LastPass Will Warn You If Your Passwords Show Up On the Dark Web

LastPass is updating its Security Dashboard with a feature that provides an overview of all your accounts, highlighting any passwords that could pose a security risk. The password manager is also introducing dark web monitoring, although it will require you to be a paid LastPass subscriber. Engadget reports: If you already use LastPass and the Security Dashboard sounds familiar, it's because it builds on the Security Challenge functionality LastPass developer LogMeIn added in 2010. As before, grading is a major aspect of the interface. When you first navigate to the Security Dashboard, you'll see a score of all your logins, followed by a breakdown of passwords that are either old, inactive, weak or reused. You can click or tap on a problematic password to change it, and LastPass will automatically take you to the webpage where you can update your login information. LogMeIn hasn't changed how the app calculates the overall score it gives to each user. But one significant improvement the Security Dashboard brings over the Security Challenge is that you don't need to manually run it each time you want to see the security of your online accounts. The score and steps you can take to improve your online security are there each time you visit that part of the software's interface.

With today's update, LogMeIn is also introducing dark web monitoring. When you enable the feature, LastPass will proactively check your online accounts against Enzoic's compromised credentials database. If it detects an issue, it will notify you through both email and the app. Dark web monitoring is available to LastPass Premium, Family and Business subscribers. The dashboard, by contrast, is available to all LastPass users.

1Password

[WankerWeasel]

You mean, like 1Password has for a year or two now with Have I Been Pwned integration? This post seems like an advertisement for LastPass.

Re:

[Ostracus]

If it was an ad they'd also point out you need to pay them to use something like a Yubikey. Something that use to be in free.

Re: 1Password

[kaptink]

Interesting point. Who has the most comprehensive database? Haveibeenpwned or Enzoic?

Re:

[coofercat]

Yeah, Dashlane has this too.

Lastpass? LastToTheParty more like :-(

Yawn

[reanjr]

Like Chrome already does? Or Google auth in general?

I will like to try it

[Leechi]

I have read your post I will try to use lastpass to see how it works

Re:

[LenKagetsu]

Yes I too have seen this post and will use Lastpass to see how it works

=====REMOVE THIS PART BEFORE POSTING====

Lastpass is web based, right?

[Snotnose]

I use Keepass, where I can make a local file. It's currently on my laptop, my phone, a USB stick, and my NAS. If I somehow lose 1 of those four I'm guessing the USB stick I have in my car stereo will be my ultimate clean copy.

Re:

[Rockoon]

So I am one car window away from your bank accounts? Awesome.

Re:

[AmiMoJo]

I use Keepass with sync to Google Drive. Thing is, if the Keepass file can be cracked you are screwed anyway because either AES or the hashing algo it uses is broken and half the internet is on fire.

The advantage of doing it that way is that it auto syncs between devices, including my phone. Update one and all the others update.

I get email notifications already

[DogDude]

I get email notifications about my passwords on the "dark web". Fairly regularly, I get an email from somebody with a password that I used that claims that they have taken control of my camera on my computer, and have recorded me jerking off to porn sites, and if I don't send them bitcoins, they'll send it to my friends and family. So far, it's been pretty accurate. They've all been real passwords that I've used before. I have yet to see any password show up for a site at which I'm a paying subscriber. So far, only passwords used on data harvesting web sites have been collected.

Re:

[Darinbob]

I had one of these once, and based on the supplied password I could trace down exactly which site I was at that had been compromised.

Re:

[Randseed]

I've gotten that email scam. In my case, they used a password that hasn't been used in over almost ten years, had a capitalization error in it, was pretty incompetently written to the point of being laughable, was sent to a defunct email address I haven't typed since probably 2008, and I've had my laptop cameras disabled in some way or another since at least 2010.

Re:

[oldgraybeard]

Same here bunches of emails over the last few years. I still get 1-2 a month with different updated threats.
All tied to 2 linkedin accounts I used for playing with the site in the late 2000s before deciding not to use it.

