Apr 9, 2014

LastPass Now Checks If Your Sites Are Affected by Heartbleed

Yesterday we informed our community of the Heartbleed OpenSSL bug. In our blog post, we explained how this security issue impacted our service and what our users should know about the situation. We also built a tool to help our users start checking to see if their sites and services had reissued their certificates, so that users would know if it was safe to start updating passwords for those sites: https://lastpass.com/heartbleed

To help our users take action and protect themselves in the wake of Heartbleed, we've added a feature to our Security Check tool. LastPass users can now run the LastPass Security Check to automatically see if any of their stored sites and services were 1) Affected by Heartbleed, and 2) Should update their passwords for those accounts at this time.

The LastPass Security Check can be run from the LastPass Icon menu. Click the LastPass icon in the browser toolbar, click the Tools menu, and select the Security Check.

In the Security Check results, we alert you to sites affected by Heartbleed:

We will continue to update the Security Check recommendations based on which sites we have seen take action and where it is safe to update your passwords. We'll monitor the situation in general and keep our community posted.

If you're not using LastPass yet, now is the time to get started with organizing and managing your passwords, and use our tools to generate new passwords for your online accounts.

Update: April 10th, 2:29PM ET

Many users are still concerned about what the Heartbleed situation means for their LastPass master passwords. To further clarify, we do not see a need at this time for existing LastPass users to update their master passwords. That said, if you would prefer to, there is no harm in doing so. We continue to update our LastPass Security Check tool to provide you the latest information regarding potentially-impacted sites. Thanks to our community for the feedback and input.

Apr 8, 2014

LastPass and the Heartbleed Bug

With news breaking on Monday, April 7th that the Heartbleed bug causes a vulnerability in the OpenSSL cryptographic library, which is used by roughly two-thirds of all websites on the Internet, we want to update our community on how this bug may have impacted LastPass and clarify the actions we’re taking to protect our customers.

In summary, LastPass customers do not need to be concerned about their LastPass accounts. Though LastPass employs OpenSSL, we have multiple layers of encryption to protect our users and never have access to those encryption keys.

What is the Heartbleed Bug?

The Heartbleed bug is a vulnerability in the OpenSSL cryptographic library that allows stealing of information normally protected by the SSL/TLS encryption used to secure the Internet. OpenSSL is open-source software that is widely used to encrypt web communications. SSL/TLS is what normally provides secure and private communication over the Internet via websites, email, IM, and VPNs. According to CNET, an attacker can exploit Heartbleed to essentially “get copies of a server's digital keys then use that to impersonate servers or to decrypt communications from the past or potentially the future, too.”

Heartbleed is being taken so seriously because OpenSSL is widely used, essentially no servers locally encrypt their data the way LastPass does, and it’s been exploitable for some time.

How does it affect LastPass?

LastPass utilizes OpenSSL for HTTPS/TLS/SSL encryption and we were therefore “vulnerable” to this bug. For anyone who was using this tool: http://filippo.io/Heartbleed/#lastpass.com to check whether LastPass was vulnerable, it would have shown that we were vulnerable until this morning, when we restarted our servers after the patched OpenSSL software update.

However, LastPass is unique in that your data is also encrypted with a key that LastPass servers don’t have access to. Your sensitive data is never transmitted over SSL unencrypted - it’s already encrypted when it is transmitted, with a key LastPass never receives. While this bug is still very serious, it could not expose LastPass customers’ encrypted data due to our extra layers of protection. On the majority of the web, user data is not encrypted before being transmitted over SSL, hence the widespread concern.

Also, LastPass has employed a feature called “perfect forward secrecy”. This ensures that when security keys are changed, past and future traffic also can’t be decrypted even when a particular security key is compromised.

Our next steps

This bug has been out there for a long time, so we have to assume our SSL keys could have been compromised. We requested a reissued certificate this morning, and plan to roll it out today, while we’ve already deployed the OpenSSL software update after restarting our servers this morning.

