Company type | Private |
---|---|
Industry | |
Founded | 2008 |
Headquarters | 125 High Street, , United States |
Key people | Karim Toubba, CEO (2022-Present) |
Revenue | $200 million (2021) |
Owners |
|
Number of employees | 800+ (2024) |
Website | lastpass |
Footnotes /references [1] [2] |
LastPass is a password manager application. [3] The standard version of LastPass comes with a web interface, but also includes plugins for various web browsers and apps for many smartphones. It also includes support for bookmarklets.
Founded in 2008 by four developers, [4] [5] Lastpass was acquired by GoTo (formerly LogMeIn Inc.) for $110 million in 2015. [6] LastPass was spun-off from GoTo into a stand-alone business in 2024. [7]
LastPass suffered significant security incidents between 2011 and 2022. Notably, in late 2022, user data, billing information, and vaults (with some fields encrypted and others not) [a] [8] were breached, leading many security professionals to call for users to change all their passwords and switch to other password managers. [9]
A user's content in LastPass, including passwords and secure notes, is protected by one master password. The content is synchronized to any device the user uses the LastPass software or app extensions on. Information is encrypted with AES-256 encryption with PBKDF2 SHA-256, salted hashes, and the ability to increase password iterations value. Encryption and decryption takes place at the device level. [10] [11]
LastPass has a form filler that automates password entering and form filling, and it supports password generation, site sharing and site logging, and two-factor authentication. LastPass supports two-factor authentication via various methods including the LastPass Authenticator app for mobile phones as well as others including YubiKey. [12]
Unlike some other major password managers, LastPass offers a user-set password hint, allowing access when the master password is missing. [13]
On December 2, 2010, it was announced that LastPass had acquired Xmarks, a web browser extension that enabled password synchronization between browsers. The acquisition meant the survival of Xmarks, which had financial troubles, and although the two services remained separate, the acquisition led to a reduced price for paid premium subscriptions combining the two services. [14] [15] On March 30, 2018, the Xmarks service was announced to be shut down on May 1, 2018, according to an email to LastPass users. [16]
On October 9, 2015, GoTo acquired LastPass for $110 million. The company was combined under the LastPass brand with a similar product, Meldium, which had already been acquired by GoTo. [17] [18]
On March 16, 2016, LastPass released LastPass Authenticator, a free two-factor authentication app. [19]
On November 2, 2016, LastPass announced that free accounts would now support synchronizing user content to any device, a feature previously exclusive to paid accounts. Earlier, a free account on the service meant it would sync content to only one app. [20] [21]
In August 2017, LastPass announced LastPass Families, a family plan for sharing passwords, bank account info, and other sensitive data among family members for a $48 annual subscription. They also doubled the price of the Premium version without adding any new features to it. Instead, some features of the free version were removed. [22]
On December 14, 2021, GoTo announced that LastPass would be established as an independent company. [23] The spin-off was completed in May 2024, with LastPass being directly controlled by Francisco Partners and Elliott Management, the private equity firms that took GoTo private in 2020. [7] [24]
In March 2009, PC Magazine awarded LastPass five stars, an "Excellent" mark, and their "Editors' Choice" for password management. [25] A new review in 2016 following the release of LastPass 4.0 earned the service again five stars, an "Outstanding" mark, and "Editors' Choice" honor. [26]
In July 2010, LastPass's security model was extensively covered and approved of by Steve Gibson in his Security Now podcast episode 256. [27] He also revisited the subject and how it relates to the National Security Agency in Security Now podcast episode 421. [28]
In October 2015 when GoTo acquired LastPass, founder Joe Siegrist's blog was filled with user comments voicing criticism of GoTo. [29] Web sites ZDNet, Forbes and Infoworld posted articles mentioning the outcry by existing customers, some of whom said they would refuse to do business with GoTo, and raised other concerns about GoTo's reputation. [30] [31] [32]
In a 2017 Consumer Reports article commented LastPass a popular password manager (alongside Dashlane, KeePass, and 1Password), with the choice between them mostly down to personal preference. [13] In March 2019, Lastpass was awarded the Best Product in Identity Management award during the seventh annual Cyber Defense Magazine InfoSec Awards. [33]