So linkedin was hacked sometime between when I signed up with the original passwords, but before I changed both the first time. Because It was only the first passwords I used on the 2 accounts that are referenced in the threat email.
I give every site and company a unique email address at

Re:

[DogDude]

I've never used Linkedin, so it wasn't that. Unfortunately, I use the same junk password at every junk site, so I don't know which site(s) were compromised.

Which implies...

[OneHundredAndTen]

... that LastPass knows all your passwords. Are you feeling lucky today, punk?

Re:

[Randseed]

... that LastPass knows all your passwords. Are you feeling lucky today, punk?

They could download the comparison database and run it locally when you unlock the vault on your device. Do I believe that? Yeah, with a glass of scotch in one hand, I manage.

Re:

[ljw1004]

Which implies that LastPass knows all your passwords.

It doesn't imply that, no. Maybe LastPass's central database knows the result of a one-way mathematical operation on your password, but it's one-way so they have no way to get back to your actual password. They can apply the same one-way mathematical operation on the list of passwords on the dark web. If the results match, then they know your password was compromised and they know what your password was. But for all of your passwords that weren't compromised, they have no means of getting back your original

Re:Which implies...

[Anubis IV]

Or...or...they could be piggybacking on the system that the 1Password guys developed together with the Haveibeenpwned guy to do that determination without handing over any passwords. As I recall, it involves locally producing hashes of your passwords, sending the last few digits of those hashes to Haveibeenpwned to check for matches, getting back the full hashes on any potential collisions, then doing the check locally to see if it’s a full match. That approach works fully locally, never sends passwords to Haveibeenpwned, and doesn’t give Haveibeenpwned enough to know if your password was compromised or not.

Mind you, I don’t know that this is what LastPass is doing here, and given their spotty track record I wouldn’t necessarily count on it, but there are ways to go about this without them knowing or handing over all of your passwords.

Optional feature

[backslashdot]

For an extra fee theyâ(TM)ll even not upload your passwords to the dark web.

How do they do this without leaking?

[thogard]

The list of dark compromised web passwords is massive to the point where it won't fit compressed on the newest large hard drives. That means they have to send the password off to a cloudy thing that can do the comparison. We all know about the risk of unseeded hashed passwords and I can't think of a way they can pull this off that doesn't have a similar weakness.

Re:

[Mashiki]

I'm getting old, you need to tell me how many libraries of congress that is.

Re:

[Chozabu]

because clouds don't need hard drives? No reason why they can't do whatever the "cloudy thing" does in-house

LogMeIn only bought Lastpass in 2015

[nicolaiplum]

LogMeIn didn't develop a damn thing for Lastpass in 2010 and definitely not the security challenge. Lastpass did their own development until LogMeIn bought them in 2015.

LogMeIn may have developed the dark web password loss check they are releasing now but Lastpass developed the security challenge.

Already lost

[rtkluttz]

If lastpass can see people's passwords to TELL you your passwords are on the darkweb, you've already been pwned. Cloud is not good. I don't want my stuff in the public cloud. If I want it accessible on the internet, I'll host my own platform under my control. If I use a public cloud, I'll pre-encrypt my data and store it in the public cloud with encryption above and beyond any offered by the application that is under their control.

Re:

[FictionPimp]

I check every employee's password before it can be set to ensure it's not a known exposed password, yet I have never seen, stored, or known any of their passwords. I also do not give the entire hash to a service to do this.

unecessary bloat

[spire3661]

This is why i dont use apps other than stock built-ins. They inevitably and without fail get bloated with unecessary features. I dont need my password manager 'talking' (providing external third-party data) to me, ever.

Sounds like Facebook nude collection?

[Thing 1]

"Give us your nudes so we can tell you if they leak."

Yeah, I'm not sure the stated purpose is the actual purpose!

For what reason would a company want to collect all of your passwords?