Original author(s): Marvasol, Inc. (dba LastPass)
Developer(s): LogMeIn
Initial release: August 22, 2008
Operating system: Cross-platform
Available in: Multilingual
Type: Password manager
License: Proprietary software

LastPass is a freemium password management service that stores encrypted passwords in private accounts. LastPass comes with a standard web interface, but also includes plugins for many web browsers and apps for many smartphones.[1] It also includes support for bookmarklets.[2]

LogMeIn, Inc. acquired LastPass in October 2015.[3]

Overview and history


A user's content in LastPass, including passwords and secure notes, is protected by one master password. The content is synchronized to every device the user uses. Information is encrypted with AES-256, with PBKDF2-SHA256 key derivation, salted hashes, and a user-adjustable Password Iterations value. Encryption and decryption take place on the device. LastPass has a form filler that automates password entry and form filling, and it supports password generation, site sharing, site logging, and two-factor authentication.[1][4]

LastPass is available as an extension to many web browsers, including Google Chrome, Mozilla Firefox, Apple Safari, Microsoft Edge, and Opera. LastPass has apps available for smartphones running the Android, iOS, or Windows Phone operating systems. The apps have offline functionality.[1]


On December 2, 2010, it was announced that LastPass had acquired Xmarks, a web browser extension that enables password synchronization between browsers. The acquisition meant the survival of Xmarks, which had financial troubles, and although the two services will be largely separate, the acquisition did mean a reduced price for paid premium subscriptions combining the two services.[5][6]

On October 9, 2015, LastPass was acquired by LogMeIn, Inc. for $125 million; the company will be combined under the LastPass brand with a similar product, Meldium, which was also acquired by LogMeIn.[3][7][8]

On February 3, 2016, LastPass unveiled a new logo. The previous logo, which prominently featured an asterisk, was the subject of an unanticipated trademark lawsuit filed in early 2015 by E-Trade, whose logo also features an asterisk.[9]

On March 16, 2016, LastPass released LastPass Authenticator, a free two-factor authentication app.[10][11]

On November 2, 2016, LastPass announced that free accounts would now support synchronizing user content to any device, a feature previously exclusive to paid accounts. Earlier, a free account on the service meant it would only sync content to one app.[12][13]

In August 2017, LastPass announced LastPass Families, a family plan for sharing passwords, bank account info, and other sensitive data among family members for a $48 annual subscription.[14]


In March 2009, PC Magazine awarded LastPass five stars, an "Excellent" mark, and its "Editors' Choice" for password management.[15] A new review in 2016, following the release of LastPass 4.0, again earned the service five stars, an "Outstanding" mark, and the "Editors' Choice" honor.[16]

In July 2010, LastPass's security model was extensively covered and approved of by Steve Gibson in his Security Now podcast episode 256.[17] He also revisited the subject and how it relates to the National Security Agency in Security Now podcast episode 421.[18]

Security issues

XSS vulnerability

In February 2011, a cross-site scripting (XSS) security vulnerability was discovered, reported by security researcher Mike Cardwell, and closed within hours.[19][20]

There was disagreement over severity. Cardwell stated that users should be "very concerned." The company reported that a log search showed no evidence of exploitation (other than by Cardwell). Nevertheless, in addition to closing the hole, LastPass took further steps to improve security, including implementing HTTP Strict Transport Security (HSTS), as Cardwell had suggested, implementing X-Frame-Options, and a Content Security Policy-like system in order to provide defense in depth.[19][20]
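The three measures named above (HSTS, X-Frame-Options and a Content Security Policy) are response headers, and the practical question for a defender is whether a site actually sends them with useful values. The following added example, which is not code from the article or from LastPass, is a small header audit that parses the HSTS parameters, checks the framing policy and inspects the CSP script sources. The two header sets are constructed for the example; the thresholds (one-year max-age, no inline or wildcard script sources) are common hardening guidance, not values taken from the article.

```python
from typing import Dict, List, Optional

ONE_YEAR = 365 * 24 * 3600

# Constructed sample responses (not captured from any real server): the same
# page before and after the three hardening measures described above.
BEFORE_HEADERS = {"Content-Type": "text/html"}
AFTER_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
}


def _lookup(headers: Dict[str, str], name: str) -> Optional[str]:
    """Header names are case-insensitive, so compare them folded."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _hsts_params(value: str) -> Dict[str, str]:
    """Parse 'max-age=N; includeSubDomains; preload' into a dict."""
    params: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip().lower()
        if not part:
            continue
        key, _, val = part.partition("=")
        params[key.strip()] = val.strip()
    return params


def _csp_directives(value: str) -> Dict[str, List[str]]:
    """Parse 'script-src a b; object-src none' into {directive: [sources]}."""
    directives: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def audit_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means all three checks pass."""
    findings: List[str] = []

    hsts = _lookup(headers, "Strict-Transport-Security")
    if hsts is None:
        findings.append("HSTS missing: a first request over plain HTTP can still be intercepted")
    else:
        params = _hsts_params(hsts)
        try:
            max_age = int(params.get("max-age", "0"))
        except ValueError:
            max_age = 0
        if max_age < ONE_YEAR:
            findings.append(f"HSTS max-age={max_age} is shorter than one year")
        if "includesubdomains" not in params:
            findings.append("HSTS does not cover subdomains")

    xfo = _lookup(headers, "X-Frame-Options")
    if xfo is None or xfo.strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or permissive: page can be framed by other sites")

    csp = _lookup(headers, "Content-Security-Policy")
    if csp is None:
        findings.append("CSP missing: nothing limits where scripts may load from")
    else:
        directives = _csp_directives(csp)
        # script-src falls back to default-src when absent
        script_src = directives.get("script-src", directives.get("default-src", []))
        if not script_src or "*" in script_src or "'unsafe-inline'" in script_src:
            findings.append("CSP script-src allows inline or wildcard scripts, weakening XSS containment")

    return findings


if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE_HEADERS), ("after", AFTER_HEADERS)):
        print(label, audit_security_headers(hdrs) or ["no findings"])
```

The CSP check deliberately looks only at script sources, because that is the directive that limits what an injected script tag can do; a full policy review would also cover `object-src`, `base-uri` and `frame-ancestors`.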

2011 security breach

On Tuesday, May 3, 2011, LastPass discovered an anomaly in their incoming network traffic, and then another, similar anomaly in their outgoing traffic. Administrators found none of the hallmarks of a classic security breach (for example, database logs showed no evidence of a non-administrator user being elevated to administrator privileges), but neither could they determine the root cause of the anomalies. Furthermore, given the size of the anomalies, it is theoretically possible that data such as email addresses, the server salt, and the salted password hashes were copied from the LastPass database. To address the situation, LastPass decommissioned the "breached" servers so they could be rebuilt, and on May 4, 2011, they requested all users to change their master password. However, the resulting user traffic overwhelmed the login servers and, temporarily, administrators were asking users to refrain from changing their passwords until further notice, having judged that the possibility of the passwords themselves being compromised was trivially small. LastPass also stated that while there was no direct evidence any customer information was directly compromised, they preferred to err on the side of caution.[21][22]

2015 security breach

On Monday, June 15, 2015, LastPass published a blog post stating that its team had discovered and blocked suspicious activity on its network the previous Friday. The investigation revealed that LastPass account email addresses, password reminders, per-user server salts, and authentication hashes were compromised; encrypted user vault data were not taken in this incident. The blog post said: "We are confident that our encryption measures are sufficient to protect the vast majority of users. LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed."[23][24]
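The two passages on LastPass's key handling (device-side PBKDF2-SHA256 with a user-adjustable iteration count in the overview, and the server-side strengthening quoted in the 2015 notice) fit together as one layered design, and the reason the 2015 breach was judged survivable follows from it. The following added example, which is not LastPass's code and does not reproduce its actual protocol, models that layering: the device stretches the master password into a vault key that never leaves it, derives a separate authentication hash from that key, and the server stores only a further PBKDF2 stretch of the authentication hash under a random per-user salt. The client iteration count, the use of the username as the client-side salt, the single extra round for the authentication hash and the `AuthServer` class are all assumptions made for the example; the 100,000 server rounds are the figure quoted above.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Illustrative parameters, constructed for this example (not LastPass's real values).
CLIENT_ITERATIONS = 5000      # the user-adjustable "Password Iterations" value
SERVER_ITERATIONS = 100_000   # the server-side round count quoted in the 2015 notice
KEY_LEN = 32                  # 256 bits, matching an AES-256 key


def derive_vault_key(master_password: str, username: str,
                     iterations: int = CLIENT_ITERATIONS) -> bytes:
    """Device side: stretch the master password into the 256-bit vault key.

    The (lower-cased) username is the salt, so the same password on two accounts
    gives two different keys.  This key stays on the device; it is what would
    feed an AES-256 cipher for the vault contents.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               username.lower().encode("utf-8"), iterations, dklen=KEY_LEN)


def derive_auth_hash(vault_key: bytes, master_password: str) -> bytes:
    """Device side: one further PBKDF2 round turns the vault key into a login
    credential.  Only this value is ever sent to the server.  (Assumed design.)"""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode("utf-8"),
                               1, dklen=KEY_LEN)


class AuthServer:
    """Server side: keeps a random per-user salt and a further-stretched hash.

    A copy of this table (salts plus stored hashes, as in the 2015 incident)
    contains neither the vault key nor the master password; recovering either
    costs an attacker the full client and server PBKDF2 work per guess.
    """

    def __init__(self) -> None:
        self._records: Dict[str, Tuple[bytes, bytes]] = {}

    @staticmethod
    def _strengthen(auth_hash: bytes, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ITERATIONS, dklen=KEY_LEN)

    def register(self, username: str, auth_hash: bytes) -> None:
        salt = os.urandom(16)
        self._records[username.lower()] = (salt, self._strengthen(auth_hash, salt))

    def verify(self, username: str, auth_hash: bytes) -> bool:
        record: Optional[Tuple[bytes, bytes]] = self._records.get(username.lower())
        if record is None:
            return False
        salt, stored = record
        # constant-time comparison avoids leaking how many bytes matched
        return hmac.compare_digest(self._strengthen(auth_hash, salt), stored)

    def stored_record(self, username: str) -> Tuple[bytes, bytes]:
        """What a copy of the server database would hold for this user."""
        return self._records[username.lower()]


def login(server: AuthServer, username: str, master_password: str,
          iterations: int = CLIENT_ITERATIONS) -> bool:
    """Full device-side flow: derive the vault key, derive the auth hash, send it."""
    vault_key = derive_vault_key(master_password, username, iterations)
    return server.verify(username, derive_auth_hash(vault_key, master_password))


if __name__ == "__main__":
    server = AuthServer()
    user, password = "alice@example.com", "correct horse battery staple"   # constructed
    server.register(user, derive_auth_hash(derive_vault_key(password, user), password))
    print("correct password accepted:", login(server, user, password))
    print("wrong password rejected:", not login(server, user, "wrong password"))
```

Raising `CLIENT_ITERATIONS` makes every guess against a stolen vault more expensive without any change on the server, which is the point of exposing the iteration count to the user; the server-side rounds protect the authentication hashes specifically, which is why the 2015 notice discussed them rather than the vault encryption.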

2016 incidents

In July 2016, a blog post published by independent online security firm Detectify detailed a method for reading plaintext passwords for arbitrary domains from a LastPass user's vault when that user visited a malicious web site. This vulnerability was made possible by poorly written URL parsing code in the LastPass extension. The flaw was not disclosed publicly by Detectify until LastPass was notified privately and able to fix their browser extension.[25] LastPass responded to the public disclosure by Detectify in a post on their own blog, in which they revealed knowledge of an additional vulnerability, discovered by a member of the Google Security Team, and already fixed by LastPass.[26]
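The article gives no detail of the parsing defect, and the example below is not a reconstruction of it. What it shows, as an added example that is not code from the article or from LastPass, is the general check any autofill component has to get right: deciding whether the page a user is on belongs to the site a credential was saved for. The robust version takes the host from a real URL parser and compares it against the saved host on label boundaries; the naive version beside it, a substring search over the whole URL, is a classic pitfall included for contrast. The URLs in the tests are constructed, and the choice to treat subdomains of the saved host as the same site is an assumption of the example.

```python
from typing import Optional
from urllib.parse import urlsplit


def page_host(url: str) -> Optional[str]:
    """Return the lower-cased host of a page URL, or None if it is not an https
    URL with a host.

    urlsplit separates scheme, userinfo (user@host), host, port, path and query,
    so text that merely looks like a hostname elsewhere in the URL is ignored.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != "https" or not parts.hostname:
        return None
    return parts.hostname.lower()


def belongs_to_site(url: str, saved_host: str) -> bool:
    """Robust check: the page host must equal the saved host or be one of its
    subdomains (assumed policy; a stricter deployment would require equality)."""
    host = page_host(url)
    if host is None:
        return False
    saved_host = saved_host.lower().strip(".")
    return host == saved_host or host.endswith("." + saved_host)


def naive_match(url: str, saved_host: str) -> bool:
    """The pitfall for contrast: a substring search anywhere in the URL, which
    also matches query strings, userinfo and look-alike hosts."""
    return saved_host.lower() in url.lower()


if __name__ == "__main__":
    # Constructed URLs for demonstration; none refer to a real site.
    cases = [
        "https://accounts.example.com/login",
        "https://example.com.other.test/",
        "https://example.com@other.test/",
        "https://other.test/?next=https://example.com",
        "http://example.com/",
    ]
    for url in cases:
        print(f"{url:50} robust={belongs_to_site(url, 'example.com')!s:5} "
              f"naive={naive_match(url, 'example.com')}")
```

Note that the host comparison is only one of the conditions an autofill decision needs; the scheme check in `page_host` (https only) is there because credentials filled into a plain-http page are exposed in transit regardless of how well the host was matched.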

2017 incidents

On March 20, 2017, Tavis Ormandy discovered a vulnerability in the LastPass Chrome extension. The flaw applied to all LastPass clients, including Chrome, Firefox and Edge. The affected functionality was disabled on March 21 and the vulnerability was patched on March 22.[27]

On March 25, Ormandy discovered an additional security flaw allowing remote code execution when the user navigated to a malicious website. This vulnerability was also patched.[28][29]

References
  1. "The best way to manage passwords". LastPass. Retrieved November 2, 2016.
  2. "Bookmarklets". LastPass. Retrieved November 2, 2016.
  3. "LastPass Joins the LogMeIn Family". LastPass. Retrieved November 2, 2016.
  4. "11 Ways to Make Your LastPass Account Even More Secure". Retrieved July 17, 2017.
  5. "LastPass Acquires Xmarks!". LastPass. Retrieved November 2, 2016.
  6. Purdy, Kevin (December 2, 2010). "LastPass Acquires Xmarks, Keeping Free Bookmark-Syncing Plans Available". Lifehacker.
  7. Brodkin, Jon (October 9, 2015). "LogMeIn buys LastPass password manager for $110 million". Ars Technica. Retrieved November 2, 2016.
  8. Perez, Sarah (October 9, 2015). "LogMeIn Acquires Password Management Software LastPass For $110 Million". TechCrunch. Retrieved November 2, 2016.
  9. Siegrist, Joe. "Meet the New LastPass Logo". LastPass. Retrieved November 2, 2016.
  10. "LastPass Authenticator Makes Two-Factor Easy". LastPass. Retrieved November 2, 2016.
  11. Whitwam, Ryan (March 16, 2016). "LastPass Releases Its Own 2-Factor Mobile Authenticator App". AndroidPolice. Retrieved November 2, 2016.
  12. Siegrist, Joe. "Get LastPass Everywhere: Multi-Device Access Is Now Free!". LastPass. Retrieved November 2, 2016.
  13. Kastrenakes, Jacob (November 2, 2016). "There's now one less excuse not to use a password manager". The Verge. Retrieved November 2, 2016.
  14. Maring, Joe (August 3, 2017). "LastPass announces pricing for 'Families' plan; doubles cost of Premium option". 9to5Google. Retrieved August 4, 2017.
  15. Rubenking, Neil (March 20, 2009). "LastPass 1.50 Review". PC Magazine. Archived from the original on March 24, 2009. Retrieved November 2, 2016.
  16. Rubenking, Neil (November 2, 2016). "LastPass 4.0 Review". PC Magazine. Retrieved November 2, 2016.
  17. "Security Now 256". Retrieved November 2, 2016.
  18. "Security Now 421". Retrieved November 2, 2016.
  19. "Cross Site Scripting vulnerability reported, fixed". LastPass. Retrieved November 2, 2016.
  20. Cardwell, Mike. "LastPass Vulnerability Exposes Account Details". Archived from the original on September 26, 2016. Retrieved November 2, 2016.
  21. "LastPass Security Notification". LastPass. Retrieved November 2, 2016.
  22. Raphael, JR (May 5, 2011). "LastPass CEO Explains Possible Hack". PC World. Retrieved November 2, 2016.
  23. "LastPass Security Notice". LastPass. Retrieved November 2, 2016.
  24. Goodin, Dan (June 15, 2015). "Hack of cloud-based LastPass exposes hashed master passwords". Ars Technica. Retrieved November 2, 2016.
  25. "How I made LastPass give me all your passwords". Detectify. Retrieved November 2, 2016.
  26. "LastPass Security Updates". LastPass. Retrieved November 2, 2016.
  27. "Important Security Updates for Our Users". The LastPass Blog. Retrieved April 9, 2017.
  28. Ormandy, Tavis. "Travis Ormandy Announces New Last Pass Vulnerability". Retrieved March 25, 2017.
  29. "Security Update for the LastPass Extension". The LastPass Blog. Retrieved June 12, 2017.
