LastPass Will Warn You If Your Passwords Show Up On the Dark Web (engadget.com)
LastPass is updating its Security Dashboard with a feature that provides an overview of all your accounts, highlighting any passwords that could pose a security risk. The password manager is also introducing dark web monitoring, although it will require you to be a paid LastPass subscriber. Engadget reports: If you already use LastPass and the Security Dashboard sounds familiar, it's because it builds on the Security Challenge functionality LastPass developer LogMeIn added in 2010. As before, grading is a major aspect of the interface. When you first navigate to the Security Dashboard, you'll see a score of all your logins, followed by a breakdown of passwords that are either old, inactive, weak or reused. You can click or tap on a problematic password to change it, and LastPass will automatically take you to the webpage where you can update your login information. LogMeIn hasn't changed how the app calculates the overall score it gives to each user. But one significant improvement the Security Dashboard brings over the Security Challenge is that you don't need to manually run it each time you want to see the security of your online accounts. The score and steps you can take to improve your online security are there each time you visit that part of the software's interface.
With today's update, LogMeIn is also introducing dark web monitoring. When you enable the feature, LastPass will proactively check your online accounts against Enzoic's compromised credentials database. If it detects an issue, it will notify you through both email and the app. Dark web monitoring is available to LastPass Premium, Family and Business subscribers. The dashboard, by contrast, is available to all LastPass users.
1Password (Score:3)
Re: (Score:2)
If it was an ad they'd also point out you need to pay them to use something like a Yubikey. Something that used to be free.
Re: 1Password (Score:2)
Interesting point. Who has the most comprehensive database? Haveibeenpwned or Enzoic?
Re: (Score:2)
Yeah, Dashlane has this too.
Lastpass? LastToTheParty more like :-(
Yawn (Score:4, Informative)
Like Chrome already does? Or Google auth in general?
I will like to try it (Score:1)
Re: (Score:2)
Yes I too have seen this post and will use Lastpass to see how it works
=====REMOVE THIS PART BEFORE POSTING====
Lastpass is web based, right? (Score:5, Interesting)
Re: (Score:1)
Re: (Score:2)
I use Keepass with sync to Google Drive. Thing is, if the Keepass file can be cracked you are screwed anyway because either AES or the hashing algo it uses is broken and half the internet is on fire.
The advantage of doing it that way is that it auto syncs between devices, including my phone. Update one and all the others update.
I get email notifications already (Score:3)
Re: (Score:3)
I had one of these once, and based on the supplied password I could trace down exactly which site I was at that had been compromised.
Re: (Score:2)
Re: (Score:2)
All tied to 2 linkedin accounts I used for playing with the site in the late 2000s before deciding not to use it.
So linkedin was hacked sometime between when I signed up with the original passwords, but before I changed both the first time, because it was only the first passwords I used on the 2 accounts that are referenced in the threat email.
I give every site and company a unique email address at
Re: (Score:2)
Which implies... (Score:4, Insightful)
Re: (Score:2)
... that LastPass knows all your passwords. Are you feeling lucky today, punk?
They could download the comparison database and run it locally when you unlock the vault on your device. Do I believe that? Yeah, with a glass of scotch in one hand, I manage.
Re: (Score:2)
Which implies that LastPass knows all your passwords.
It doesn't imply that, no. Maybe LastPass's central database knows the result of a one-way mathematical operation on your password, but it's one-way so they have no way to get back to your actual password. They can apply the same one-way mathematical operation on the list of passwords on the dark web. If the results match, then they know your password was compromised and they know what your password was. But for all of your passwords that weren't compromised, they have no means of getting back your original
Re:Which implies... (Score:4, Informative)
Or...or...they could be piggybacking on the system that the 1Password guys developed together with the Haveibeenpwned guy to do that determination without handing over any passwords. As I recall, it involves locally producing hashes of your passwords, sending the last few digits of those hashes to Haveibeenpwned to check for matches, getting back the full hashes on any potential collisions, then doing the check locally to see if it’s a full match. That approach works fully locally, never sends passwords to Haveibeenpwned, and doesn’t give Haveibeenpwned enough to know if your password was compromised or not.
Mind you, I don’t know that this is what LastPass is doing here, and given their spotty track record I wouldn’t necessarily count on it, but there are ways to go about this without them knowing or handing over all of your passwords.
Optional feature (Score:3)
For an extra fee they'll even not upload your passwords to the dark web.
How do they do this without leaking? (Score:3)
The list of compromised dark web passwords is massive to the point where it won't fit compressed on the newest large hard drives. That means they have to send the password off to a cloudy thing that can do the comparison. We all know about the risk of unseeded hashed passwords and I can't think of a way they can pull this off that doesn't have a similar weakness.
Re: (Score:2)
I'm getting old, you need to tell me how many libraries of congress that is.
Re: (Score:1)
LogMeIn only bought Lastpass in 2015 (Score:2)
LogMeIn didn't develop a damn thing for Lastpass in 2010 and definitely not the security challenge. Lastpass did their own development until LogMeIn bought them in 2015.
LogMeIn may have developed the dark web password loss check they are releasing now but Lastpass developed the security challenge.
Already lost (Score:3, Insightful)
If lastpass can see people's passwords to TELL you your passwords are on the darkweb, you've already been pwned. Cloud is not good. I don't want my stuff in the public cloud. If I want it accessible on the internet, I'll host my own platform under my control. If I use a public cloud, I'll pre-encrypt my data and store it in the public cloud with encryption above and beyond any offered by the application that is under their control.
Re: (Score:3)
I check every employee's password before it can be set to ensure it's not a known exposed password, yet I have never seen, stored, or known any of their passwords. I also do not give the entire hash to a service to do this.
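The prefix-based lookup described in the 1Password/Haveibeenpwned comment above, and the "check without ever seeing the password" policy the comment directly above describes, can be demonstrated together. This is an added example, not LastPass, 1Password or Enzoic code: both "server" and breach list are constructed in-process, and the layout (SHA-1, a 5-hex-character prefix sent, hash suffixes returned) mirrors the Pwned Passwords range API.

```python
import hashlib

# Constructed breach list for the demo (server side only); not real leaked data.
BREACHED_PASSWORDS = ["password", "123456", "letmein", "qwerty", "hunter2"]

PREFIX_LEN = 5  # hex chars sent to the server: 2^20 buckets, far too many candidates per bucket


def sha1_hex(password: str) -> str:
    """Client-side hash; the plaintext never leaves this function's caller."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class RangeServer:
    """Stand-in for the breach-check service. It stores only hashes of leaked
    passwords, bucketed by prefix, and records what each query revealed to it."""

    def __init__(self, leaked_passwords):
        self.buckets = {}
        for pw in leaked_passwords:
            h = sha1_hex(pw)
            self.buckets.setdefault(h[:PREFIX_LEN], set()).add(h[PREFIX_LEN:])
        self.seen_prefixes = []  # everything the service ever learns about clients

    def range(self, prefix: str) -> set:
        """Return every stored suffix sharing the prefix (may be empty)."""
        self.seen_prefixes.append(prefix)
        return set(self.buckets.get(prefix, ()))


def is_compromised(password: str, server: RangeServer) -> bool:
    """Client side: hash locally, send only the prefix, finish the match locally.
    The server cannot tell which (if any) of the returned suffixes was a hit."""
    h = sha1_hex(password)
    prefix, suffix = h[:PREFIX_LEN], h[PREFIX_LEN:]
    return suffix in server.range(prefix)


def password_allowed(password: str, server: RangeServer) -> bool:
    """Set-time policy check from the comment above: reject known-exposed passwords
    without the checker storing or seeing the plaintext or the full hash remotely."""
    return not is_compromised(password, server)


def server_knowledge(server: RangeServer) -> list:
    """What a compromised or curious service would hold: prefixes only."""
    return list(server.seen_prefixes)
```

A prefix with no stored suffixes simply returns an empty set, so a password outside every bucket is reported as not compromised without any extra round trip.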
unnecessary bloat (Score:2)
Sounds like Facebook nude collection? (Score:1)
"Give us your nudes so we can tell you if they leak."
Yeah, I'm not sure the stated purpose is the actual purpose!
For what reason would a company want to collect all of your passwords?