Original author(s): Marvasol, Inc. (dba LastPass)
Developer(s): LogMeIn, Inc.
Initial release: August 22, 2008
Stable release:
  • 4.1.25/26 (August 4, 2016)
  • Internet Explorer: 4.1.20 (July 15, 2016)[1]
  • 4.1.2 (March 8, 2016)[2]
  • 3.3.0 (March 24, 2016)[3]
  • Mac App: 3.16.0 (July 11, 2016)[4]
Operating system: Cross-platform
Available in: Multilingual
Type: Password manager
License: Proprietary software

LastPass is a freemium password management service which stores encrypted passwords in private accounts.[5] LastPass comes with a web interface as standard, and also provides plugins and apps for many modern web browsers as well as support for bookmarklets.[5][6][7]

LogMeIn, Inc. acquired LastPass in October 2015.[8]


Passwords in LastPass are protected by a master password, encrypted locally, and synchronized to any other browser. LastPass has a form filler that automates password entering and form filling. It also supports password generation, site sharing and site logging.[9]

On December 2, 2010, it was announced that LastPass acquired the bookmark synchronizer Xmarks.[10] LastPass password management technology was integrated into the "Identity and Privacy" feature of Internet security company Webroot’s newest security suite. Full terms of the licensing deal were not disclosed.[11] Although it is closed source, Sameer Kochhar (one of the developers of LastPass), has argued that, theoretically, the integrity of the software could be verified without making it open source, and mentioned that the developers may be open to the future possibility of making the user interface of LastPass open source.[12]

On October 9, 2015, LastPass was acquired by LogMeIn, Inc. for $125 million; the company will be combined under the LastPass brand with a similar product, Meldium, which was also acquired by LogMeIn.[13]

On February 3, 2016, LastPass unveiled a new logo. The previous logo, which prominently featured an asterisk, was the subject of an unanticipated trademark lawsuit filed in early 2015 by E-Trade, whose logo also features an asterisk.[14][15][16]

On March 16, 2016, LastPass released LastPass Authenticator, a free two-factor authentication app.[17]


  • One master password
  • Cross-browser synchronization
  • Secure password generation
  • Password encryption
  • Form filling
  • Importing and exporting passwords
  • Portable access (using browsers)
  • Multifactor authentication
  • Password-Fingerprint verification (using local certificates or YubiKey)
  • Cross-platform availability (mobile versions available for premium accounts)
  • Mobile access available[18]
  • Free and premium credit monitoring (USA only)[19]


In March 2009, PC Magazine awarded LastPass their "Editors' Choice" for password management.[20] LastPass has a rating of 4 out of 5 stars at the Firefox Add-ons web site with over 900 reviews,[21] and it has been featured on Download Squad,[22] Lifehacker,[23] and MakeUseOf.[24]

In July 2010, LastPass's security model was extensively covered and approved of by Steve Gibson in his Security Now podcast episode 256.[25] He also revisited the subject and how it relates to the NSA in Security Now podcast episode 421.[26]

Security issues[edit]

XSS vulnerability[edit]

In February 2011, a cross-site scripting (XSS) security hole was discovered, reported by security researcher Mike Cardwell, and closed within hours.[27] There was disagreement over severity. Cardwell stated that people should be "very concerned." The company reported that a log search showed no evidence of exploitation (other than by Cardwell). However, in addition to closing the hole, LastPass took additional steps to improve security, including implementing HTTP Strict Transport Security (HSTS), as Cardwell had suggested, implementing X-Frame-Options, and a Content Security Policy-like system in order to provide defense in depth.[27][28]
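The three defence-in-depth headers named above (HSTS, X-Frame-Options and a CSP) are easy to misconfigure so that they are present but ineffective. The following checker is an added example, not LastPass's code; it audits a response header set for those three controls, and the sample header dictionaries are constructed for the example (the one-year HSTS threshold is this checker's own assumption):

```python
from typing import Dict, List

ONE_YEAR = 31536000  # HSTS max-age threshold this checker requires (assumption)

def _directives(value: str) -> Dict[str, str]:
    """Split 'max-age=300; includeSubDomains' into {'max-age': '300', 'includesubdomains': ''}."""
    out: Dict[str, str] = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            out[name.strip().lower()] = val.strip().strip('"')
    return out

def audit_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return one finding per missing or weak header; an empty list means all three are in place."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    # HSTS: must be present and have a max-age long enough that browsers keep the pin
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS: header missing")
    else:
        max_age = _directives(hsts).get("max-age", "0")
        if not max_age.isdigit() or int(max_age) < ONE_YEAR:
            findings.append(f"HSTS: max-age {max_age!r} is shorter than one year")
    # X-Frame-Options: only DENY or SAMEORIGIN actually stop framing (clickjacking)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options: {xfo or 'missing'} (expected DENY or SAMEORIGIN)")
    # CSP: the effective script source list must not permit inline or wildcard scripts
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP: header missing")
    else:
        policy = {d.split()[0].lower(): d.split()[1:] for d in csp.split(";") if d.split()}
        scripts = policy.get("script-src", policy.get("default-src", []))
        if not scripts:
            findings.append("CSP: neither script-src nor default-src is set")
        elif "'unsafe-inline'" in scripts or "*" in scripts:
            findings.append("CSP: script sources allow inline or wildcard scripts")
    return findings

# Constructed sample responses (not captured from any real server).
WEAK_HEADERS = {"Strict-Transport-Security": "max-age=300",
                "Content-Security-Policy": "default-src 'self' 'unsafe-inline'"}
HARDENED_HEADERS = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
                    "X-Frame-Options": "DENY",
                    "Content-Security-Policy": "default-src 'self'; script-src 'self'"}
```

Run `audit_security_headers(WEAK_HEADERS)` to see the three findings; the hardened set returns an empty list.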

2011 security breach[edit]

On Tuesday, May 3, 2011, LastPass discovered an anomaly in their incoming network traffic, and then another, similar anomaly in their outgoing traffic.[29] Administrators found none of the hallmarks of a classic security breach (for example, database logs showed no evidence of a non-administrator user being elevated to administrator privileges), but neither could they determine the root cause of the anomalies. Furthermore, given the size of the anomalies, it is theoretically possible that data such as email addresses, the server salt, and the salted password hashes were copied from the LastPass database. To address the situation, LastPass decommissioned the "breached" servers so they could be rebuilt, and on May 4, 2011, they requested all users to change their master password. However, the resulting user traffic overwhelmed the login servers and, temporarily, administrators were asking users to refrain from changing their passwords until further notice, having judged that the possibility of the passwords themselves being compromised was trivially small. LastPass also stated that while there was no direct evidence any customer information was directly compromised, they preferred to err on the side of caution.[30] There have been no verified reports of customer data loss or password leaks since these precautions were taken. In comment 6, Joe Siegrist committed to a third-party audit, saying one "is certainly prudent". However, no audit results have been published to date.

2015 security breach[edit]

On Monday, June 15, 2015, LastPass posted a blog post stating that the LastPass team had discovered and blocked suspicious activity on their network on the previous Friday.[31] Their investigation revealed that LastPass account email addresses, password reminders, per-user server salts, and authentication hashes were compromised. Encrypted user vault data were not taken in this incident. The blog post said: "We are confident that our encryption measures are sufficient to protect the vast majority of users. LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed."[32]
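The two-stage scheme quoted above (client-side PBKDF2 rounds, then a random per-user salt and 100,000 rounds of server-side PBKDF2-SHA256) can be modelled directly with Python's `hashlib`. This is an added illustration, not LastPass's implementation: the client-side round count and the use of the account e-mail as the client-side salt are assumptions of the example; only the server-side figure comes from the notice.

```python
import hashlib
import hmac
import os

CLIENT_ROUNDS = 5000      # client-side iteration count (assumed for this example)
SERVER_ROUNDS = 100_000   # server-side PBKDF2-SHA256 rounds quoted in the LastPass notice


def client_auth_hash(master_password: str, email: str) -> bytes:
    """Client-side strengthening: the master password itself never leaves the device.
    The normalised account e-mail serves as the client-side salt (an assumption here)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               email.strip().lower().encode("utf-8"), CLIENT_ROUNDS)


def server_strengthen(client_hash: bytes, server_salt: bytes) -> bytes:
    """Server-side strengthening with a random per-user salt, as the notice describes."""
    return hashlib.pbkdf2_hmac("sha256", client_hash, server_salt, SERVER_ROUNDS)


def enroll(master_password: str, email: str) -> dict:
    """Build the record the server keeps: e-mail, per-user salt and the strengthened hash.
    This record is what the 2015 attackers obtained; the client hash itself is not stored."""
    salt = os.urandom(16)
    stored = server_strengthen(client_auth_hash(master_password, email), salt)
    return {"email": email, "salt": salt, "hash": stored}


def verify(record: dict, master_password: str) -> bool:
    """Recompute both stages and compare in constant time. An attacker guessing from the
    stolen record has to pay for exactly this work (both stages) on every candidate."""
    candidate = server_strengthen(client_auth_hash(master_password, record["email"]),
                                  record["salt"])
    return hmac.compare_digest(candidate, record["hash"])
```

Because the salt is random per user, two accounts with the same master password yield different stored hashes, so a precomputed table is of no use against the dump.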

2016 incidents[edit]

A July 27th blog post published by independent online security firm Detectify detailed a method for reading plaintext passwords for arbitrary domains from a LastPass user's vault when that user visited a malicious web site.[33] This vulnerability was made possible by poorly written URL parsing code in the LastPass extension. The flaw was not disclosed publicly by Detectify until LastPass was notified privately and able to fix their browser extension.
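The page does not reproduce the faulty parsing logic, so the example below does not reconstruct it; as an added illustration (not LastPass's or Detectify's code), it shows the property an autofill check needs so that a malicious page cannot be mistaken for a stored site: decide from the parsed hostname of the current page, never from a substring search over the raw URL. The rule that a stored host also matches its own subdomains is a policy choice of this example.

```python
from urllib.parse import urlsplit


def autofill_host_matches(stored_site: str, current_url: str) -> bool:
    """Return True only if credentials saved for `stored_site` may be offered on `current_url`.

    - Both sides are reduced to a parsed hostname, so query strings, paths and
      userinfo (https://bank.example@evil.example/) cannot smuggle the stored name in.
    - Plain http is refused so a credential is never offered to an unencrypted impostor.
    - A subdomain of the stored host matches; a host that merely starts with or
      contains the stored name (bank.example.evil.example) does not.
    """
    stored = urlsplit(stored_site if "://" in stored_site else "https://" + stored_site)
    current = urlsplit(current_url)
    if current.scheme != "https" or not current.hostname or not stored.hostname:
        return False
    site = stored.hostname.lower().rstrip(".")
    host = current.hostname.lower().rstrip(".")
    # the leading dot enforces a label boundary: "notbank.example" must not match
    return host == site or host.endswith("." + site)
```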

LastPass responded to the public disclosure by Detectify in a post on their own blog. In that post they revealed knowledge of an additional vulnerability, discovered by a member of the Google Security Team.[34]

References[edit]

  1. ^ "Recent changes to LastPass". Retrieved August 20, 2016. 
  2. ^
  3. ^
  4. ^
  5. ^ a b "Features". LastPass. Retrieved 27 April 2014. 
  6. ^ "Bookmarklets". LastPass. Retrieved 27 April 2014. 
  7. ^ Michael Riley (5 May 2011). "LastPass says hackers may have stolen passwords for 1.25 million customers". Bloomberg News. Retrieved 28 April 2014. 
  8. ^
  9. ^ Bacon, Roger. "Top Ten Mobile Apps to Keep an Eye On". Wamda. Retrieved 3 March 2016. 
  10. ^ "LastPass Acquires Xmarks!". LastPass blog. 2010-12-02. 
  11. ^ "Automation, partnerships drive Webroot revamp". 2010-07-26. 
  12. ^ "LastPass Forums". 
  13. ^ "LogMeIn buys LastPass for $125 million". The Verge. Retrieved 9 October 2015. 
  14. ^ "Meet the New LastPass Logo". The LastPass Blog. Retrieved 3 February 2016. 
  15. ^ "LastPass Forums • View topic - New Logo tomorrow - so what?". LastPass Forums. Archived from the original on 2016-02-11. Retrieved 2016-02-11. 
  16. ^ "Case Summary: E Trade Financial Corporation v. Marvasol, Inc.". New York Southern District Court -- Electronic Case Filing. Retrieved 2016-02-11. (registration required (help)). 
  17. ^ "LastPass Authenticator Makes Two-Factor Easy". Retrieved 16 March 2016. 
  18. ^ "LastPass mobile". 
  19. ^ "LastPass Credit Monitoring". User Manual. 
  20. ^ "LastPass 1.50". PCMAG. 
  21. ^ "LastPass Password Manager". 
  22. ^ "Engadget - Technology News, Advice and Features". Engadget. 
  23. ^ Adam Pash. "LastPass Adds Form Filler, Syncs Form Profiles and Passwords". Lifehacker. Gawker Media. 
  24. ^ T.J. Mininday. "Securely Synchronize Your Browser Passwords With LastPass". MakeUseOf. 
  25. ^ "Security Now 256". 
  26. ^ "Security Now 421". 
  27. ^ a b "LastPass Vulnerability Exposes Account Details". Archived by WebCite. 
  28. ^ "Cross Site Scripting vulnerability reported, fixed". Archived by WebCite. 
  29. ^ "LastPass Security Notification". The LastPass Blog. 
  30. ^ "LastPass Security Notification" (archive). 
  31. ^ "LastPass Security Notice". The LastPass Blog. 
  32. ^ "Hack of cloud-based LastPass exposes hashed master passwords". Ars Technica. 
  33. ^ "How I made LastPass give me all your passwords". Retrieved 2016-09-26. 
  34. ^ "LastPass Security Updates". Retrieved 2016-09-26. 