Dec 17, 2013

LastPass & Changes to Google Chrome

The LastPass extension for Google Chrome has been updated today to address significant changes that Chrome is rolling out.

Starting in early January, Chrome is shutting off all extension updates that occur outside of the Chrome web store, in an effort to tighten security.

The update is now posted on the Google Chrome store, and we are automatically transferring over our users - most LastPass users will not need to take any action since the changes are happening behind-the-scenes.

However, some LastPass users may see a prompt for permissions to be granted to LastPass the next time they launch Chrome:


If you see this prompt, please press “Allow”. A download will also start automatically - we start this download because we detect that functionality was lost in the transfer, and the download allows us to add back this functionality.

Again, most users will not need to take any further action, and the prompts for permission are not a cause for concern.

Our updates will allow LastPass users to continue running the extension without issues when Chrome is updated in January 2014, and we will update our community if any other changes will affect LastPass.

Best,
The LastPass Team.

Dec 11, 2013

Love LastPass? Show Your Support or Gift to Family & Friends!


As 2013 draws to a close, we want to say “Thanks” for using LastPass - and for being smart with your passwords. An unprecedented number of password breaches affected online services this year, so using LastPass is more important than ever.

There is no better time to show your appreciation for LastPass by going Premium. LastPass Premium has more features that make your life easier and safer.

Not to mention, you support the ongoing maintenance and development of our services, so we can keep adding and improving great features like the shared family folder, mobile apps for smartphones and tablets, security breach alerts, and more. You can also support LastPass by recommending it to everyone you know.

And don’t forget - you can also give the gift of easy password management!

Give friends and family the gift of an easy online life with LastPass Premium and help them start 2014 right with secure and convenient password management. With unlimited access to all LastPass features, Premium helps your friends and family get the most out of LastPass.

So if anyone is resolving to have better online security in 2014, make sure LastPass is top of their list!

And if you really want to strut your love for LastPass, you can now have your very own LastPass T-shirt! Check out our online store and order one today: http://484693.spreadshirt.com/

Again, a big thanks to our community. Best wishes for a happy holiday season - and a great new year.

The LastPass Team.

Nov 13, 2013

LastPass 3.0: Saving and Filling Logins

With LastPass 3.0, we’ve made some big improvements to how LastPass integrates with your browser experience. LastPass 3.0 is designed to be accessible, and simpler overall - offering what you need, where and when you need it.

Here are some tips on saving and filling your logins with LastPass 3.0:

Let’s say I’m signing up for a new Evernote account. I launch Evernote.com, and open the signup page.


On this form, LastPass has offered a “profile” icon. If I click this, I will see my form fill profiles. If I have an email address and username stored in a profile that I prefer, I can easily select that profile to fill in those details.


Or, I can manually enter an email address and username.

Now I can click the generate password icon, to generate a strong password. I click the “use password” button to enter it into the field.

Next I select “save password to vault”. The dialog expands to show me the data I’m about to save.


I can assign it to a group, then click “save site”. A moment later, a confirmation dialog will pop up on the top right of the browser.

I’m done! When I return to Evernote.com, the LastPass icon will have a “1”, meaning I have 1 entry stored for Evernote.com.


Now when I go to a site where I have an account, or multiple accounts, I’ll see the asterisk in the username and password fields.

Clicking the asterisk, I’ll see the list of my accounts, and I can easily select the one I need, then submit the login.


You can access all of the LastPass tools by selecting the red asterisk to expand the menu.


The "+" icon on the top left will let me expand the “save site” dialog.

If I go to a site, and the icons do not appear for any reason, I can click the LastPass icon, select the “show matching sites” menu, and select the login I need to autofill.


In this way, the new interface gives me quicker access to the tools I need, as I’m going about my daily online life.


If you’ve tried out LastPass 3.0 and still prefer the previous notification bars for the time being, please use our tool here: https://lastpass.com/change_ver.php to switch your settings back to “2.0 mode”.

Nov 6, 2013

Take Action Now: Check If You’re Affected by the Adobe Breach

Do you want to know if you've been affected by the recent Adobe breach?

We've built a tool to help you check if your email address was on the list of affected accounts: https://lastpass.com/adobe/

About a month ago, the software company Adobe had a big data breach said to have affected some 3 million users. News then circulated that 38 million users were affected - but wait, the problem gets worse. The data dump that was recently published online has been shown to contain 150 million breached records.

We’ve also learned that significantly more data was stolen than first thought, including emails, encrypted passwords, password hints, names, credit card numbers, and card expiration dates.

In addition to using our tool above to check your email, we are strongly encouraging our users to take additional action steps now to protect themselves from the breach:

1. Run the LastPass Security Check. In the LastPass Icon’s Tools menu, run the Security Check to see if you were using the Adobe password for any other accounts.

2. Change your Adobe password. Log in to your Adobe account and update your password at https://www.adobe.com/go/passwordreset, using LastPass to generate a new one.

3. Update the passwords for any other accounts that used the same password.

4. Share the LastPass tool. Help friends, family, and coworkers check if their accounts were affected, and show them how they can follow these steps to better protect themselves.

Since credit cards were affected, you may also want to consider signing up for free credit monitoring alerts like the ones LastPass provides. If any unusual activity is detected, you can take action immediately and mitigate the damage.

For a full analysis of the Adobe data dump, check out Paul Ducklin’s article on the Sophos NakedSecurity blog. We’ll be keeping an eye on how this story continues to develop, but most importantly we want LastPass users to continue being proactive in protecting their sensitive information, and their identities online. If you're new to secure password management, get started today by downloading LastPass, creating a free account, and updating your passwords to secure, generated ones.

Nov 4, 2013

LastPass 3.0 Is Here: New Design, New Features!


Excited doesn’t begin to express how we feel about introducing LastPass 3.0. Our new release features an updated, clean design across the LastPass browser addons, the iOS and Android mobile apps, and our website itself. We’ve worked hard to make LastPass easier to use and less intrusive.

Highlights from LastPass 3.0 include:

  • Revamped user experience and user interface
  • Field icon menus for easy access to logins and LastPass tools
  • A Shared Family Folder for up to 5 users
  • Expanded Shared Folder features for LastPass Enterprise
  • A revamped LastPass for Applications
  • Secure Note history, to track changes to your notes
  • Windows 8.1 support
  • and more

New Design, New Experience


In LastPass 3.0, we’ve changed the way LastPass notifies and interacts with you. LastPass focuses more on the website's fields, so there are fewer steps to get what you need. We're also phasing out the notification bars at the top of the browser.


A clickable icon now appears on the website's fields. The LastPass field icon is dynamic, showing you options that match what you would want to do with that field. If it’s a login form, you’ll see your matching logins for that site.


If you don’t have any logins stored for that site, LastPass will ask if you want to save it:


If it’s a “create password” field, you’ll see the Password Generator:


If it’s a shopping form, you’ll see your Profiles:


The field icon menu expands so you can quickly access all the main LastPass features:


The LastPass browser addon menu has been simplified, and we've added immediate access to search, so you can quickly find the sites and notes you need:


The vault has also been updated to reflect the new look and feel:


Improved Mobile Experience


The Premium mobile apps for Android and iOS now have a "browser-forward experience", meaning the browser is integrated with the vault for easy site searching and launching. The vault on both platforms is easily searchable, where you can add, edit, and update your passwords at a moment’s notice.


The LastPass browser now has quicker access to your logins and Profiles. You can add sites easily, generate new passwords quickly, and enjoy a more seamless mobile experience overall.

 

LastPass Shared Family Folder

 

We've streamlined sharing for our users. LastPass Premium users can now use a Shared Family Folder with up to 5 family members to manage and access joint accounts. Each LastPass user can be added to the Shared Family Folder, and the logins or notes can then be dragged-and-dropped into the Shared Folder.


Updates are then kept in sync across all users sharing the folder. See our full article in the user manual for how to get started; only the user creating the folder needs to have LastPass Premium.

Updates for LastPass Enterprise


LastPass Enterprise administrators can now give Shared Folder access to non-Enterprise LastPass users. Up to 3 non-Enterprise users can be given access to any Enterprise Shared Folder. The new functionality is particularly useful for those who may need to give contractors or part-time employees temporary access to sites. LastPass for Applications has also received a number of improvements.

We're Thrilled to Reach Another Milestone!


We are so thrilled to share LastPass 3.0 with our community. We hope you enjoy the clean design and less intrusive experience. As always, we owe a big “thank you” to our community for your continued support. We're committed to the ongoing improvement of our service, and strive to provide a great experience for our users. Let us know what you think in the comments below!

Thanks,
The LastPass Team

FAQs


How do I disable the "ticker" in the icon?
From the LastPass Icon > Preferences > Notifications, uncheck the "Show Matching Sites Count in Toolbar" option.

How do I move my matching sites list back to the main icon menu?
In the LastPass Icon > Preferences > Advanced, select the "Show matching sites in top level menu" option.

Can I go back to the old notification bars?
First, be sure that you're clicking the icons that now appear in your username and password fields to try to enter your data. If you've tested it and you don't like clicking the field icons, you can enable the old notification bars in the LastPass Icon > Preferences > Notifications, and disable the field icons from there. We'd appreciate specific feedback so we can keep fine-tuning our new release.

Oct 23, 2013

LastPass Now Supports Transakt Multifactor Authentication

In an effort to continue bringing great new technology to our users, we've added support for Transakt to our family of multifactor authentication options.

Transakt is a mobile app developed by Entersekt that provides banking-grade multifactor authentication via your mobile device. Transakt adds a second authentication layer to your LastPass account, allowing you to approve your login by responding to a simple Accept or Reject prompt directly on your smartphone or tablet.

With the ever-increasing number of online and mobile accounts amongst today's consumers, attacks are at an all-time high as advanced technology capabilities are used to steal valuable information and personal data. Transakt protects you against threats such as phishing, man-in-the-middle, man-in-the-browser, and replay attacks. It’s free to install and a snap to configure for use with LastPass.

Getting Started with Transakt


After you have completed the LastPass installation, do the following:
  1. On your mobile phone or tablet, go to gettransakt.com.
  2. Install the Transakt app.
  3. On your computer, go to My LastPass Vault and log in using your email address and your LastPass master password.
  4. From the Actions menu, click Settings.
  5. Click the Multifactor Options tab and select Transakt.
  6. From the Transakt Authentication list, select Enabled. A popup screen displays a unique sign-up code:
  7. Open the Transakt app.
  8. In the Introduction screen, click Let’s begin. In the Transakt Signup screen, do either of the following:
    • Click Scan code and scan the code displayed on your computer screen.
    • Click Enter code and type in the eight-digit code.
  9. On your computer, click OK when you receive the message that Transakt authentication has been successfully set up.
  10. On the Multifactor Options page, click Update.
  11. When prompted, enter your LastPass master password.
  12. Log out of LastPass. The next time that you log in to LastPass, an authentication request will be sent to your Transakt app and you can simply click Accept.
Let us know in the comments below if you give Transakt a try!

Oct 16, 2013

3 Tips for Creating Security-Savvy Teams

For the 3rd week of National Cyber Security Awareness month, we’re thinking about cyber security education, and how to help our workforce be more security-savvy. There’s certainly a need to educate more cyber security professionals who can lead these efforts, but we also need to be sharing our knowledge with those around us now. We can help our colleagues by giving tips for better protecting their personal information online, and provide them with suggestions for tools to do so successfully.

If you’re reading this post, we’re guessing you have a pretty good understanding of how to protect yourself online. That knowledge could also go a long way in educating your colleagues (or your family) in how to better protect themselves.

Here are 3 tips to get you started helping your coworkers and others, which in turn helps us create a more informed workforce when it comes to online security:
  1. Test their knowledge. The STOP.THINK.CONNECT initiative has created a great presentation to quiz your knowledge on online safety, security, and ethics. Have an informal presentation of the quiz over a lunch hour, or have a “security huddle” with family (even virtually) to walk through the quiz and the answers.
  2. Post actionable tips where people will see them. Staysafeonline.org has dozens of posters, handouts, and tip sheets for you to share with others and hang up on your walls. Post them on community boards or near communal workstations. Even better, schedule a few minutes each week to walk through each bullet point of their Tips & Advice sheet, so you all can get up to speed and be prepared moving forward. 
  3. Get them started with a password manager. National Cyber Security Awareness Month touches on the importance of strong, unique passwords that are securely stored, and this is best accomplished with a password manager like LastPass. Do your colleagues and family know that with LastPass you only have to worry about creating and remembering one strong master password, and that LastPass does the rest of the hard work of typing, remembering, and creating passwords? Refer others to LastPass for Premium credit today: https://lastpass.com/friendemail.php
How have you been helping to spread your knowledge of online safety for Cyber Security Awareness Month? What great resources have you found for helping colleagues and family?

Oct 14, 2013

Social Media Managers: Are You Following These Security Tips?

Many businesses and industries now recognize the benefits of social media. If you’re a Social Media Manager or a Marketing professional tasked with that role, you understand the gains for your company in customer service and brand perception by regularly participating in social communities. You also understand that building up brand awareness, leadership, and trust can take years, forged through carefully crafted messages and consistent engagement.

Unfortunately, all of that can be jeopardized with the compromise of just one password. Remember what happened when the Associated Press’ Twitter account was hacked? The posts uploaded by hackers caused a national scare and managed to affect the stock market.

Although not all social media account hacks have that outcome, a compromise could still cause a huge headache for your team, damage your reputation with your online communities, and even put critical company assets at risk. With digital theft now surpassing physical theft for businesses, there’s more at stake in protecting your online accounts and communities.

If you’re a Social Media Manager or oversee your company’s social media communities, here’s your security action list today:

1. Scan your computers: Do you have the latest, up-to-date security software running on your computer? Perform scans, check all browsers for updates, and reboot your computer if you haven’t in ages. This is the best defense against viruses and malware.

2. Implement password security basics: If you don’t have a company password policy, consider implementing one with LastPass Enterprise. You can then require strong, unique passwords, without the usual hassle it creates for employees. If your whole team isn’t quite ready to get on board, you should definitely get yourself started with a password manager. Eliminating password reuse and weak passwords is an easy way to prevent hacked accounts.

3. Protect your smartphone: Your mobile device likely contains access to company accounts or networks. Protect your devices with a passcode or PIN, especially if you use social media apps on your phone to access company accounts.

4. Revoke access by unknown apps: When was the last time you reviewed the 3rd party apps that have access to your LinkedIn, Twitter, Facebook, and other social accounts? Only allow access to apps that are trusted, and regularly review your settings to remove unneeded apps. In Twitter, for example, go to your account’s Application page and click “revoke access” for each app.

5. Avoid clicking suspicious links: As you actively monitor conversations about your brand and industry on social media communities, be careful with what you choose to open. If a follower has DM-ed you a link with no context, or if someone you follow posts about some weird diet trick, do not click the link. If you’re unsure, respond to them and ask for more details - it can’t hurt, and they may not know that their account has been sending spam.

These are just a few simple action items to get you started with better protecting the accounts you manage.

If you manage any social media accounts for your company, what are your tips for locking them down? Please share in the comments below.

Oct 7, 2013

October is National CyberSecurity Awareness Month

This month marks the 10th annual National CyberSecurity Awareness campaign! The campaign endeavors to spread awareness about online threats and provide helpful tips on what consumers can do to protect themselves.

As official supporters of National CyberSecurity Awareness Month, we’re sharing their recommendations for better online security across all of your devices.

Online security doesn’t apply to just your work computer anymore, or even just your personal computer or laptop. It also applies to all of the smartphones, tablets, and other portable devices we’re using on a daily basis to shop online, do our banking, download services, telework, connect with friends and family, and more. That means that the threats are more diversified than ever, and cyber criminals are constantly trying to take advantage of insecure wireless networks, third party applications, and even texting to try to acquire personal information.

According to the U.S. Computer Emergency Readiness Team (US-CERT), many of the safety practices that are used to guard home and work computers apply to your portable devices as well. They include:
  • Restricting access to your wireless network, by only allowing authorized users access to your network.
  • Changing any pre-configured default passwords to ones that would be difficult for an outsider to guess.
  • Keeping your anti-virus software updated.
  • Using caution when downloading or clicking on any unknown links.
So if you haven’t already, run the LastPass Security Challenge, from the LastPass browser icon, under the “Tools” menu. Once you’ve identified all of your weak and duplicate passwords, set aside time to visit each site and go through the password update process.

Also check if you have any insecure passwords lingering on your computer. If you’re not sure if your browser password managers have been disabled, or if you still have data stored there, run the LastPass installer again and choose the option to import insecure data items (though you can skip the step about setting up an account, since you already have one).

What else are you doing this month to support National CyberSecurity Awareness Month and help your family or community?

Oct 4, 2013

Local to DC? We’re Hiring!


Hey LastPass-ers,

Are you local to the Washington DC-metro area? Do you love LastPass? Are you a customer support rock star? We’re hiring for our Support Team and we want to hear from you!

At LastPass, we're passionate about technology, about our product and brand, and about how we can help improve people's online lives in a meaningful way. We're a committed, driven team, and we love what we do. Our Support Team works hard to solve problems, help our customers, and make our product better.

The job includes:
  • Supporting our customers (via email, web tickets, phone, IM)
  • Supporting our Enterprise clients
  • Software testing (Windows, Mac, Linux, and smart phones)
  • Compiling product recommendation reports

This position requires a strong technical aptitude and the ability to listen, respond, and see through customer-facing technical support inquiries. Your degree doesn’t matter - we’re looking for people who are smart, driven, likable, and willing to contribute and learn. The position is one that will let you grow and take on new responsibilities over time.

We’re looking for someone who:
  • Spends their waking hours on the Internet and loves tinkering with browsers, operating systems, and smart phones
  • Has excellent written and verbal communication skills
  • Is familiar with cloud applications and software technologies
  • Has a strong work ethic
  • Demonstrates a commitment to our community and brand
  • Is in the Fairfax, VA-area (DMV region)

LastPass headquarters are based in Fairfax, Virginia, centrally located near the nation's capital and easily accessible by public transport. Employees enjoy flexible work hours, flexible holidays, and a great benefits package. A weekly company-sponsored lunch and regular ping pong tourneys keep things relaxed.

Interested? Be sure to try LastPass and Xmarks, then send your cover letter and resume to jobs@lastpass.com.

Even if you’re not looking for a job, please post this, tweet it, share it, forward it, send it to any friends and family who may be interested!

Oct 3, 2013

We’re Opening a Europe Office!

We’re excited to announce that we’ve opened a European Office, based in Paris, France. The new European office will be led by Thibaut Behaghel, named General Manager. Join us in welcoming him aboard the LastPass Team!

With 60% of our user base today being international, the new European office is key in meeting the needs of our customers and keeping a pulse on international security trends. Thibaut’s wealth of experience, with a proven track record of expanding US technology products overseas, makes him a superb choice for heading up this new operation.

Thibaut Behaghel has experience within the European tech industry, most recently having co-founded WannaSpeak, focusing on online communications tools such as call tracking. Previously, Thibaut worked with Joe Siegrist and team at eStara after their acquisition of ITXC's eCommerce division, where he was manager of the European office.

From Thibaut himself:
“I’m excited to join a team whose founders have a track record of success, who’ve built great products with mass appeal. As a tech-savvy entrepreneur with grown children spread across multiple continents, I can attest first-hand to the power and value of the cloud. Globalization and emerging markets mean more to me than generic terms in the news; I’m thrilled to help LastPass strengthen its customer relations and develop new partnerships in Europe.”
We’re thrilled for the good things to come!

Sep 27, 2013

iCab Mobile Browser Now Supports LastPass

We’re excited to announce that iCab, a leading mobile browser for iOS, has been updated with LastPass support!

With iCab’s update to 7.2, available for $1.99 from the App Store, LastPass Premium users can now enjoy direct integration with the browser, with the ability to save new sites, fill logins stored in LastPass, and fill forms with LastPass profiles.

When you launch the browser, you can log in and out of your LastPass account from iCab’s settings (the gear icon). The LastPass icon will then show in the iCab URL bar, which is actually a clickable menu. From the menu, you can save a new site, fill a form with an existing profile, fill a login saved in LastPass, or launch the LastPass.com site.

Highlights


iCab is a robust browser, with features that include:
  • File uploads: Upload photos and other files from web pages like Flickr and Facebook
  • Searching: Set a default search engine
  • Filter: Built-in, customizable, URL-based filter to help block banners
  • Tabs: Open multiple web pages at once, and save them so they’re reopened on browser launch
  • Bookmarks: Organize bookmarks in folders, and import/export from or to your PC/Mac
  • Downloads: Built-in download manager so you can download most files from the Internet
  • and More: With a unique “Scrollpad” for instant scrolling, a password lock option, Dropbox support, and more, iCab is a full-featured browser that’s worth checking out!
And now with LastPass, you’ll be able to enjoy easy access to your stored data while taking advantage of iCab’s unique features.

From Jamie Q, who left a review on the App Store: 
“This is the greatest browser I've used on iOS at all. I love the tabs and the download/upload manager!!! Plus, the Lastpass integration is amazing!!”

Availability


iCab is available for $1.99 on the App Store for iPhone, iPod touch, and iPad with iOS 5.1 or later. Use of LastPass on iCab requires a LastPass Premium subscription. For $12 per year, LastPass Premium unlocks access to all mobile apps and features, plus added security and portability options. Premium also supports the ongoing maintenance and development of the service.

Note that multifactor authentication is not currently supported on iCab. If you have multifactor authentication enabled on your account, and have restricted mobile login, you’ll receive an error that the device is restricted.

Sep 23, 2013

Cybersecurity Tips for College Students

It’s that time of year again, when students start their college journeys or return for another academic year. And the last thing any student wants to be worrying about is cyber security. Here are our top tips, so you can check them off your list and get on to the good stuff this semester. And don’t forget to snag your free 6 months of LastPass Premium with our education promotion: https://lastpass.com/edu

Lock that computer - and your phone.

Have you secured your devices, both physically and digitally? Most devices come with an auto-lock feature, requiring that you re-enter your password or PIN code (avoid birthdays or other personal information). Also physically lock down your computer by investing in a cable lock, which allows you to secure it to a desk, reducing the chances of theft.

Avoid sharing too much.

Keeping your friends updated and sharing memories via social media may seem like second nature these days. But what you share could tell someone too much - such as indicating when you’re not at home, making you a target for burglary. Be sure you’ve set the appropriate privacy settings on your accounts, and be mindful of the data points you share.

Secure your email.

Your email account will be the hub of your college experience. Think of all the sites and services you use that email address for, and the network you’ll build with it. Never share your email password with anyone - and we mean anyone, including close friends. Use a unique password, and if it’s available, enable multifactor authentication for your email account.

Generate & protect your passwords.

Speaking of passwords, ensure that all of your passwords are strong, unique, and known only to you, by using a password manager like LastPass. LastPass helps centralize the management of your passwords to one easy-to-use vault. It will also help you generate a mean-looking password when signing up for a new account. It’s free - and you’ll be surprised how many accounts you’ll accumulate over the years, so start now.

Keep software up to date.

Shutting down your browsers, and your computer itself, will initiate most automatic updates for your computer. But those annoying pop ups and messages from your task bar? We recommend responding to them when they appear. The updates include important fixes and improvements - sometimes addressing serious security issues, so don’t put off responding to them.

Limit your activities on open WiFi.

Free WiFi is your lifeblood in college. Even if your campus’ network itself may be password-protected, you never know who’s on the network with you. Limit your access to sensitive accounts (such as banking) when you’re on these networks. Consider using a VPN when you’re using open WiFi as well, which will allow you to surf anonymously and lock down your connection.

Prepare for loss.

Although we’re all about being proactive and managing risk, sometimes bad things happen. The best thing you can do is prepare for that loss - of your computer, your smartphone, any of your gadgets. Back up your documents and photos on a regular basis. Look into installing software that lets you remotely access your computer or phone, so you can wipe it if needed. Also look into software that lets you track your lost device, so you have a greater chance of recovering it.

To recap what we’ve covered, here’s your full checklist:

  • Set your computer to auto-lock.
  • Set your smartphone’s PIN code.
  • Invest in a cable lock.
  • Err on the side of caution when sharing online.
  • Set appropriate privacy options, so you’re only sharing with friends.
  • Use a strong password for your email account.
  • Don’t share your email login with anyone.
  • Look into security features available for your email account.
  • Use a password manager like LastPass to manage your accounts.
  • Generate unique passwords to avoid password reuse.
  • Respond to all prompts to update your software.
  • Restart your computer occasionally to ensure updates are completed.
  • Use a VPN if you need to access personal accounts on open WiFi.
  • Be mindful of the connection you’re using and what you’re doing on that connection.
  • Install tracking software on your computer and smartphone.
  • Enable remote wiping of your device, if possible.
  • Back up everything to an external hard drive, regularly.
And last but not least, redeem your free Premium credit here: https://lastpass.com/edu once you’ve signed up for LastPass. LastPass Premium gives you full access to our mobile apps for smartphones and tablets, as well as additional security and productivity features.

Sep 10, 2013

LastPass and the NSA Controversy

With news that the United States National Security Agency has deliberately inserted weaknesses into security products and attempted to modify NIST standards, questions have been raised about how these actions affect LastPass and our customers. We want to directly address whether LastPass has been or could be weakened, and whether our users’ data remains secure.

In short, we have not weakened our product or introduced a backdoor, and haven’t been asked to do so. If we were forced by law to take these actions, we’d fight it. If we were unable to successfully fight it, we would consider shutting down the service. We will not break our commitment to our customers.

Although we are not currently in the position of having to consider closing the service, it is important to note that if LastPass had to be shut down, our users would be able to export their data or continue using LastPass in “offline” mode, although online login and syncing would no longer be possible.

We have consistently reiterated that LastPass cannot share what we cannot access. Sensitive user data is encrypted and decrypted locally with a key that is never shared with LastPass. As always, we encourage our users to create a strong master password to better protect themselves from brute-force attacks. Given our technology and lack of access to stored user data, it is more efficient for the NSA or others to try to circumvent LastPass and find other ways to obtain user information.

Ultimately, when you use an online service you’re trusting the people behind that service to have your best interests at heart and to fight on your behalf. We have built a tradition of being open and honest with our community, and continue to put the security and privacy of our customers first. We will continue to monitor the situation and change course as needed, with updates to our community when necessary.

Thank you to our community for your ongoing use and support of LastPass.

Sep 4, 2013

Using Google Authenticator on iOS? Avoid Lockout with These Steps

An update for Google Authenticator was released today that wiped stored tokens tied to online accounts. Google Authenticator users then ran into issues logging in to their sites and services since the token was no longer recognized.

Google pulled the app from the Apple app store, and to the best of our knowledge it only affected the iOS app. Google has indicated they are working on another update with a fix for the bug.

In the meantime, LastPass users who did update may run into authentication issues with their LastPass account.

If you updated the app and are still logged into LastPass on one of your desktop browsers, go to the LastPass Icon and launch your LastPass Vault. Then open the Settings menu on the left, select the Multifactor Options tab, and toggle to Google Authenticator. Click the option to display the QR code, and scan the QR code again, then click 'update' to save your changes.

If you updated the app and are not currently logged into LastPass on your desktop browsers, you'll need to initiate the disabling process when you next log in. On the Google Authenticator prompt select the "disable" option, and an email will be sent to either your LastPass account email address or to the security email address you set up with your account. From the email you can click the "disable" link and you will not see the Google Authenticator prompt when you return to LastPass to log in. You can then launch your Vault, click the Settings menu, go to the Multifactor Options tab and toggle to Google Authenticator, then scan the QR code and re-enable Google Authenticator.

For any LastPass users who run into trouble, please reach out to our support team directly here: https://lastpass.com/supportticket.php and we will investigate with you.

Aug 29, 2013

Introducing Toopher and Duo Support for LastPass

We’re excited to announce that two new options join the family of multifactor authentication methods we support with LastPass! LastPass now supports Toopher and Duo, both of which can be run from your Android or iOS smartphone and are free for consumers.

We’ve talked up multifactor authentication over the last few years and especially in the last several months as it marks a growing trend in personal security. Multifactor authentication refers to the use of a second piece of information or a device that generates that information before allowing access to an account. By adding a second step, you’re requiring that two pieces of data be entered by a user - typically a username and password that the user knows, then a code or generated key that the user provides with a device or app. Adding multifactor authentication creates another barrier to entry, so that even a compromised password does not translate to a compromised account. By enabling multifactor authentication with your LastPass account, you’re significantly increasing the security surrounding the “hub” of your online life.

Toopher



To get started with Toopher:
  • Download the Toopher app from the app store on your device.
  • Start the app on your device.
  • Login to LastPass and launch your “settings” menu in the LastPass vault.
  • Click the “multifactor options” tab and select “Toopher”.
  • Switch Toopher to “enabled”, and enter the pairing phrase generated by the Toopher app on your mobile device. Select the “=” button on the Toopher app to generate this phrase.
  • Look for the “push notification” on your phone, and select “allow”.
Toopher is now enabled for your LastPass account. You can automate authentication by telling your mobile device to automatically log you in next time, by sliding the “automate when near here” slider. Toopher will automatically enable authentication for you when you’re in the same location logging in to the same computer.

Duo


To get started with Duo:
  • Download the Duo app from the app store on your device.
  • Start the app on your device.
  • Login to LastPass and launch the “settings” menu in the LastPass vault.
  • Click the “multifactor options” tab and select “Duo Security”.
  • Switch the status to “enabled” and select the link to enroll in Duo.
  • Enter your telephone number, and send yourself the text message.
  • Follow the steps to complete enrollment.
  • Once complete, ensure that you’ve also “updated” your LastPass settings.

The next time you log in to LastPass, Duo will send a “push notification” to your phone, and allow you to “approve” login.

We offer a range of other multifactor options, both free and Premium, so be sure to pick one that best suits your work flow. For more details on available options, see our list here: https://helpdesk.lastpass.com/security-options/multifactor-authentication-options/

Have you tried multifactor authentication? What do you think? Will you try Toopher or Duo?

Aug 19, 2013

LastPass Updated for All Browsers, Featuring Immediate Sync

An update to the LastPass addon for all browsers is now available on our download page! The update will happen automatically behind the scenes the next time you relaunch your browser, or you can manually download from LastPass.com. The new release comes with several new features and performance improvements. Of note in the latest version are:

Immediate Sync


We are gradually rolling out automatic, immediate sync in all browsers for all users. Previously, updates were polled every 15 minutes, but now changes and updates will go through instantly! This is enabled by default, but if you uncheck the automatic polling option in the “Advanced” section of the Preferences menu, the immediate sync connection is also disabled. A portion of the userbase will see this to start with, and we’ll be ramping up as we roll out to all users and to mobile.

Secure Note History


Expanding on our “History” feature, which allows you to review password and username changes within a site entry in your vault, we’ve now added “secure note history”, so you can review activity specifically with secure notes. Currently, this feature can be accessed via the online vault at www.LastPass.com: once you log in, you can “edit” a secure note and choose the “history” option to review a record of edits to the note.

Weak and Duplicate Password Notifications in IE


After rolling out weak and duplicate password notifications in Chrome and Firefox, these alerts are now available in all browsers. As you login to your sites, LastPass will let you know if you’re using a weak password, or if you logged in with a password that you’re also using for another account stored in your vault. This will help you be proactive about generating strong passwords, and eliminating password re-use. Even better, you’re notified when you’re already on the site, so a new password is just a few clicks away.

Support for IE11


The latest update will support Microsoft’s upcoming release of Internet Explorer 11 for Windows 8.1. Our addon will be fully compatible with Enhanced Protected Mode in IE, and will fully support the new browser.

The updated build also contains a fix for an issue in the LastPass addon in IE, whereby, if you were logged into the LastPass IE extension version 2.0.20, site passwords were potentially accessible in a memory dump. The issue only affected the IE addon, and as soon as the browser session ended, the data would have been cleared from memory. The scope of the issue is minimal, but privacy and security of our users’ data is paramount. Malware is essentially the only way this could be exploited and we continue to encourage you to utilize anti-malware to protect your data.

Other notable additions include:

  • New Secure Note templates for Health Insurance and SSH Keys
  • Manage Your Email subscription preferences on the account page https://lastpass.com/my.php

This release also includes updates for LastPass Enterprise, including:

  • Secure note logging for better tracking of team changes to secure notes
  • Security score history so you can track your team’s progress in improving their passwords over time
  • Notification Dashboard so you can automatically alert employees who need to take steps to comply with company password policies
  • Linking of your personal account to your Enterprise account in both the local and online vaults
We recommend that all users update to our latest version available on www.LastPass.com/download or utilize our direct download link for the full Windows installer: https://lastpass.com/installer

More exciting updates are in the works, so stay tuned!

The LastPass Team.

Update July 7, 2014: As an addendum to the above, LastPass is unfortunately no longer compatible with Internet Explorer's Enhanced Protected Mode and we are not continuing with development at this time. We will keep our community posted if this changes.

Aug 8, 2013

Storing Passwords In Your Browser? Time to Stop.

The latest controversy to make the rounds on tech news outlets and social networks surrounds the lack of security features built into Google’s Chrome browser, leaving user passwords and form fill data at risk.

Web developer Elliot Kember questioned Google’s security practices after showing that anyone with physical access to the computer will have immediate access to the passwords, which can easily be toggled to plain text. Someone can simply go to the URL chrome://settings/passwords or visit a user’s password page in the browser Settings menu to easily view the data. There is no master password or even a generic prompt - essentially, there is no added security for the passwords.

The main concern that Kember raises is the fact that the mass market doesn’t expect it to be that easy for others to get to their data. In his blog post, he calls for Google to either clarify the security policy so users can make a more informed decision, or to add a master password option (as Mozilla Firefox has done).

This “flaw” in Google Chrome is old news to many. However, the fact that Chrome is now one of the three most widely-used browsers in the world means that more and more of the general population is utilizing Chrome and saving their data to the browser, with little information regarding how that data is protected.

Ultimately, the most secure way to store your data is to not store it in a browser at all, where there are minimal security options and a host of possible threats. By storing your data in a password manager, you’re adding at least one authentication layer with your master password, not to mention the encryption technology built into the software itself.

There is also the added benefit of utilizing multifactor authentication and other features to control where and how your data can be accessed. These features include the ability to restrict logins to specific countries or to enable master password reprompts on more sensitive logins. It also ensures that should one computer or browser crash, or be lost or stolen, your data remains securely accessible on your other devices.

While we agree it would be wonderful if Chrome would increase their security options or offer better warnings for users, Chrome users can be proactive today by downloading a password manager like LastPass and migrating their data out of their browsers. LastPass will even help you with that process by automatically importing your passwords for you as you get started - so don't wait until it's too late.

Were you aware of this shortcoming in Google Chrome? What other steps are you taking to protect your data?

Jul 16, 2013

Have You Backed Up Your Wallet For Your Next Trip?

With vacation season in full swing, you may find yourself preparing to travel out of town, or even out of the country. One of the most important components of getting ready is ensuring you have the right data on hand - credit cards, driver's licenses, passports, emergency contact information, and more. Even with physical copies of these documents, and perhaps photocopies of the originals, digitally backing up your data is an important step in being prepared for loss, theft, or a difficult situation.

There are several ways LastPass helps you "back up" your wallet:

Create Secure Notes for Important Documents

With templates for credit cards, driver's licenses, passports, and more, the secure note is a safe way to backup your sensitive information. To get started:
  1. Log into LastPass, and open your vault
  2. Click the "add note" option on the left-hand menu
  3. Select a note type, and name the note, e.g. "Mary's Passport", "Company Credit Card"
  4. Enter all relevant data points, including the customer service contact information, theft report numbers, and any security questions or pin codes attached to the account.
Now, when you're on the road, if you lose a card or your whole wallet, you can easily reference this information to make the necessary calls, provide the needed details, and issue a replacement if possible.

Attach Photocopies to Notes


LastPass notes also have an attachments feature, so you can attach PDFs, .DOCs, and other documents to your notes.
When preparing for your trip, make photocopies of any driver's licenses, passports, credit cards, and other important cards - even prescription information if it's critical.

Then, before you leave, edit a secure note in your vault, click the "paperclip" icon, and attach these documents to the relevant notes. Now if you need to provide a physical photocopy, as in the case of replacing a lost passport, you can easily login to LastPass, download the photocopy, and print it.

Access Your Data Anywhere


Once you've stored your data in your notes, and attached any important photocopies, you can also rest easy knowing that should you need that information, you can simply login to www.LastPass.com to sync your data.

Or, if you're in a location where you have use of your smartphone, you can also login on one of our Premium mobile apps to view the data.

What are your tips and tricks for preparing your sensitive data for a trip? Share in the comments below!

Jul 1, 2013

What To Do If You Lose Your Mobile Device

There's no arguing that our smartphones are our lifelines - they're our Rolodex, our photo albums, our windows to the digital world. Losing your smartphone isn't just an inconvenience, it could put your personal information at risk. We've compiled some tips to protect your smartphone in general, and actions you can take as a LastPass user in particular.

Get Proactive


Before you're ever put in the position of losing your phone, we recommend taking the time to use good security practices, now:
  • Put in a password or pin code prompt. This is typically available in the settings for your smartphone. Remember, alphanumeric passwords are better - and ensure the time for reprompt is no more than a few minutes, if not immediate.
  • Keep your apps up to date. Updates to apps can contain important security updates - don't delay in approving them.
  • Know the apps you're downloading. If you're not sure about the maker of an app, do your research. Don't share your personal information with apps that you can't verify.
  • Enable a device recovery service. This will help you track your device should you lose it, and may help you catch the person responsible if a device is stolen. Lifehacker recommends Prey.
  • Set pin code reprompts and autologoff settings in your LastPass apps. These can be found in the Preferences menu of our mobile apps, and will ensure someone cannot easily access your stored LastPass data.
  • Use multifactor authentication. Even if you've set your mobile device as "trusted" in your LastPass settings, you can easily revoke access later if needed.
  • Back up your data. Ensure you've synced your contacts, photos, and other information so that you have copies of it should your device break or be lost.
  • Store sensitive data in LastPass secure notes, not in an unprotected notes app. If you need to record sensitive information on the go, just add a note to LastPass, where you can easily access it, but where the data is protected by a master password and your pin code prompts.

Recovering From the Lost Phone 


Time is critical when recovering from a lost or stolen device. The sooner you can take action, the better you can protect your data and perhaps even recover your device.
  • Activate your lost phone features. If you enabled Find My iPhone, Prey, or another similar service, follow their steps to activate the lost device features.
  • Update passwords. Update the passwords for Gmail, Facebook, and other services whose accounts are syncing to apps on your mobile device. Once you update the password, they cannot be synced, or even used in some cases, without re-authenticating with the new password.
  • Kill active sessions. In LastPass, open the LastPass browser icon menu, and in the Tools sub-menu select the "other sessions" option. This page will show any active sessions for your account. Kill all sessions that are not in use.
  • Remotely wipe data. If you are using iCloud, Google Sync, or another service that allows you to remotely wipe data, you should do so after ensuring you've backed up all data possible.
What are tips or strategies that you've used, or that you recommend? Share with us in the comments below!

Have a question you'd like to see answered by the LastPass team in a blog post? Let us know in comments or send us a note at marketing[at]lastpass.com. If we choose your question, you'll get a Tshirt!

Jun 24, 2013

Your Answers to Security Questions Should Be Random, Too

At LastPass, we often reiterate the need for randomly generated passwords in order to increase your online security. A feature that often gets overlooked is the security questions that your sites and services may have you fill out as you register.

In theory, security questions are slightly more obscure, but still personalized questions that you create answers for, that will later be of help if you need to "prove" your identity when recovering access to an account or contacting a customer support team. However, the questions can create a security loophole. On top of the increased risk, if you're using a password manager to store your passwords, there's no reason you should have to go through the recovery process.

That's why we recommend "generating" your answers to your security questions, or creating falsified answers that you can then securely store in LastPass for reference. This ensures that security questions cannot be used against you should someone try to gain unauthorized access to one of your accounts - this is how Sarah Palin's email was hacked, and how other individuals have fallen victim to violations of their personal privacy.

It's easy to get started with random security answers when you're registering for a new site. When you're presented with a question, simply click the LastPass icon in your browser and select the "generate a secure password" option. You can click the "advanced options" box to customize the characters, and even make the password pronounceable:

You can then use the "copy" option to copy-paste the password into the answer field for the question, and submit the information on the site. Once you've saved that site to LastPass, ensure you've also pasted the generated password into the "notes" field in the edit menu for the site entry, indicating that it's the security answer for your account.
If you know you're using personal information for security answers, set aside some time to login to those accounts, generate a new "answer" with LastPass, and store the update in your site entry. Accounts for online banking, email, social media, and credit cards are all good places to start.
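The same idea outside the browser, as an added sketch that is not LastPass's generator: it builds a pronounceable random answer per security question and formats the text to paste into a site entry's notes field. The syllable alphabet, the 64-bit target and the sample questions are assumptions chosen for illustration.

```python
import math
import secrets

# Assumed alphabet: each syllable is one consonant followed by one vowel.
CONSONANTS = "bcdfghjklmnprstvwz"   # 18 letters
VOWELS = "aeiou"                    # 5 letters
BITS_PER_SYLLABLE = math.log2(len(CONSONANTS) * len(VOWELS))   # about 6.49 bits


def syllables_for(bits):
    """Smallest number of syllables that reaches the requested entropy."""
    return math.ceil(bits / BITS_PER_SYLLABLE)


def random_answer(bits=64, group=2):
    """Pronounceable answer with at least `bits` of entropy.

    Syllables come from the OS CSPRNG via `secrets` and are hyphen-grouped
    so the answer can be read aloud to a support agent if needed.
    """
    count = syllables_for(bits)
    syllables = [secrets.choice(CONSONANTS) + secrets.choice(VOWELS)
                 for _ in range(count)]
    words = ["".join(syllables[i:i + group]) for i in range(0, count, group)]
    return "-".join(words)


def answers_for(questions, bits=64):
    """One independent answer per question: a leaked answer reveals no other."""
    return {question: random_answer(bits) for question in questions}


def notes_field(answers):
    """Text for the site entry's notes field, labelling each stored answer."""
    return "\n".join(f"Security answer [{q}]: {a}" for q, a in answers.items())


if __name__ == "__main__":
    # Constructed sample questions.
    sample = ["Mother's maiden name?", "First pet's name?"]
    print(notes_field(answers_for(sample)))
```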