On Monday, June 15, 2015, LastPass posted a blog post indicating that the LastPass team had discovered and halted suspicious activity on their network the previous Friday. Their investigation revealed that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised; however, encrypted user vault data had not been affected. [34]
In 2021, it was discovered that the Android app contained third-party trackers. [35] Also, at the end of 2021, an article at the site BleepingComputer reported that LastPass users were warned that their master passwords were compromised. [36]
In August 2022, a hacker stole a copy of a customer database, and some copies of the customers' password vaults. The stolen information includes names, email addresses, billing addresses, partial credit cards and website URLs. [37] Some of the data in the vaults was unencrypted, while other data was encrypted with users' master passwords. The security of each user's encrypted data depends on the strength of the user's master password, or whether the password had previously been leaked, and the number of rounds of encryption used. Details of the number of rounds for each customer was stolen. Some customer vaults were more vulnerable to decryption than others. [38] [39]
In November 2022, LastPass assured users that passwords stored with the service were still secure. [40]
The customer data included customers' names, billing addresses, phone numbers, email addresses, IP addresses and partial credit card numbers, and the number of rounds of encryption used, MFA seeds and device identifiers. [38] The vault data included, for each breached user, unencrypted website URLs [b] [8] and site names, and encrypted usernames, passwords and form data for those sites. [38]
The threat actor first gained unauthorized access to portions of their development environment, source code, and technical information through a single compromised developer's laptop. [41] LastPass responded by re-building their development environment and rotating certificates. [42] The actor, however, used the information to target and hack the computer of a senior DevOps engineer, [42] and used a key logger to obtain that engineer's master password. The actor then gained access to an encrypted corporate vault, which was shared between just four engineers. That vault contained keys to S3 buckets of the backups to customer files. [43] The actor obtained the user database of August 14, 2022, and several password vault backups taken between August 20 and September 16, 2022. [44]
Commentators expressed concerns that if a user's master password was weak or leaked, [38] the encrypted parts of the customer's data could be decrypted. [45] Initially, LastPass stated no action was necessary for the majority of its customers, [46] but other sources recommended changing all passwords and vigilance against possible phishing attacks. [38] [47]
A class-action lawsuit was initiated in early 2023, with the anonymous plaintiff stating that LastPass failed to keep users' information safe. [48] Of particular concern in the lawsuit was the increased risk of the details being used in phishing attacks. [48]
In September 2023, a potential link was made between the 2022 data theft and a total of more than $35 million in cryptocurrency that had been stolen from over 150 victims since December 2022. The link was made due the fact that almost all victims were LastPass users. [49] [50]
End-to-end encryption (E2EE) is a method of implementing a secure communication system where only communicating users can participate. No one else, including the system provider, telecom providers, Internet providers or malicious actors, can access the cryptographic keys needed to read or send messages.
BitLocker is a full volume encryption feature included with Microsoft Windows versions starting with Windows Vista. It is designed to protect data by providing encryption for entire volumes. By default, it uses the Advanced Encryption Standard (AES) algorithm in cipher block chaining (CBC) or "xor–encrypt–xor (XEX)-based Tweaked codebook mode with ciphertext Stealing" (XTS) mode with a 128-bit or 256-bit key. CBC is not used over the whole disk; it is applied to each individual sector.
A password manager is a software program to prevent password fatigue by automatically generating, autofilling and storing passwords. It can do this for local applications or web applications such as online shops or social media. Web browsers tend to have a built-in password manager. Password managers typically require a user to create and remember a single password to unlock to access the stored passwords. Password managers can integrate multi-factor authentication.
This is a technical feature comparison of different disk encryption software.
Matthew Rosenfeld, better known by the pseudonym Moxie Marlinspike, is an American entrepreneur, cryptographer, and computer security researcher. Marlinspike is the creator of Signal, co-founder of the Signal Technology Foundation, and served as the first CEO of Signal Messenger LLC. He is also a co-author of the Signal Protocol encryption used by Signal, WhatsApp, Google Messages, Facebook Messenger, and Skype.