LastPass customers should not be affected by the certificate transition, we expect it to be seamless with no interruptions to service. 

Because other websites may not be encrypting data the way LastPass does, we recommend that LastPass users generate new passwords for their most critical sites (such as email, banking, and social networks) if those sites utilize Apache, Nginx or show as vulnerable to the Heartbleed bug. However, users should wait until their sites have replaced their certificates, with a start date after today (April 8th, 2014). For more information on replacing passwords with newly-generated ones, please see this article.

Thank you to our community for your vigilance, and we’ll provide further updates if there are any changes to the situation.

Update: April 8th, 4:46PM ET

We have built a tool to help LastPass users check whether other sites and services they use may have been affected by Heartbleed, you can check it out at: https://lastpass.com/heartbleed

The new SSL certificates for LastPass and Xmarks have been reissued as well.

Update: April 9th

LastPass now alerts you if the sites stored in your vault may be impacted by Heartbleed. See our new blog post for more details: http://blog.lastpass.com/2014/04/lastpass-now-checks-if-your-sites-are.html 

Update: April 10th, 2:29PM ET

Many users are still concerned about what the Heartbleed situation means for their LastPass master passwords. To further clarify, we do not see a need at this time for LastPass users to update their master passwords. That said, if you would prefer to, there is no harm in doing so. We continue to update our LastPass Security Check tool to provide you the latest information regarding impacted sites. Thanks to our community for the feedback and input.

Apr 7, 2014

How to Spring Clean Your Digital Life with LastPass

It’s finally (finally!) that time of year again, where we dust off the remnants of Winter and welcome the warmer weather and sense of possibility of Spring. Spring is a perfect time to pause and make those much-needed changes you’ve been procrastinating on, especially when it comes to your online security. If you’re like us and you spend a fair bit of time sitting at your desk at work, it’s a great time to clean up your workspace and take stock of your online security efforts. Here’s how to do that with LastPass.

1. Collect & store random bits of personal information. 

In the chaos of the workweek, it’s easy to accumulate little notes scattered all over - in Google Docs, in your Sticky Notes, in your calendar, scribbled wherever was convenient at the time. Find all those abandoned pieces of paper or digital clutter, get rid of what you no longer need, and enter any passwords into LastPass. If you have important PINs, codes, software keys, or other one-off pieces of data to store, create secure notes in LastPass to safely store and remember them.

2. Back up important documents, now.

It’s so easy to say “I’ll do it tomorrow”. Make a commitment to do it today. That way, if a hard drive crash, a stolen laptop, or a bad case of malware happens to you, you’ll be able to breathe a little easier knowing you still have what’s critical for you to recover and start over. In LastPass, use attachments in secure notes to back up scanned documents of your passport or driver’s license (especially before a trip!), to keep digital copies of important legal documents, and pretty much any other image, PDF, document, or Excel file you just couldn’t afford to lose.

3. Get rid of old accounts. 

If it’s been a while since you’ve actually looked at what’s in your LastPass account, you might be surprised to see just how much you've accumulated over the years. When you run the LastPass Security Challenge, located in the Tools menu of the LastPass icon menu, it’s easy to see just how many accounts you’ve racked up. Take a stroll through your vault, and start shutting down accounts that you just don’t use anymore - for example, forgotten forum registrations or sign-ups from one-off purchases. You’ll likely reduce your incoming mail, too! Once you unsubscribe or delete an account, you can delete it in your LastPass vault, too.

4. Keep making progress on those weak passwords.

If you ran the Security Challenge, you may also have seen LastPass flag any weak and duplicate passwords stored in your vault. Use this knowledge to change those passwords. Log in to the accounts that have bad passwords, find where you can manage your settings, and update your password to one generated by LastPass. For more information, check out our article on replacing old passwords with generated ones.

What steps are you taking this Spring to improve your online security habits?