LastPass Sentry: automatic leak checks for leaks - gHacks Tech News

LastPass Sentry: automatic leak checks for leaks

The online password management service LastPass has a new security feature that aims to reduce the time it takes to inform users if some of their account information, that is username and password, have leaked on the Internet. The idea behind the service is simple but effective. Some hackers releases password databases and lists to the public after a successful hack. Those public information are managed and made available by various services on the Internet. LastPass has teamed up with pwnedlist to check all account emails against that list to make sure users of the LastPass service are not affected by the leak.

LastPass Sentry performs checks once a day using the latest version of the pwnedlist database. LastPass users are informed by email if their email address has been found in the database. This email contains information about the domain that the email address has been associated with so that users know where the leak occurred.

LastPass recommends to change the password on the affected website immediately, and run the Security Challenge on the LastPass website to check if the password has been used on other websites as well. If that is the case, it is highly recommended to change the passwords on those sites as well.

pwnedlist

The feature is available and enabled for all LastPass users. To opt-out of the feature, users need to receive an email notification to do so.

I personally like LastPass' future plans best. Instead of just checking the account email, the company plans to run regular checks over the entire password database of users, so that all usernames and emails are checked against the leaked password database. Frequency checks may also be increased, with the likelihood that premium and enterprise customers will benefit from more frequent changes - the blog mentions near real-time notifications.

Some users have asked how LastPass is performing the checks. The account email address check currently is likely a plain text check. It is different when LastPass runs the check across a password list. Here it is likely that the company will only perform those checks if the user is logged in. Since the information should be encrypted if the user is not logged in, the company in theory should not have access to usernames or passwords.

We need your help

Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.

We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats or subscription fees.

If you like our content, and would like to help, please consider making a contribution:

Comments

  1. Eyes Only said on September 18, 2012 at 3:49 am
    Reply

    Great news Martin…

    I’ll give a try.

    THX!!

    Great page.

  2. Roy said on September 18, 2012 at 9:52 am
    Reply

    I guess they should stress that their future plans to check your accounts in the vault is local to your machine. It’s confusing many people as they have the impression that LastPass does not have access to their vault contents.

  3. Vladislav said on September 22, 2012 at 8:49 pm
    Reply

    Hi

  4. Vladislav said on September 22, 2012 at 8:51 pm
    Reply

    Security

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

Please note that your comment may not appear immediately after you post it.