LastPass teams with PwnedList to flag stolen accounts

Online password manager LastPass will leverage massive PwnedList database of stolen accounts to alert customers if their credentials have been hacked

Starting today, users of online password manager LastPass will receive email notification about a free and potentially invaluable new service that is based on the extensive list of hacked accounts maintained by PwnedList. Under the terms of a just announced agreement, PwnedList will provide its continuously updated database to LastPass so that it can perform a daily batch scan of all LastPass user accounts and generate email notifications for any username/password combinations that have been compromised.

PwnedList's comprehensive list of "pwned" accounts -- compromised log-on IDs and passwords that have been posted in public and semi-public areas -- has grown from 12 million in March to almost 24 million today. PwnedList has both an online checker, where you can submit a username/password combination to see if it's on the compromised list, and a pre-emptive service that monitors new additions to the database, to see if your credentials have been hacked. There's an option to submit your username and password in a one-way encrypted form, so PwnedList can't harvest your username. There's also an option for companies to monitor their domain names and receive notification if any of their corporate email accounts have been posted.

LastPass spokesperson Amber Gott explained the mechanics of the new service to me this way: "We do batch checking nightly, against the whole [PwnedList] database. The service is free, and opt-out via an email sent to the user."

If the scan picks up a cracked credential, the user is notified via email which says that right now would be a very good time to change the cracked password, not only on the compromised server, but anywhere else you might be using the same username/password combination.

LastPass is offering the unique service to its free and Premium individual customers, as well as to corporate Enterprise customers. For Enterprise customers, both the individual and the administrator receive notifications that a match has been found.

The service rolls out today. It's bound to make some waves.

This story, "LastPass teams with PwnedList to flag stolen accounts," was originally published at Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow on Twitter.

Copyright © 2012 IDG Communications, Inc.

How to choose a low-code development platform