LastPass Sentry: automatic leak checks for leaks

Martin Brinkmann
Sep 17, 2012

The online password management service LastPass has a new security feature that aims to reduce the time it takes to inform users if some of their account information, that is username and password, has leaked on the Internet. The idea behind the service is simple but effective. Some hackers release password databases and lists to the public after a successful hack. That public information is collected and made available by various services on the Internet. LastPass has teamed up with pwnedlist to check all account emails against that list to make sure users of the LastPass service are not affected by a leak.

LastPass Sentry performs checks once a day using the latest version of the pwnedlist database. LastPass users are informed by email if their email address has been found in the database. This email contains information about the domain that the email address has been associated with so that users know where the leak occurred.

LastPass recommends changing the password on the affected website immediately, and running the Security Challenge on the LastPass website to check whether the same password has been used on other websites as well. If that is the case, it is highly recommended to change the passwords on those sites too.

The feature is available and enabled for all LastPass users. Users can only opt out of the feature once they have received an email notification.

I personally like LastPass' future plans best. Instead of just checking the account email, the company plans to run regular checks over the entire password database of users, so that all usernames and emails are checked against the leaked password database. The check frequency may also be increased, with the likelihood that premium and enterprise customers will benefit from more frequent checks - the blog mentions near real-time notifications.

Some users have asked how LastPass is performing the checks. The account email address check is currently likely a plain-text check. It is different when LastPass runs the check across a user's password list. Here it is likely that the company will only perform those checks while the user is logged in. Since the vault contents are encrypted when the user is not logged in, the company in theory should not have access to usernames or passwords.
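The check described above can be run entirely on the client, against the already decrypted vault, so that no plaintext username or password has to leave the machine. The following is an added example written for this article, not LastPass or pwnedlist code; it assumes a leak feed that carries the domain of the leak together with a SHA-256 fingerprint of the leaked identifier (an assumption; the article notes that the current email check is probably plaintext), and it uses a constructed sample vault and feed. It also carries the Security Challenge step from the article one stage further: for every vault entry tied to a leak it lists the other sites in the vault that reuse the same password.

```python
"""Local breach check over a decrypted vault (added example, not LastPass code)."""
import hashlib
from collections import defaultdict


def normalize(identifier: str) -> str:
    """Lower-case and trim so that 'Alice@Example.test ' matches 'alice@example.test'."""
    return identifier.strip().lower()


def fingerprint(identifier: str) -> str:
    """SHA-256 of the normalized identifier; the feed is assumed to carry hashes, not plaintext."""
    return hashlib.sha256(normalize(identifier).encode("utf-8")).hexdigest()


# Constructed sample vault, as it would look after local decryption (hypothetical data).
SAMPLE_VAULT = [
    {"site": "shop.example.test",  "username": "alice@example.test", "password": "correct horse"},
    {"site": "forum.example.test", "username": "Alice@Example.test", "password": "correct horse"},
    {"site": "bank.example.test",  "username": "alice@example.test", "password": "Tr0ub4dor&3"},
    {"site": "mail.example.test",  "username": "bob@example.test",   "password": "hunter2"},
]

# Constructed leak feed: (domain the leak came from, fingerprint of the leaked identifier).
SAMPLE_FEED = [
    ("forum.example.test", fingerprint("alice@example.test")),
    ("unrelated.test",     fingerprint("carol@example.test")),
]


def leaked_identities(vault, feed):
    """Map each vault username found in the feed to the domains the leak was tied to."""
    domains_by_hash = defaultdict(set)
    for domain, digest in feed:
        domains_by_hash[digest].add(domain)
    hits = {}
    for entry in vault:
        user = normalize(entry["username"])
        digest = fingerprint(user)
        if digest in domains_by_hash:
            hits[user] = sorted(domains_by_hash[digest])
    return hits


def affected_entries(vault, hits):
    """Vault entries whose own site matches a leak domain reported for their username."""
    return [e for e in vault
            if e["site"] in hits.get(normalize(e["username"]), [])]


def password_reuse(vault, affected):
    """For each affected entry, list the other vault sites that share its password."""
    sites_by_password = defaultdict(set)
    for e in vault:
        sites_by_password[e["password"]].add(e["site"])
    return {e["site"]: sorted(sites_by_password[e["password"]] - {e["site"]})
            for e in affected}


def run_check(vault=SAMPLE_VAULT, feed=SAMPLE_FEED):
    """Full local pass: which identities leaked, where, and which other sites need a new password."""
    hits = leaked_identities(vault, feed)
    affected = affected_entries(vault, hits)
    reuse = password_reuse(vault, affected)
    return {"leaked": hits, "reuse": reuse}


if __name__ == "__main__":
    result = run_check()
    for user, domains in result["leaked"].items():
        print(f"{user}: found in leaks tied to {', '.join(domains)}")
    for site, others in result["reuse"].items():
        print(f"change the password at {site}; also used at: {others or 'no other site'}")
```

The two-stage result mirrors the advice in the article: the `leaked` part tells the user which domain the notification refers to, and the `reuse` part is the Security Challenge follow-up, naming every other site where the same password must be changed as well.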




  1. Vladislav said on September 22, 2012 at 8:51 pm


  2. Vladislav said on September 22, 2012 at 8:49 pm


  3. Roy said on September 18, 2012 at 9:52 am

    I guess they should stress that their future plans to check your accounts in the vault is local to your machine. It’s confusing many people as they have the impression that LastPass does not have access to their vault contents.

  4. Eyes Only said on September 18, 2012 at 3:49 am

    Great news Martin…

    I’ll give it a try.


    Great page.