Apple Account, formerly known as Apple ID, is a user account by Apple for their devices and software. Apple Accounts contain the user's personal data and settings, and when an Apple Account is used to log in to an Apple device, the device will automatically use the data and settings associated with the Apple Account.
Tresorit is a cloud storage platform that offers functions for administration, storage, synchronization, and transfer of data using end-to-end encryption.
SecureSafe is a cloud based software-as-a-service with a password safe, a document storage and digital spaces for online collaboration. The service is developed based on the principles of security by design and privacy by design.
Proton Mail is a Swiss end-to-end encrypted email service founded in 2013 and headquartered in Plan-les-Ouates, in the Canton of Geneva of Switzerland. Proton Mail is now run by Proton AG, which also operates Proton VPN, Proton Drive, Proton Calendar, Proton Pass and Proton Wallet. It uses client-side encryption to protect email content and user data before they are sent to Proton Mail servers, unlike other common email providers such as Gmail and Outlook.com.
Keeper Security, Inc. (Keeper) is a global cybersecurity company founded in 2009 and headquartered in Chicago, Illinois. Keeper provides zero-knowledge security and encryption software covering functions such as password and passkey management, secrets management, privileged access management, secure remote access and encrypted messaging.
Riseup is a volunteer-run social movement organization providing secure email, email lists, a VPN service, online chat, and other online services to support activists engaged in various social justice causes and opposition to capitalism. This organization was launched by activists in Seattle with borrowed equipment and a few users in 1999 or 2000, and quickly grew to millions of accounts.
The American cloud storage and file synchronization company Dropbox Inc. had several security and privacy controversies. Issues include a June 2011 authentication problem that let accounts be accessed for several hours without passwords; a July 2011 privacy policy update with language suggesting Dropbox had ownership of users' data; concerns about Dropbox employee access to users' information; July 2012 email spam with reoccurrence in February 2013; leaked government documents in June 2013 with information that Dropbox was being considered for inclusion in the National Security Agency's PRISM surveillance program; a July 2014 comment from NSA whistleblower Edward Snowden criticizing Dropbox's encryption; the leak of 68 million account passwords on the Internet in August 2016; and a January 2017 accidental data restoration incident where years-old supposedly deleted files reappeared in users' accounts.
NordVPN is a Lithuanian VPN service with applications for Microsoft Windows, macOS, Linux, Android, iOS, Android TV, and tvOS. Manual setup is available for wireless routers, NAS devices, and other platforms.
Bitwarden is a freemium open-source password management service that is used to store sensitive information, such as website credentials, in an encrypted vault. The platform hosts multiple client applications, including a web interface, desktop applications, browser extensions, mobile apps, and a command-line interface. The platform offers a free US or European cloud-hosted service as well as the ability to self-host.
NordPass is a proprietary password manager launched in 2019. It allows its users to organize their passwords and secure notes by keeping them in a single encrypted vault. NordPass, which operates on a freemium business model, was developed by the VPN service NordVPN.
Microsoft Autofill is a password manager developed by Microsoft. It supports multiple platforms such as Android, iOS, and Google Chrome or other Chromium-based web browsers. It is a part of Microsoft Authenticator app in Android and iOS, and a browser extension on Google Chrome. It stores users' passwords under the user's Microsoft Account. It can import passwords from Chrome and some popular password managers or from a CSV file. In Microsoft Authenticator app, it requires multi-factor authentication to sign in which provides an additional layer of security. The passwords are encrypted both on the device and the cloud.
The following is a general comparison of OTP applications that are used to generate one-time passwords for two-factor authentication (2FA) systems using the time-based one-time password (TOTP) or the HMAC-based one-time password (HOTP) algorithms.
Proton Pass is a password manager developed by the Swiss software company Proton AG. It stores login credentials, email aliases, credit card data, passkeys, 2FA secret keys, and notes in virtual vaults that are encrypted using 256-bit AES-GCM.