plaintext in their database, and will even email it back to you (which is also insecure). That means there are at least six distinct places your password could fall into a nefarious person's hands for just that one site: sniffed on the network between you and the company, taken by an employee at the company, sniffed between the company and your email provider, sniffed between the email provider and you, taken by an employee at your email provider, and read from unencrypted storage in your email client.

Handling passwords the right way isn't hard if you have software that will create and remember strong passwords for you.