Jun 6, 2014

Your LastPass Account Is Safe From the New OpenSSL Vulnerability

About 2 months after the discovery of Heartbleed, more OpenSSL vulnerabilities have now been announced. Though organizations should patch their servers, security experts have stated the latest flaws are not nearly as bad as Heartbleed.

The most critical of the new OpenSSL vulnerabilities is known as an “Injection Vulnerability”. If exploited, this flaw could result in a “man-in-the-middle attack”. Essentially, this means someone positioned on the network between your computer and a server could eavesdrop or alter encrypted data traffic. In theory, sensitive information such as email addresses, passwords, and credit card information could be at risk.

So does this impact LastPass?

With regard to LastPass, please note:

  • Your data stored in LastPass is not affected by this bug
  • Your master password is never shared with LastPass
  • Your vault is encrypted with AES 256-bit encryption before being sent to LastPass over SSL
  • Our servers’ SSL libraries have been updated with the latest fixes
  • You can also use LastPass' tool to identify affected sites: https://lastpass.com/opensslccs/

What should I do?

Although the threat is small, if you have used open or untrusted WiFi, we recommend updating the passwords for any online accounts you may have accessed at that time. LastPass will help you update the password to a new, generated one.

We recommend that users continue to exercise caution on untrusted networks, most notably on public WiFi, and remove WiFi networks from their devices that they no longer need or trust. Most other websites do not encrypt data before transmission like LastPass, and so there may be a risk of exposure to the OpenSSL flaws on other websites over public WiFi.

We will continue to update our community on any developments in the situation.

The LastPass Team

Jun 4, 2014

What Apple’s Announcements Could Mean For LastPass

Apple’s WWDC 2014 in San Francisco kicked off on June 2nd with a momentous keynote address that announced the arrival of iOS 8 and OS X 10.10 Yosemite. We’re very excited to see Apple taking a new direction, including increased consideration of the user experience regarding security and authentication. This new, more flexible direction allows services like ours to provide a better experience for our users.

Perhaps most relevant to LastPass are the changes on mobile with iOS 8. In the keynote, Apple indicated that they now support:

  • TouchID fingerprint authentication
  • Keyboard integration
  • Extension functionality implemented through interactive notifications
  • A more open ecosystem where apps can “talk” to one another

We want our community to know that, though it remains to be seen how flexible these new functionalities are, and to what extent we can utilize them for the LastPass app specifically, we are optimistic that we’ll be able to provide an improved LastPass experience on iOS. Overall, these changes seem to signal a move by Apple towards a more flexible platform that empowers developers.

At LastPass, we're committed to innovation and implementing the latest technologies to deliver the best possible user experience. We look forward to further exploring the possibilities of iOS 8.

Jun 3, 2014

LastPass for Android Gets In-App Payments

Our highly-rated LastPass Android app just got better. A new update hits the app store today, with two exciting new features:

In-App Purchasing

You can now upgrade and renew your Premium via the LastPass app itself, charged to your Google Play account:


Getting Started Wizard

New users of the Premium app will have more step-by-step help in learning how to use the app's features:

Note that in-app purchases of Premium do not support auto-renewal; only a 1-year payment option is available at this time. We do plan to offer the ability to purchase subscriptions in a later update.

These usability improvements follow several other major additions to our Android app in the last few months alone, including the addition of biometric support for Samsung Galaxy S5 and automated app filling to streamline logging in to other apps on your Android device. We continue to work to improve the mobile experience, with the latest technology available.

The LastPass Android app is part of our Premium service for $12 per year, and the latest update is already available on the Google Play app store.