Dec 1, 2011

Your LastPass account is safe on Carrier IQ enabled mobile devices

When we read what Trevor Eckhart found regarding the logging done by an application installed by default on a number of HTC- and Samsung-based Android phones, we were concerned about just how far this Carrier IQ keyboard logging went.

We had to know if any of our users were at risk, so we could alert them to any danger. We replicated Trevor's findings, which he explained in his post on AndroidSecurityTest.com (the site seems to be intermittently down):  http://androidsecuritytest.com/features/logs-and-services/loggers/carrieriq/

He also posted a YouTube video, now making its way through the media, showing his tests:



We saw the same log entries Trevor saw when dialing phone numbers and receiving SMS, so that is confirmed.

We did not see any log entries when using the general keyboard, though, including when typing into our LastPass for Android app and our LastPass for Dolphin HD app. The LastPass pin code entry does not use the phone keyboard, so that is safe as well.

This is very good news, as your LastPass account - and most importantly, your master password - is safe on your Android phone even if Carrier IQ is installed.

Please note that using a multi-factor authentication device like Google Authenticator with your LastPass account would protect you even if an application were logging keyboard events, so it's highly recommended.

We'll continue to monitor the situation and assess potential risks to LastPass users.

The LastPass Team

Nov 28, 2011

Three Great New Features Added to Windows Phone 7 App

Our recent Windows Phone 7 update includes three new features to help round out your LastPass mobile experience. We've added support for pin-code prompt on reactivation, grouping of sites in the vault, and fast-app switching. Here are the specifics:

Pin Code Prompt

You can enable the pin code prompt in your app settings so that when multitasking back to the LastPass app, you're prompted to enter your 4-digit code. This provides an extra layer of security that's more manageable on your Windows Phone 7, since you won't have to re-enter your master password each time you reopen the app.

To enable the pin code prompt, log in to the LastPass app to view your LastPass vault. Tap the ellipsis (three dots) at the bottom of the screen to expand the menu options. Tap the "set pin code" option, and enter a 4-digit pin code. The next time you multitask away from and back to the LastPass app, you'll enter this pin code to regain access.

Grouping of Sites in the Vault

Previously, the Windows Phone 7 app displayed all of your stored data as a list in alphabetical order. With the latest update, your sites will now be organized by groups, the same way they are organized in the vault via your desktop browser addon.

Grouping allows you to better organize your data and more quickly sort through your sites for the logins you need.

Fast App Switching

Support for Fast App Switching allows you to easily switch between LastPass and other apps, helping to improve your workflow. To use Fast App Switching, hold down the back button and you will see all apps that are currently running. You can tap another app's icon to quickly switch to that app.

Plus more!

We made several improvements and bug fixes. For example, if you've enabled Google Authenticator and are using it to log in to the LastPass mobile app, we've improved support for switching apps when entering the Google Authenticator login code. We're working hard to bring more updates and improvements to our mobile apps and browser addons - stay tuned!

The LastPass Team

Nov 22, 2011

Gearing Up for Seasonal Online Shopping: A User's Guide to LastPass Form Fill

If you're looking to do some serious online shopping this holiday season (Cyber Monday, anyone?), LastPass helps reduce the frenzy, so you can easily pay for the items in your cart and move on to other things on your TO-DO list. Our "Form Fill" feature simplifies the shopping process by filling registration, shipping, and billing forms with one click!

In this post we'll take you through setting up profiles for maximum efficiency, including how to use the mix & match option for simplified autofilling.

Set Up a Form Fill Profile

Let's get started by setting up a form fill profile, such as a profile for your shipping address. Click on your LastPass Icon, select "Fill Forms" from the menu, and choose "Add Profile".

A dialog will open, where we can enter our name, address, birth date, and other information we might be required to enter in a shipping form when checking out online. Name the profile something memorable so you know when to use it, like "Bob Home Shipping".

Create a profile for each combination of name and shipping or billing address, labeling them as you go. You may want a "Work Shipping", "Home Shipping", and more, depending on your needs. If some of the information overlaps, you can copy a Form Fill profile by selecting your LastPass Icon, then "Fill Forms", selecting a specific profile, and choosing "Copy". A new profile dialog will be opened with information from the profile already filled in - this reduces the amount of duplicate information you'll need to enter when creating your profiles.

Add a Credit Card Profile

You'll notice there's a credit card tab in the profile dialog as well, but unless you always use the same profile with the same credit card, consider adding a separate profile for each of your credit or debit cards that you use when online shopping.

Click on your LastPass Icon, select "Fill Forms", and choose "Add Credit Card".

Here you can enter your name, credit card number, start and expiration dates, and other data you may be required to enter when filling out a checkout form. You may have profiles for a "Debit Card" or "Corporate Credit Card" - whatever covers the range of your online shopping needs.

Fill a Form!

OK, so now that you're all set up, it's time to get down to business. Let's head to Amazon.com to purchase the items in our cart. When we get to the shipping page and click on one of the fields, LastPass gives us a notification for Form Fill. We can click "Fill Form" and choose the profile we want to use for our shipping address - then LastPass autofills the data!


With that data entered, I can proceed to the billing information, where I use my credit card profile to autofill the form:

Done! Now we're ready to complete the transaction.

Note that if LastPass does not prompt you with your form fill profiles, you can click your LastPass Icon, choose "Fill Forms", and select a profile to autofill your data.

Mix & Match

If you're on a registration or checkout form where the shipping and billing information are shown all at once (as opposed to separate pages like Amazon), our Mix & Match option allows you to quickly pair up two profiles and autofill your data.

Click your LastPass Icon, choose "Fill Forms", and select "Choose Profile and Credit Card". In the dialog, you can choose a profile from the left-hand side, and a credit card from the right-hand side.

LastPass will then autopopulate the corresponding fields with the data stored in each profile.

More Tips for Online Shopping with LastPass

Here are a few other helpful tips from our team:
  • If you create new accounts as you shop, use LastPass to generate strong, unique passwords
  • Consider enabling multifactor authentication (such as the newly-supported Google Authenticator) for increased security
  • Use the "Share" feature in LastPass instead of emailing, IM-ing, or texting passwords to friends & family who need access to shared accounts
  • Beware of phishing attempts. Use LastPass to launch your sites rather than clicking on links in untrusted emails to reduce the risk of compromised logins

Happy shopping, everyone!

And Happy Thanksgiving,

The LastPass Team

Nov 4, 2011

Introducing Support for Google Authenticator



We're happy to announce the inclusion of Google Authenticator as a new multifactor authentication option for LastPass. With the latest LastPass plugin and a supported mobile device, you can now use your phone in conjunction with your master password to generate a secure key that is needed to log in to your account. Authenticator token support has been a hotly anticipated addition to LastPass, and we're happy to make good on that obligation to our users.

We strongly believe in multifactor as being an excellent way to protect your sensitive data, and so we are opening this feature up to all LastPass users, including free accounts. For further information on setting up your account with Google Authenticator, or running it on unsupported devices, please see our helpdesk article.

Oct 12, 2011

Moving to a New Email Address? Update LastPass, too!

There's no doubt moving is an intensive process. One time-consuming but important task is to send off your new address to all of your contacts and make a list of all the bills and services you'll need to update. Moving in the digital world is no different! If you're transferring over to a new email address, don't forget to update your LastPass account if the previous email address will no longer be valid or accessible.

A valid email address for your LastPass account is very important. Security notifications, records of changes to your sites, and updates from LastPass will be sent to the email address associated with your account.

If you've also enabled a "security email address" for your LastPass account, double-check that it's up-to-date. Emails to enable or disable multifactor authentication devices and other security steps may be sent to your security email address.

You can update your LastPass email address at any time by clicking on your LastPass Icon, selecting 'My LastPass Vault', and clicking on the 'Account Settings' link at the top right of your vault. You'll see a field containing your current email address, which you can replace and then confirm by submitting your LastPass master password. To update your security email address, go through the same steps, but click on the 'Security' tab, where you'll see your current security email address. Again, replace the field with an updated email, then confirm by entering your LastPass master password.

LastPass also makes it easy to identify other sites that you'll need to update. By searching for your old email address in your LastPass vault, you'll see which entries have it registered as a username or account email address. As you go to each site and update your email address, confirm the changes to the entries saved in LastPass when prompted by the LastPass notification bar.

Enjoy your new digital home!

The LastPass Team

Sep 20, 2011

Free 6 Months Premium for All University Students!


With back-to-school season in full swing, we're giving away 6 months of LastPass Premium to all university students! For a limited time, students with a valid university email address can go to lastpass.com/edu and follow the quick steps to upgrade their LastPass account.

The Premium upgrade will allow students to take full advantage of LastPass' secure cross-browser, cross-platform syncing capabilities to access login data from anywhere, at any time. LastPass makes student life a bit easier by helping you get organized with your digital life and get on with your semester - no more forgotten passwords and no more re-using the same password everywhere. And if your computer happens to crash (fingers crossed it doesn't, especially right before finals, but if it does...) you'll be able to reinstall LastPass with no data lost and one less thing to sweat about.

Best of luck this year, students!

Thanks,
The LastPass Team

Aug 25, 2011

New LastPass Enterprise Feature: Link Your Personal Account to Your Company Account

We've added a new feature to LastPass Enterprise that allows you to link your personal LastPass account to your Enterprise LastPass account, making it even easier for you to maintain a workflow between the two!

Take the following scenario. You've been a LastPass user for a while, and are loving the convenience and security it adds to your digital life on a daily basis. You start thinking about how disorganized your office is when it comes to passwords - always tracking someone down to get that login, trying to find the Post-It that someone tacked to the community board with the pin to that program...And that's when you suggest LastPass Enterprise, the SMB solution to password problems!

But once you convince your company to give LastPass a go, you may run into the issue of keeping your current, personal account separate from your newly-created Enterprise account. However, you also don't like the idea of managing two different LastPass accounts. And that's where Linked Accounts comes in!

Our new option to "Link Personal Account" allows you to integrate your personal account with your Enterprise account, without mixing your personal data with your business data.

Getting set up with Linked Accounts is easy. Just log in to lastpass.com with your Enterprise account. Once you're logged in, you can click on the "Link Personal Account" link on the left-hand Actions menu:

When prompted, you can then log in with your personal account. And voila! Your personal LastPass account will now appear as a sub-folder in the vault of your Enterprise account, and you will be able to view, edit, and log in to your personal sites as usual.

Whatever company policies have been created by your organization for LastPass Enterprise will be applied to that sub-folder when you are logged in via your Enterprise account. However, you can still log in separately to your personal account, and those Enterprise policies will not be transferred over, nor will the login activity for the sub-folder or your personal account be reported to the Enterprise Admin. Any updates you make to the sub-folder will automatically be pushed back to your personal account.

More great LastPass Enterprise updates are on the way. Try adding your LastPass account to your Enterprise account today - and if this has held you back from starting a trial for your company, check out LastPass Enterprise to see if it meets your company's needs!

Thanks,
The LastPass Team

Jul 21, 2011

LastPass Gets a New Look for Mac Lion & Safari 5.1 Release

With the official announcement of OSX 10.7 Lion by Apple, we've released a new version of LastPass for Safari 5.1 - with a new look, too!

Apple has made some significant updates to Safari, some of which have affected how LastPass works. The native SIMBL extension is no longer compatible due to the changes to the browser, so we took advantage of some of the new features of their extension interface to make our JavaScript extension much better.
For example, we have implemented a popover-style menu that significantly improves the usability and user interface of LastPass compared to previous versions. We have added a search input box on the main menu, which many users requested to improve searchability of logins. The password generator is also accessible from the main menu, giving easier access to new, secure passwords.
Once you've upgraded your system to Mac OS X Lion or your browser to Safari 5.1, you can install the new version of LastPass. First uninstall all traces of LastPass that you may have installed in your new Safari: copy-paste https://lastpass.com/lpsafari.dmg into Safari or another browser on your Mac, press "Enter" to start the download, and choose the "uninstall" package option.

Once complete, copy-paste https://lastpass.com/lastpass.safariextz to Safari and press "Enter" to run the installer. Ensure that extensions are enabled in the Safari Gear menu - Preferences - Extensions tab if the LastPass asterisk button doesn't appear after you complete installation.

Known compatibility issues with Safari 5.1:
  • Basic authentication logins are no longer supported - we are investigating possible workarounds.
  • The login state of the browser extension cannot be shared with the LastPass extension on other browsers.
  • Copy username and copy password do not work.
If you're running a 5.0.x version of Safari, you can continue to use the native SIMBL extension or you can upgrade to the new version but you will still see the previous menu bar rather than the new popover menu; this is only available once you upgrade to 5.1.

We believe our new Safari extension is a big step forward in our browser integration with Safari, and with the LastPass user experience as a whole. Our intent is not only to give LastPass a makeover, but to simplify access to your data and reduce the number of clicks you need to make to get the job done.

We know it's a big change for our users, and we welcome your reactions or suggestions via comments below or in an email to support@lastpass.com.

Thanks,
The LastPass Team

Jun 29, 2011

LastPass for iPhone Gets an Update!

It's arrived - an update to our iPhone app!

We've added a few new features and resolved a number of previous issues, amongst them:
  • "Force offline login" support added - this new option on the app's login screen can be used to speed up the login process if you're in an area with marginal cell phone coverage
  • Shared folders support added - our latest addition to LastPass for Enterprise is now available on the iPhone app as well
  • Secure note templates sometimes only showed the first line of data, which we've resolved
  • A few issues with password re-prompt required are now resolved
  • A number of crash fixes for improvement of general functionality
Thank you for your continued feedback on our iPhone app, and LastPass in general - we'll continue to roll out updates!

The LastPass Team

Jun 9, 2011

Windows Phone 7 Update

The latest version of the LastPass app for Windows Phone 7 has now been published!

Amongst the improvements are:
  • Multiple bug fixes, such as improved support for multitasking
  • Copy + paste support, now that Microsoft has built this into the platform
As mentioned in our previous post, you can launch the app and log in to your LastPass account to view a full list of your stored sites. A small menu appears at the bottom of the screen, allowing you to select "launch mode", symbolized by a lightning bolt, in which tapping a site launches it in the embedded browser, or "details mode", symbolized by lines of text, in which tapping a site allows you to view the data saved in the site entry.

The new copy-paste functionality improves the ability to use LastPass to log in to other apps and transfer data to other locations. To use the new feature, simply log in to your account to launch your vault. Once in "details mode" in the vault, you can tap on a site entry to bring up the "edit" view of the site. If you tap on the little bar with the ellipsis (three dots) at the bottom of the screen, you can select the "show password" option, which allows you to see the password instead of the masking dots. You can then double-tap on the password field, and once the text is highlighted you can select the "copy" image that appears right above.

This automatically copies the password to the clipboard. You can now navigate to another app, for example, by tapping the "Windows" button on your phone to then paste the password information to an app's login.

We'll continue to roll out improvements to the app and incorporate new features, such as grouping of sites.

Update your app today to check out these updates!

May 4, 2011

LastPass Security Notification

Update 10, May 16th, 3:20pm EST - Final update to this post, we'll make new posts going forward

Actions we've taken:
  • Multiple security experts and firms were brought in to help us; we've engaged one firm to do a further source-code-based review.
  • We're committed to doing several reviews per year and sharing the results of these reviews.
  • We've had some useful suggestions from the community -- we appreciate your input: https://lastpass.com/support_security.php
  • One example: to reduce the chance of phishing Iastpass.com was registered -- that's a capital i instead of an L. We've also purchased 1astpass.com
  • All non-core services have been completely removed from the LastPass network; LastPass now runs the web application and DNS servers only.
  • Forums, Helpdesk, etc are run offsite on 3rd party servers.
  • We're looking into moving our support tickets off our network too.
  • Amazon was utilized to send out the email notification; we're better able to send large amounts of email quickly in the future, and thank Amazon for working to spin us up quickly.
  • We've commissioned a write-only, off-site aggregated log server which can only be accessed via the console. This will allow us to guarantee that any logging is intact.

The good:
  • We were prepared to both disable accounts and force people through password changes, which was something we had planned for.
  • The steps we took protected all users, even those who used weak master passwords.
  • Having a live backup system proved invaluable for people who ran into issues, or forgot their new master password after changing it.

We made a number of tactical errors including:
  • Out of the gate, we inconvenienced a large number of people who knew their passwords were strong and therefore could never have been at any risk.
  • Massively underestimating the amount of media attention we'd receive. This had 2 effects: 1. Greatly increased the number of users attempting to change their passwords -- our plan was for people coming from new computers which is a small percentage of the overall user base per day that we could have handled; 2. Drove a big increase in new users as people interested in LastPass attempted to check us out.
  • We didn't have any previous IP tracking data on previously used computers for people without login tracking. This caused nearly all these people to face password change immediately.
  • We moved too slowly to shut down password changing once the system was under stress.
  • We weren't prepared to send large amounts of email quickly, especially after turning off a server. (Resolved going forward w/ Amazon)
  • Some of our customers were unfamiliar with logging into LastPass in offline mode, which panicked a number of them.
  • Blogger (who we use for blog.lastpass.com) had some downtime through the event.

Additional changes coming:
  • Our next release will make it clear how to login offline from the login dialog.
  • We've purchased a large amount of additional server capacity so we can handle extreme load events better in the future.
  • We'll be utilizing the 'from a new location' capability in a few new security features.

Update 9, ~11am 05/09 EST:

Many users are changing their password and then finding they can't remember it; a number have also run into issues with password changes and want to go back. You can now do this yourself without contacting us: https://lastpass.com/revert


Update 8, ~9am 05/07 EST:

We enabled password change to greater percentages overnight and now to all users. Again please note that there is no need to panic, all accounts were put into a locked down mode of only allowing previous login locations or verify via email, until password change.

We're asking any users who have current issues with a password change to use https://lastpass.com/revert to restore themselves from backups. Many of these have been people forgetting what password they changed to, so make sure you practice that new password a number of times after you change it.

We appreciate your patience, we'll continue to update with any changes.

Update 7, ~6pm 05/06 EST:

Everyone should be able to log in (after verifying your email if you are coming from a new IP). We've begun allowing all premium users and a percentage of users to go through password change.

Please note that there is no risk in waiting if you can deal with verifying by email when you use a computer at a new place (IP).

If you experienced an issue with a password change and want to be restored from backups we can do that too and will provide a URL to do it shortly.

Update 6, ~10:30am 05/06 EST:

If you have been experiencing an error contacting the server, please try logging in both via the plugin and the website - you should now gain online access. If you still see an error, please open a support ticket or email support@lastpass.com, if you haven't already done so.

Currently we're not allowing users to change master passwords until our databases are completely caught up and we have resolved outstanding issues. We will update our users via the blog when it is possible to do so.

Thank you for your continued patience.

Update 5, ~1:30am 05/06 EST:

We've added the option for you to say that you know your master password is strong and to avoid the password change. We apologize for not having that available when we announced.

We've identified an issue with roughly 0.5% of users that impacted their master password change, and will be contacting you tomorrow to roll you back to before the change.

Our focus right now is on ensuring we can resolve users with issues, we'll continue to provide updates here.

Update 4, ~10pm EST:

Joe's interview with PCWorld covers more details on what happened, what our thought process has been, and what this means for our users: http://www.pcworld.com/article/227268/exclusive_lastpass_ceo_explains_possible_hack.html.

We continue to work as quickly as possible to address user support.

Update 3, ~4:30pm EST:


Logging in offline should be working everywhere if you have logged in using that client before. If you're having problems with this, please attempt to log in via the website: https://lastpass.com/?ac=1 - that should now take you through an email process to enable your current IP.

If you're having problems getting your data with Pocket, make sure you're selecting to log in to the local file, not logging in at LastPass.com.

If you changed your password and are now having problems we'll help with that too, please email us if that's the case and include your LastPass email address.

For those who haven't been prompted, and have continued to use LastPass without issue -- we've judged the risk to be low if you're using the same IP -- we're only raising the issue once that changes.

Finally if you have issues with password changes please email us at support@lastpass.com, we can revert you, or we can pull data from backups, but please try LastPass Icon -> Clear local cache first.

Update 2, 2:15pm EST:

Record traffic, plus a rush of people to make password changes is more than we can currently handle.

We're switching tactics -- if you've made the password change already we'll handle you normally.
If you haven't, the vast majority of you will be logged in using 'offline' mode so you can still use LastPass like normal and get back to your day; only syncing of new passwords should suffer (and you'll see the bar).

As load lowers we'll increase the percentage of people being sent through email validation / password changing.

For people experiencing problems, please email us at support@lastpass.com -- we have seen a few reports of bogus data post-change. We think this is due to downloading a stale copy; if you go to LastPass Icon -> Clear Local Cache and try again, it should work.

You can access your data via LastPass in offline mode or by downloading LastPass Pocket : https://lastpass.com/misc_download.php (choose your OS).

---

We noticed an issue yesterday and wanted to alert you to it. As a precaution, we're also forcing you to change your master password.

We take a close look at our logs and try to explain every anomaly we see. Tuesday morning we saw a network traffic anomaly for a few minutes from one of our non-critical machines. These happen occasionally, and we typically identify them as an employee or an automated script.

In this case, we couldn't find that root cause. After delving into the anomaly we found a similar but smaller matching traffic anomaly from one of our databases in the opposite direction (more traffic was sent from the database compared to what was received on the server). Because we can't account for this anomaly either, we're going to be paranoid and assume the worst: that the data we stored in the database was somehow accessed. We know roughly the amount of data transferred, and that it's big enough to have transferred people's email addresses, the server salt and their salted password hashes from the database. We also know that the amount of data taken isn't remotely enough to have pulled many users' encrypted data blobs.

If you have a strong, non-dictionary based password or pass phrase, this shouldn't impact you - the potential threat here is brute forcing your master password using dictionary words, then going to LastPass with that password to get your data. Unfortunately not everyone picks a master password that's immune to brute forcing.

To counter that potential threat, we're going to force everyone to change their master passwords. Additionally, we're going to want an indication that you're you, by either ensuring that you're coming from an IP block you've used before or by validating your email address. The reason is that if an attacker had your master password through a brute force method, LastPass still wouldn't give access to this theoretical attacker because they wouldn't have access to your email account or your IP.

We realize this may be an overreaction and we apologize for the disruption this will cause, but we'd rather be paranoid and slightly inconvenience you than to be even more sorry later.

We're also taking this as an opportunity to roll out something we've been planning for a while: PBKDF2 using SHA-256 on the server with a 256-bit salt utilizing 100,000 rounds. We'll be rolling out a second implementation of it with the client too. In more basic terms, this further mitigates the risk if we ever see something suspicious like this in the future. As we continue to grow we'll continue to find ways to reduce how large a target we are.
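As an added example, not code from the post or from LastPass, here is a stored-record scheme with the server parameters named above (PBKDF2-HMAC-SHA256, a random 256-bit salt, 100,000 rounds) plus the client-side layer the post says is planned; the client salt (the lower-cased account email) and the client round count are assumptions.

```python
import hashlib
import hmac
import os

# Parameters named in the post for the server side: PBKDF2 with SHA-256,
# a 256-bit salt and 100,000 rounds.
SERVER_ROUNDS = 100_000
SALT_BYTES = 32            # 256 bits
# Assumption: the client-side layer uses the same work factor.
CLIENT_ROUNDS = 100_000


def client_auth_token(master_password: str, account_email: str) -> bytes:
    """Client-side layer. Assumption: salted with the lower-cased account
    email, so the raw master password never leaves the device and the value
    the server receives is already one PBKDF2 run removed from it."""
    return hashlib.pbkdf2_hmac("sha256",
                               master_password.encode("utf-8"),
                               account_email.lower().encode("utf-8"),
                               CLIENT_ROUNDS)


def server_hash(token: bytes, salt: bytes, rounds: int = SERVER_ROUNDS) -> bytes:
    """Server-side layer: PBKDF2-HMAC-SHA256 over the client token with a
    per-account random salt. This is what the database record holds."""
    return hashlib.pbkdf2_hmac("sha256", token, salt, rounds)


def enroll(master_password: str, email: str) -> dict:
    """Create the stored record for a new or changed master password.
    A fresh salt is drawn every time, so two records for the same
    password never share a hash."""
    salt = os.urandom(SALT_BYTES)
    token = client_auth_token(master_password, email)
    return {"email": email, "salt": salt, "rounds": SERVER_ROUNDS,
            "hash": server_hash(token, salt, SERVER_ROUNDS)}


def verify_login(master_password: str, record: dict) -> bool:
    """Recompute both layers and compare in constant time, so a wrong guess
    costs the same as a right one and the comparison leaks nothing by timing."""
    token = client_auth_token(master_password, record["email"])
    candidate = server_hash(token, record["salt"], record["rounds"])
    return hmac.compare_digest(candidate, record["hash"])


def hmac_calls_per_guess(record: dict) -> int:
    """Work an attacker holding a leaked record must do per dictionary word:
    one HMAC per round in each layer (the derived length is one SHA-256
    output, so each PBKDF2 run is a single block). A plain salted SHA-256
    would cost 1 here, which is why the rounds matter for weak passwords."""
    return CLIENT_ROUNDS + record["rounds"]


if __name__ == "__main__":
    rec = enroll("correct horse battery staple", "user@example.com")
    print("stored hash:", rec["hash"].hex())
    print("login ok:", verify_login("correct horse battery staple", rec))
    print("HMAC calls per guess:", hmac_calls_per_guess(rec))
```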

For those of you who are curious: we don't have very much data indicating what potentially happened or what attack vector could have been used, and we are continuing to investigate it. We had our Asterisk phone server more open to UDP than it needed to be, which was an issue our auditing found, but we couldn't find any indications on the box itself of tampering; the database didn't show any changes escalating anyone to premium or administrator, and none of the log files give us much to go on.

We don't have a lot that indicates an issue occurred but it's prudent to assume where there's smoke there could be fire. We're rebuilding the boxes in question and have shut down and moved services from them in the meantime. The source code running the website and plugins has been verified against our source code repositories, and we have further determined from offline snapshots and cryptographic hashes in the repository that there was no tampering with the repository itself.

Again, we apologize for the inconvenience caused and will continue to take every precaution in protecting user data.

The LastPass Team.


Update 1:

We're overloaded handling support and the sheer load of password changes is slowing us down. We've implemented a way for you to verify your email and then not be immediately forced to change your password for that IP, access from any other IP would bring you back to email verification. You can now wait a few days if you know you'll be on the same IP without loss of security, and due to this overloading we think that's prudent to wait.

We're asking if you're not being asked to change your password then hold off -- we're protecting everyone.

Mar 1, 2011

Content Security Policy (CSP) implemented on LastPass.com -- the beginning of the end of bookmarklets?

If you're using Firefox 4, you now gain the additional protection afforded by CSP (Content Security Policy) on LastPass.com.

This is a big step forward in terms of protection from Cross Site Scripting attacks - and potentially other browser based attacks. Even if one occurred, each page controls exactly which sources it may load script from and which pages it can talk to, so that the scope for data leakage resulting from the attack is sharply reduced.

This has been eye-opening as we've implemented it. CSP has a reporting infrastructure built in, so you can see exactly what requests are being blocked. We've already seen over a dozen unique bookmarklets caught in our CSP blocking net: a bookmarklet runs as inline script injected into the page, which CSP blocks unless the policy explicitly allows inline script, so each one shows up as a violation report.

Does this mean the end of bookmarklets? Any site with sensitive data will ultimately implement CSP, making even our own bookmarklet for logging in obsolete. Now is the time to start requesting that browsers support overrides to the CSP to keep your favorite bookmarklets working everywhere.

Today, CSP is only deployed on Firefox 4, but the LastPass extension should support it on a number of other browsers in our next release.

We haven't fully locked down our CSP yet; today we're allowing every page from LastPass.com to talk to LastPass.com, but soon we'll lock this down further so that https://LastPass.com/?securitychallenge=1 can ONLY talk to https://LastPass.com/?securitychallenge=1, which will be another big step forward.
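To make the decisions in this post concrete, here is an added example (not LastPass's code, and not the policy LastPass actually served) of a small CSP evaluator: it parses a policy header, decides whether a given script, XHR or image load would be allowed from a given page, and builds the JSON body a browser POSTs to report-uri when it blocks something. The policy string, page URL and target URLs below are constructed for the example. The syntax is today's Content-Security-Policy; Firefox 4 sent the same idea in an X-Content-Security-Policy header with an "allow" directive where this uses default-src.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_policy(header_value: str) -> dict:
    """Split 'directive src src; directive src ...' into {directive: [sources]}."""
    policy = {}
    for chunk in header_value.split(";"):
        tokens = chunk.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _origin(url: str):
    u = urlsplit(url)
    return (u.scheme, u.hostname, u.port or DEFAULT_PORTS.get(u.scheme))


def _source_matches(expr: str, page_url: str, target_url: str) -> bool:
    """Does one source expression permit loading target_url from page_url?"""
    if expr in ("'none'", "'unsafe-inline'", "'unsafe-eval'"):
        return False                                  # keywords never match a URL
    if expr == "*":
        return True
    if expr == "'self'":
        return _origin(target_url) == _origin(page_url)
    t = urlsplit(target_url)
    if expr.endswith(":"):                            # scheme source, e.g. https:
        return t.scheme == expr[:-1]
    e = urlsplit(expr if "://" in expr else "//" + expr)
    if e.scheme and e.scheme != t.scheme:
        return False
    host, pattern = (t.hostname or ""), (e.hostname or "")
    if pattern.startswith("*."):                      # *.example.com: subdomains only
        if not host.endswith(pattern[1:]):
            return False
    elif host != pattern:
        return False
    expr_port = e.port or DEFAULT_PORTS.get(e.scheme or t.scheme)
    target_port = t.port or DEFAULT_PORTS.get(t.scheme)
    if expr_port != target_port:
        return False
    return t.path.startswith(e.path) if e.path else True


def allows(policy: dict, directive: str, page_url: str,
           target_url: str = None, inline: bool = False) -> bool:
    """Decide one load. A fetch directive that is absent falls back to default-src;
    if neither is present the load is unrestricted."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True
    if inline:                                        # bookmarklets and <script> blocks land here
        return "'unsafe-inline'" in sources
    return any(_source_matches(s, page_url, target_url) for s in sources)


def violation_report(policy_header: str, directive: str, page_url: str, blocked: str) -> dict:
    """Body a browser POSTs to report-uri when it blocks a load."""
    return {"csp-report": {
        "document-uri": page_url,
        "violated-directive": directive,
        "blocked-uri": blocked,
        "original-policy": policy_header,
    }}


# Constructed policy in the spirit of the post: the site may only talk to itself.
POLICY_HEADER = ("default-src 'self'; script-src 'self'; "
                 "connect-src https://lastpass.com; report-uri /csp-report")
POLICY = parse_policy(POLICY_HEADER)
PAGE = "https://lastpass.com/?securitychallenge=1"

if __name__ == "__main__":
    print("own script     :", allows(POLICY, "script-src", PAGE, "https://lastpass.com/js/vault.js"))
    print("bookmarklet    :", allows(POLICY, "script-src", PAGE, inline=True))
    print("xhr to attacker:", allows(POLICY, "connect-src", PAGE, "https://attacker.example/collect"))
    print(violation_report(POLICY_HEADER, "script-src", PAGE, "inline"))
```

One caveat on the per-page lockdown the post plans: CSP source expressions match on scheme, host, port and path, not on query strings, so restricting what a particular page may talk to is done by serving that page with its own, narrower policy header rather than by naming the query string in the policy.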

Feb 27, 2011

Cross Site Scripting vulnerability reported, fixed

While no client data was impacted, we were notified at ~3pm Eastern time yesterday of a non-persistent cross site scripting vulnerability on the LastPass.com website. By 5:30pm it was fixed, tested and deployed, closing the hole. It's important to note that this was not a flaw with the extensions, and it could only potentially have been exploited if you visited a malicious site that was set up to exploit this flaw while you were logged into LastPass.

The cause of this issue was with our testing procedure for this particular case, which has been rectified. Our logs indicate that there's no sign of this being successfully utilized (beyond the person who found it). We've made a number of changes to improve security on the LastPass.com website and help reduce the chance of a recurrence of this kind of issue:

1) Implemented HSTS: http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security This will ensure browsers that support it (Chrome and Firefox 4) will be forced to stay on secure SSL web requests for the lastpass.com domain.

2) Increased our input filtering and stateful inspection.

3) We've implemented X-Frame-Options https://developer.mozilla.org/en/the_x-frame-options_response_header which would make an attack like this more difficult to exploit, as it prevents our pages from being embedded in another page via an iframe/frame in browsers that honor the header.

4) We've begun implementing something very similar to Content Security Policy (CSP) https://wiki.mozilla.org/Security/CSP/Specification. LastPass is a browser extension, so we can implement this today and roll it out far more quickly than the browsers themselves will support it.
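As an added example (not LastPass's code; the post does not say where the flaw was or what values it chose for these headers), here is the shape of the fixes in items 1 and 3 alongside the fix for the bug class itself: a WSGI middleware that sets HSTS, X-Frame-Options and a CSP header on every response, and a reflected-XSS rendering function shown next to its output-encoded replacement. The header values, the page and the payload are constructed for the example.

```python
import html
from urllib.parse import parse_qs, urlencode

# Hardening headers described in the post; the values are assumptions for the example.
SECURITY_HEADERS = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),   # HSTS (item 1)
    ("X-Frame-Options", "DENY"),                                            # no framing (item 3)
    ("Content-Security-Policy", "default-src 'self'; report-uri /csp-report"),
]


def add_security_headers(app):
    """WSGI middleware that appends the hardening headers to every response
    unless the application already set a header of that name."""
    def wrapped(environ, start_response):
        def start(status, headers, exc_info=None):
            present = {name.lower() for name, _ in headers}
            extra = [(n, v) for n, v in SECURITY_HEADERS if n.lower() not in present]
            return start_response(status, headers + extra, exc_info)
        return app(environ, start)
    return wrapped


def render_vulnerable(term: str) -> str:
    """Reflected (non-persistent) XSS: a query parameter is copied into HTML verbatim,
    so a crafted link executes script in the visitor's session."""
    return "<p>Results for: " + term + "</p>"


def render_hardened(term: str) -> str:
    """Same page with output encoding for the HTML-body context: &, <, >, " and '
    become entities, so the payload is displayed as text instead of executed."""
    return "<p>Results for: " + html.escape(term, quote=True) + "</p>"


def search_app(environ, start_response):
    """Minimal WSGI application using the hardened renderer."""
    term = parse_qs(environ.get("QUERY_STRING", "")).get("q", [""])[0]
    body = render_hardened(term).encode("utf-8")
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [body]


app = add_security_headers(search_app)


def simulate_get(wsgi_app, params: dict):
    """Drive a WSGI app without a server; returns (status, headers dict, body text)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)

    environ = {"REQUEST_METHOD": "GET", "QUERY_STRING": urlencode(params),
               "wsgi.url_scheme": "https"}
    chunks = wsgi_app(environ, start_response)
    return captured["status"], captured["headers"], b"".join(chunks).decode("utf-8")


# Constructed payload of the kind a malicious site would place in a link to the target site.
PAYLOAD = '"><script>alert(document.cookie)</script>'

if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(PAYLOAD))
    print("hardened:  ", render_hardened(PAYLOAD))
    status, headers, body = simulate_get(app, {"q": PAYLOAD})
    print(status, headers)
    print(body)
```

Two caveats a practitioner would add: HSTS is only remembered by a browser after it has seen the header on an HTTPS response, so the very first plain-HTTP visit is not yet protected, and html.escape is correct for the HTML body and attribute contexts only; data placed inside a script block or a URL needs the encoding for that context.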

We believe this issue to be resolved but are continuing to audit and implement ways to further mitigate risk. If you would like to take extra precautions in the interim a good security practice would be to avoid keeping yourself logged into LastPass if you're visiting websites of ill repute.

CSP is a big step forward in risk reduction from this kind of attack. While we're disappointed we missed this case up-front, we're pleased that it will lead to an even stronger product in the near term.

For those wanting to learn more about non-persistent Cross Site Scripting (XSS) you can read about it here: http://en.wikipedia.org/wiki/Cross-site_scripting

Our thanks to Mike Cardwell for responsibly reporting this issue.

LastPass

Feb 8, 2011

PC Mag Says LastPass Is "Still the Best"!


Neil Rubenking, Lead Analyst for Security at PCMag, recently published an in-depth review of LastPass and selected us as PC Mag's Editors' Choice for password management!

Rubenking evaluated both our free and Premium products, citing our portability and comprehensive security amongst our greatest features.

When comparing free and Premium, Rubenking comments, "You don't have to pay a penny to get extremely comprehensive and flexible password management from LastPass. The free edition does just about everything you could ask. By spending a dollar a month for the Premium edition, you extend the product's security and scope. Specifically, you gain multi-factor authentication, additional platforms, and useful ancillary programs. Choose either one; both merit recognition as PCMag's Editors' Choice."

We're proud of the five stars we received for both versions of LastPass! We hope to continue providing quality products for our one million users and counting.

Jan 31, 2011

LastPass One Million User Giveaway: An Apple iPad and Two $100 Amazon Gift Cards

Want to enter? "LIKE" our Facebook page:


You can also retweet our #LoveLastPass hashtag, or send us a postcard using registered mail.

The giveaway starts now and ends at 5:00pm EST, Monday, February 28th, 2011. For more information, see our Giveaway Terms and Conditions.

To the one million LastPass-ers and counting: We "LIKE" you, too!

The LastPass Team


UPDATE

We've now received the iPad 2 we'll be giving away to the winner of our LastPass 1 million user giveaway, an upgrade from the iPad!

The reason this hasn't been delivered yet is that LastPass users were able to submit an entry to the giveaway by liking us on Facebook, sending us a post card or tweeting some LastPass love. All 3 winners fell under Facebook's random range, but unfortunately, we ran into a bug in Facebook that has prevented us from identifying the giveaway winners chosen at random from the total pool of submissions.

We filed a bug report with Facebook in February and have been attempting to convince them to resolve it for over a month. Sadly, this Facebook bug still hasn't been fixed. Perhaps if more people submit that they can't go past page 100 on fan listing pages at this bug report page:

http://www.facebook.com/help/contact.php?show_form=pages_bug

we might convince Facebook to fix it sooner. We didn't see this before the contest started because we had less than 10,000 fans at that time.

We're very sorry that this delay has occurred, and we have tried our best to avoid disappointing our users. We hope that with your continued support, we can more quickly win over Facebook and send our lucky winners their treats!

The LastPass Team

Jan 11, 2011

A User's Guide to Setting Up LastPass on Your USB Thumb Drive


Many of our users have asked how they should access LastPass when away from their home computer, and how to stay safe on the road when using riskier public terminals at libraries or Internet cafes. Here are some tips, tricks, and general overviews on how to get LastPass set up on your USB drive so you can take your favorite password manager everywhere.

Install a Portable Browser

LastPass Portable is an ideal way to access your LastPass account while on the go. After installing a portable browser, which is essentially a fully-featured browser formatted for a thumb drive, you can install the LastPass plugin to give you the same password management experience you're accustomed to on your desktop or laptop.

With Portable Firefox and Chrome versions for Windows, Mac, and Linux, LastPass Portable gives you the ability to browse with LastPass on nearly every operating system. Firefox Portable and Chrome Portable for Windows and Linux can be downloaded from PortableApps.com, while other sites offer downloads for Mac. Once the portable browser has been installed on your computer, you can launch it and navigate to the LastPass download page, where you can locate the corresponding LastPass Portable app.

You can then install the LastPass addon as you would in any of your desktop browsers. Once installed, you can drag and drop the portable browser file onto your USB thumb drive and launch it from there when on a new computer.

Another plus side of using the portable browser is that you won't be leaving behind any record of accessing your LastPass account - no browsing history, cookies, or other locally-stored files to be concerned about. Keep in mind that this only covers what the browser writes to disk: a public terminal with a keylogger or other malware installed can still capture your master password as you type it, which is why the second factor described below matters most on machines you don't control.

Now you can literally browse on the go with LastPass!

Hook into the Desktop Browser

If you commonly use Windows with LastPass, another option you may consider is IE Anywhere, which allows you to hook into Internet Explorer from the USB thumb drive. It's essentially a standalone plugin that, when launched with IE, displays a little icon in the browser window and allows you the same functionality as the desktop plugin.


For users who aren't able to download plugins to their computer - common in the workplace - IE Anywhere lets you access and use your LastPass account, with the added benefit of leaving no files behind. IE Anywhere also gives you the ability to run LastPass on unsupported browsers like IE Tab in Firefox, Sleipnir, and Maxthon.

After downloading IE Anywhere, the file can be dragged and dropped to the USB thumb drive. When you plug your thumb drive into your computer's USB port and double-click to launch the file, the LastPass icon will appear in your system taskbar.

Clicking on the icon allows you to login, and from there you can launch IE to access all regular features of the LastPass addon.

When you're done browsing, simply click the taskbar icon, select "Logoff", and eject your USB drive. No data left on the computer, no files created, nothing in the registry, and no plugin left behind!

Carry a Backup of Your Vault

If you simply want a backup of your LastPass data or basic access to your usernames and passwords, LastPass Pocket is a stand-alone application providing storage capability and offline access of your LastPass vault. Pocket is intended to be used when you don't have an Internet connection, which is why we recommend LastPass Portable and IE Anywhere for a richer browser experience.

Pocket can be installed from the download page for Windows, Mac, or Linux and then dragged and dropped onto your USB drive. You can double-click the file to launch it from the USB drive, prompting you to login to your account. After logging in, Pocket decrypts your data and displays all of your sites and Secure Notes in a searchable interface.

Pocket comes with limitations, though. Although you can copy/paste all login elements of your saved sites or Secure Notes, you can't edit or delete any data that has been synced to Pocket, which makes it less functional for maintaining your vault.

Double Up on Security

If you want to up the security of your LastPass account, consider using a second authentication factor like Sesame, which can be run from your USB drive. Sesame protects your account by requiring the generation of One Time Passwords (OTPs) before you can complete login to your vault. The basic idea is that, even if someone were to grab your master password via keylogging or some other malware, they still won't have access to your LastPass data because they won't have the Sesame OTPs.

Sesame for Windows, Mac, and Linux can all be run from the same USB stick, so you'll never be locked out of an operating system where you need to access your data on the go. Sesame can be downloaded from the main download page, then dragged and dropped onto your thumb drive. You need to activate Sesame the first time it's launched. Once enabled, Sesame will create secure OTPs that are subsequently required to login to your account. You have the choice to copy the OTP to the clipboard or launch your browser of choice and pass the value automatically.
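To show why a one-time password defeats the keylogger scenario described above, here is an added example (not Sesame's code; the page does not describe how Sesame generates its OTPs, so this uses the generic model of a pre-generated OTP list, which is an assumption) of the server-side half: only hashes of the unused OTPs are stored, each is accepted exactly once, and a replayed OTP captured alongside the master password is rejected.

```python
import hashlib
import secrets

OTP_COUNT = 10


def generate_otps(count: int = OTP_COUNT) -> list:
    """Pre-generate a batch of random one-time passwords (what the user carries on the USB stick)."""
    return [secrets.token_hex(8) for _ in range(count)]


class SecondFactorStore:
    """Server side: remembers only digests of the unused OTPs and burns each one on use,
    so a copy of this table does not yield usable OTPs."""

    def __init__(self, otps):
        self._unused = {self._digest(o) for o in otps}

    @staticmethod
    def _digest(otp: str) -> str:
        return hashlib.sha256(otp.encode("utf-8")).hexdigest()

    def remaining(self) -> int:
        return len(self._unused)

    def consume(self, otp: str) -> bool:
        """Accept the OTP exactly once; a second presentation of the same value fails."""
        d = self._digest(otp)
        if d in self._unused:
            self._unused.discard(d)
            return True
        return False


def login(store: SecondFactorStore, password_ok: bool, otp: str) -> bool:
    """Both factors must pass. The password is checked first and the OTP is only burned
    when it was right, so wrong-password guesses cannot be used to exhaust the OTP list."""
    if not password_ok:
        return False
    return store.consume(otp)


if __name__ == "__main__":
    otps = generate_otps()
    store = SecondFactorStore(otps)
    # The keylogger scenario: the attacker captured the master password and one used OTP.
    print("user logs in:      ", login(store, True, otps[0]))
    print("attacker replays:  ", login(store, True, otps[0]))
    print("attacker guesses:  ", login(store, True, "0000000000000000"))
    print("unused OTPs left:  ", store.remaining())
```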

If you prefer to use Grid, another option is to save the CSV file of your Grid set on your USB thumb drive so you can easily login to your account while on public computers.

Get Up and Go!

With so many options for taking LastPass on the go (we didn't even cover the mobile apps), you can rest assured that you'll have secure access to your data from nearly anywhere. Head on over to the download page today to get started with any or all of the above features, and begin prepping your USB thumb drive for your next trip!