Jan 6, 2010

The LastPass Security Challenge and 1.64.4 released

Make greater security one of your New Year's resolutions: take the LastPass security challenge.

As you may already know, there has been another high-profile release of millions of plain-text passwords. In this case RockYou had 32 million users' passwords stored in plain text, and they were downloaded with a simple SQL Injection attack.

It's clear that millions of plain-text passwords are going to keep being taken. If RockYou hadn't been publicly exposed they might not even have known! SQL Injection attacks often don't leave many traces of what occurred.

With every password you use, an employee at the site or a hacker could obtain it if the site doesn't store it as a non-reversible hash. Even if it does, a hash that isn't properly salted still leaves you quite vulnerable, despite the site operators believing they implemented things the right way (see: http://en.wikipedia.org/wiki/Rainbow_table ). And if you use the same password on multiple domains, you're opening yourself up to your password being taken at one site and used at another.
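The following is an added illustration of why an unsalted hash is little better than plain text; it is not LastPass code and does not describe any particular site's storage. The word list is constructed for the example and the PBKDF2 iteration count is an assumption. It shows that one precomputed table (of which a rainbow table is a compressed form) cracks an unsalted SHA-1 hash with a single lookup, that a per-user random salt makes that table useless, and that the attacker is then forced to recompute a slow KDF per candidate per user, which still catches a weak password but not a strong one:

```python
import hashlib
import hmac
import os

# Constructed word list: a handful of the passwords that dominated the RockYou
# dump. The real list is far longer; these are only illustrative.
WEAK_PASSWORDS = ["123456", "12345", "password", "iloveyou", "princess", "rockyou"]

# Assumption: any modern iteration count; tune to the server's hardware.
PBKDF2_ITERATIONS = 50_000


def unsalted_hash(password):
    """How a site that 'hashes' without a salt typically stores a password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def build_lookup_table(wordlist):
    """Precompute hash -> password once. The same table works against every
    site that stores unsalted SHA-1, which is the whole point of the attack."""
    return {unsalted_hash(pw): pw for pw in wordlist}


def crack_unsalted(stored_hex, table):
    """A single dictionary lookup recovers any password present in the table."""
    return table.get(stored_hex)


def salted_hash(password, salt=None):
    """Store 'salt$digest'. A fresh random salt per user means two users with
    the same password get different digests, so no precomputed table applies."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_salted(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def crack_salted_with_table(stored, table):
    """The attacker's precomputed table never matches a salted digest."""
    _, digest_hex = stored.split("$", 1)
    return table.get(digest_hex)


def crack_salted_by_guessing(stored, wordlist):
    """What the attacker is forced into instead: rerun the slow KDF for every
    candidate, separately for every user. Weak passwords still fall."""
    for pw in wordlist:
        if verify_salted(pw, stored):
            return pw
    return None


if __name__ == "__main__":
    table = build_lookup_table(WEAK_PASSWORDS)
    print("unsalted:", crack_unsalted(unsalted_hash("iloveyou"), table))
    stored = salted_hash("iloveyou")
    print("salted, table lookup:", crack_salted_with_table(stored, table))
    print("salted, per-user guessing:", crack_salted_by_guessing(stored, WEAK_PASSWORDS))
```

The last function is the caveat a site operator should take from this: salting removes the one-table-cracks-everything shortcut, but a password on a known-bad list is recovered anyway, which is exactly why the challenge checks your passwords against such a list.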

The security challenge downloads and decrypts your data (locally, as always), then compares it against a list of known poor passwords and shows you which domains share the same password. It'll help you protect yourself from these attacks in the future. LastPass gives you a score so you know how well you're doing, and keeps a history of your scores so you can track your improvement.
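As an added example of the kind of checks the challenge runs over an already-decrypted vault (this is not LastPass's own code, and its scoring formula is not the one LastPass uses), the sample vault, the known-bad list, the minimum length and the scoring rule below are all constructed assumptions. It groups sites by shared password, flags passwords that appear on the bad list or are too short, and reduces the result to a single score so a user can track improvement over time:

```python
from collections import defaultdict

# Constructed sample vault, as it would look after local decryption. Not real data.
VAULT = [
    {"domain": "mail.example.com",  "username": "alice", "password": "iloveyou"},
    {"domain": "shop.example.net",  "username": "alice", "password": "iloveyou"},
    {"domain": "bank.example.org",  "username": "alice", "password": "iloveyou"},
    {"domain": "forum.example.com", "username": "alice", "password": "rockyou"},
    {"domain": "work.example.com",  "username": "alice", "password": "V7#kq2!pLm9zR@4w"},
]

# Constructed known-bad list; a real one would hold the common entries from leaks.
WEAK_PASSWORDS = {"123456", "12345", "password", "iloveyou", "princess", "rockyou"}

MIN_LENGTH = 8  # assumption


def reused_passwords(vault):
    """Map each password used on more than one domain to the sorted domains."""
    by_password = defaultdict(list)
    for entry in vault:
        by_password[entry["password"]].append(entry["domain"])
    return {pw: sorted(domains) for pw, domains in by_password.items() if len(domains) > 1}


def weak_entries(vault, weak_set, min_length=MIN_LENGTH):
    """Return (domain, reason) for every site whose password is on the bad list
    or too short. The bad-list check runs first, since it is the stronger finding."""
    findings = []
    for entry in vault:
        pw = entry["password"]
        if pw in weak_set:
            findings.append((entry["domain"], "in known-bad list"))
        elif len(pw) < min_length:
            findings.append((entry["domain"], "shorter than %d characters" % min_length))
    return findings


def challenge_score(vault, weak_set):
    """Assumed scoring rule: the percentage of sites whose password is neither
    weak nor shared with another site. An empty vault scores 100."""
    if not vault:
        return 100
    flagged = {domain for domain, _ in weak_entries(vault, weak_set)}
    for domains in reused_passwords(vault).values():
        flagged.update(domains)
    good = sum(1 for entry in vault if entry["domain"] not in flagged)
    return round(100 * good / len(vault))


if __name__ == "__main__":
    for pw, domains in reused_passwords(VAULT).items():
        print("reused on %d sites: %s" % (len(domains), ", ".join(domains)))
    for domain, reason in weak_entries(VAULT, WEAK_PASSWORDS):
        print("weak at %s: %s" % (domain, reason))
    print("score:", challenge_score(VAULT, WEAK_PASSWORDS))
```

Everything here operates on data that never leaves the machine, which matches the "locally as always" point above: the known-bad list is compared against the decrypted vault in memory rather than by sending passwords anywhere.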

We recommend using Firefox or IE to update your sites, as the 'Fill Current Password' + 'Generate' notification bar hasn't been added to Chrome or Safari yet.

1.64.4 adds the security challenge to the menus (under Tools) and includes some long-requested features: IE can run in 'tool button' mode, IE and Firefox share login state, a better updating process in IE, better menus in Chrome, and more.

If IE asks you to download more than once, please reinstall via: https://lastpass.com/lastpass.exe