LastPass Sentry: automatic checks for leaked account data
The online password management service LastPass has a new security feature that aims to shorten the time it takes to inform users when some of their account information, namely a username and password, has leaked on the Internet. The idea behind the service is simple but effective. Some hackers release password databases and lists to the public after a successful hack, and that public information is collected and made available by various services on the Internet. LastPass has teamed up with pwnedlist to check all account emails against that list, to make sure users of the LastPass service are not affected by a leak.
LastPass Sentry performs checks once a day using the latest version of the pwnedlist database. LastPass users are informed by email if their email address has been found in the database. This email contains information about the domain that the email address has been associated with so that users know where the leak occurred.
LastPass recommends changing the password on the affected website immediately, and then running the Security Challenge on the LastPass website to check whether the same password has been used on other websites as well. If that is the case, it is highly recommended to change the passwords on those sites too.
The feature is available and enabled for all LastPass users. Users can only opt out of the feature once they have received a notification email, which explains how to do so.
I personally like LastPass' future plans best. Instead of checking only the account email, the company plans to run regular checks over each user's entire password database, so that all stored usernames and emails are checked against the leaked password database. The frequency of the checks may also be increased, and premium and enterprise customers will likely benefit from more frequent checks: the blog mentions near real-time notifications.
Some users have asked how LastPass performs the checks. The current account email address check is most likely a plain text comparison. It is a different matter when LastPass runs the check across a user's password list. Here it is likely that the company will only perform those checks while the user is logged in: since the vault data should be encrypted whenever the user is not logged in, the company in theory has no access to the stored usernames or passwords at that time.
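The daily check described above (compare every account identifier against the latest leak list and tell the affected user which domain the leak came from), and the plain text concern raised in the last paragraph, can be illustrated with a small script. This is an added example written for this page, not LastPass' or pwnedlist's code, and the leak records and account addresses in it are constructed sample data. One design choice goes beyond what the post describes: the index stores SHA-256 fingerprints of normalised addresses rather than the addresses themselves, so the component doing the comparison never needs the plaintext list. Note that this is only a modest improvement for email addresses, which are low-entropy and easy to enumerate, so a hashed list still deserves the same access controls as a plain one.

```python
import hashlib
from collections import defaultdict

# Constructed sample data (not real leak data): each record is the
# identifier found in a published dump and the domain it was leaked from.
LEAK_RECORDS = [
    ("Alice@Example.com", "forum.example.net"),
    ("alice@example.com", "shop.example.org"),
    ("bob@example.com", "forum.example.net"),
]

# Constructed list of account email addresses to check against the leak index.
ACCOUNT_EMAILS = ["alice@example.com", "carol@example.com"]


def normalize(email: str) -> str:
    """Canonicalise an address so 'Alice@Example.com' and 'alice@example.com' match."""
    return email.strip().lower()


def fingerprint(email: str) -> str:
    """SHA-256 hex digest of the normalised address.

    The index keeps only these digests, so the comparison step does not
    need the plaintext addresses (an assumption of this example, not a
    description of how LastPass or pwnedlist implement their check).
    """
    return hashlib.sha256(normalize(email).encode("utf-8")).hexdigest()


def build_index(records):
    """Map each leaked identifier's fingerprint to the set of domains it appeared with."""
    index = defaultdict(set)
    for identifier, domain in records:
        index[fingerprint(identifier)].add(domain)
    return index


def check_accounts(emails, index):
    """Return {email: sorted list of leak domains} for every address found in the index."""
    hits = {}
    for email in emails:
        domains = index.get(fingerprint(email))
        if domains:
            hits[email] = sorted(domains)
    return hits


def notification(email, domains):
    """Plain-text notice naming the affected domains, following the advice in the post."""
    lines = [
        f"Your address {email} appeared in leaked data from: {', '.join(domains)}.",
        "Change the password on each listed site now, then run the Security Challenge",
        "to find any other sites where the same password is reused.",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    # One run corresponds to the once-a-day check against the latest leak list.
    index = build_index(LEAK_RECORDS)
    for email, domains in check_accounts(ACCOUNT_EMAILS, index).items():
        print(notification(email, domains))
```

Rebuilding the index from the latest leak list on each run is what makes the check "daily": the script carries no state between runs, so a newly published dump is picked up the next time it executes. The same structure would apply to the planned vault-wide check, with the stored usernames fed into `check_accounts` instead of the single account address, which is exactly the step that can only happen while the vault is decrypted.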