PwnedList Partnership Provides Credential Monitoring for LastPass Users

A partnership announced today merges LastPass’s credential management services with PwnedList’s credential monitoring services. The companies said “credential management and credential monitoring [are] natural complements” and that the move will bolster password security for LastPass end users.


PwnedList runs a database of some 23 million login credentials exposed in, or otherwise made public by, recent data breaches. Among PwnedList’s sources are the compromises of Gawker, Sony, Stratfor, Gamigo, Yahoo! and other hacks. LastPass provides password management services to individuals and enterprise clients.

The partnership will enable LastPass to cross-reference its users’ passwords and username or email address combinations against PwnedList’s database of compromised usernames, email addresses, and passwords. When a match is found between a user’s credentials and information in the PwnedList database, LastPass will be able to send an email alert to the user in question, prompting that person to reset the affected password or passwords.

LastPass will check passwords against the PwnedList database every day. For enterprise customers, LastPass will contact administrators as well as employees when matches are found.

The partnership came about after LastPass became the first customer to sign on to PwnedList’s End User Protection Services. The service offers access to PwnedList’s compromised credential database in order to determine which of its users is at the highest risk of account takeovers and other online fraud.

PwnedList launched in November 2011 and its database has grown consistently. When Threatpost interviewed PwnedList’s co-founder Steve Thomas in March, the database contained 12 million credentials. The PwnedList database has doubled in the last six months.


Discussion

  • Andrew on

    How is the comparison done, as I thought all passwords were encrypted by the user's private key (i.e. password), and so not accessible to anyone but the master password holder?

  • Anonymous on

    I am wondering the same thing

  • Anonymous on

    umm... something doesn't line up here

    So this isn't true?

    "We've accomplished this by using 256-bit AES implemented in C++ and JavaScript (for the website) and exclusively encrypting and decrypting on your local PC. No one at LastPass can ever access your sensitive data. We've taken every step we can think of to ensure your security and privacy."

    highly concerned now....

  • Brian Donohue on

    These are excellent questions. I'm following up as I type.

  • Brian Donohue on

    From LastPass:

    "...all passwords and other sensitive data are encrypted with a private key that's never shared with LastPass. ...PwnedList sends us the updates to their database, we check that list against LastPass user account email addresses, and notify users of any matches. We can't check the contents of the vault at this time."

    So, LastPass isn't checking passwords. They only run the email addresses against the list of email addresses that PwnedList gives them. PwnedList receives no information in the exchange.

    Sorry if I wasn't clear in the article.
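The daily check as the article describes it, with the matching rule narrowed to what LastPass's statement above confirms: account email addresses are compared against the breach feed, the vault ciphertext is opaque to the server, and the feed's password field is never consulted. This is an added illustration written for this page, not LastPass or PwnedList code; the account list, the breach feed and the source labels are constructed, and the enterprise-admin routing follows the article's note that administrators are contacted alongside employees.

```python
"""Daily breach-feed cross-check modelled on the flow described on this page.
Added example, not LastPass or PwnedList code. All data is constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Account:
    email: str
    vault_ciphertext: bytes                 # encrypted client-side; the server has no key
    enterprise_admin: Optional[str] = None  # set for enterprise seats (constructed)


@dataclass(frozen=True)
class BreachRecord:
    email: str
    source: str                             # constructed breach label
    password: Optional[str] = None          # present in the feed, deliberately never read


def normalize_email(addr: str) -> str:
    """Comparison key: e-mail local parts are case-sensitive in theory, but
    breach dumps and signup forms mix case freely, so compare case-insensitively."""
    return addr.strip().lower()


def find_matches(accounts: List[Account], feed: List[BreachRecord]) -> Dict[str, List[str]]:
    """Map each affected account e-mail (as stored) to the breach sources it appeared in.
    Only the address is compared: the vault blob is never decrypted (no key) and the
    feed's password column is ignored, so a match says 'this address appeared in a
    dump', not 'this vault password is known'."""
    sources_by_email: Dict[str, List[str]] = {}
    for rec in feed:
        sources_by_email.setdefault(normalize_email(rec.email), []).append(rec.source)

    matches: Dict[str, List[str]] = {}
    for acct in accounts:
        hits = sources_by_email.get(normalize_email(acct.email))
        if hits:
            matches[acct.email] = sorted(set(hits))   # dedupe repeated appearances
    return matches


Alert = Tuple[str, str, List[str]]   # (recipient, affected account, sources)


def build_alerts(accounts: List[Account], matches: Dict[str, List[str]]) -> List[Alert]:
    """One alert to each affected user; enterprise seats also notify their admin."""
    admin_of = {a.email: a.enterprise_admin for a in accounts}
    alerts: List[Alert] = []
    for email, sources in sorted(matches.items()):
        alerts.append((email, email, sources))
        admin = admin_of.get(email)
        if admin:
            alerts.append((admin, email, sources))
    return alerts


def daily_run(accounts: List[Account], feed: List[BreachRecord]) -> List[Alert]:
    """The scheduled job: ingest the day's feed update, match, and queue alerts."""
    return build_alerts(accounts, find_matches(accounts, feed))


# Constructed sample data: three accounts, one of them an enterprise seat.
ACCOUNTS = [
    Account("alice@example.com", b"\x8f\x13\xa0opaque-blob-1"),
    Account("Bob@Corp.example", b"\x02\x77opaque-blob-2", enterprise_admin="it-admin@corp.example"),
    Account("carol@example.net", b"\x41\x41opaque-blob-3"),
]

# Constructed feed update: alice appears twice, bob once in different case, one stranger.
FEED = [
    BreachRecord("alice@example.com", "constructed-breach-A", password="hunter2"),
    BreachRecord("bob@corp.example", "constructed-breach-B"),
    BreachRecord("alice@example.com", "constructed-breach-C", password="hunter2"),
    BreachRecord("nobody@example.org", "constructed-breach-A", password="letmein"),
]

if __name__ == "__main__":
    for recipient, affected, sources in daily_run(ACCOUNTS, FEED):
        print(f"notify {recipient}: {affected} seen in {', '.join(sources)}")
```

The design choice worth noting is that the matcher is structurally incapable of doing what the commenters feared: it takes ciphertext it cannot open and a feed column it never reads, so the only signal it can produce is "your address was in a dump, rotate what you used there".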
