Password age reporting


I am quite certain that years ago I was able to note down the age of my passwords. Don't recall how this was done, but pretty sure the feature existed.

 

With the known security breach, and wishy-washy deflecting responses from LastPass/LogMeIn management... I am wanting to go through and update all of my passwords.

 

But as it stands I have to make note within the password record when I last updated or otherwise remember where I am at with my resetting. The "last access" column isn't helpful in this regard.

 

At the very least we need tracking for password ages. I am flabbergasted that this does not already exist!
But ideally we need additional features around it such as setting an age limit at which point records are flagged for the user to update or otherwise receive an email reminder.

 

But a bare minimum is a column with age or a report that we can sort through.

 

Get with it guys.

4 Comments
evs2
New Member

I came here searching for the EXACT same thing for the EXACT same reasons, and I feel the EXACT same way.  It is incredible that this report does not exist, already.

studog
Active Contributor

I like this idea. It would be great if we had a Last Changed Date column on the Security Dashboard \ Password Security page. This way you could sort all of the passwords by Last Changed Date. Also it would be nice to be able to have a "Risk" added to the same page that you could set a Last Changed Date by. I.e., let the end user pick a time frame, say 1 year or 6 months, and when a Last Changed Date goes past the defined time, it becomes a "Risk".

nickgrealy
Active Contributor
I found a couple of other feature requests related to "show password last changed date".

Please signal boost this feature, by upvoting this issue ->

DubiousUser
Active Contributor

The reality is that given their data breach, this feature is essential.  We know that the user vaults were stolen on or about August, 2022 (and perhaps thereafter - LastPass hasn't said exactly). That means any vault containing a password of that age or older is vulnerable should the hackers manage to reverse engineer/decrypt what they have already stolen.  

Sadly, since other things are not so readily changed: credit and debit card numbers, license keys, VINs, passports... if you have or HAD those things in your vault you're just flat out screwed.  To make matters worse, LastPass has admitted that some parts of that data are NOT encrypted (e.g. URLs - see below).  So if I were a hacker, and I noticed that "bankofamerica.com" was among those URLs, of course I'd attack those first thinking I could get rich stealing out of the hacked customer's bank accounts.  In other words, because LastPass was lazy about protecting the whole vault security, they made it easier for the attackers to choose "high value" targets first.

The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.   [https://blog.lastpass.com/2022/12/notice-of-recent-security-incident]

Unfortunately this doesn't specify what else is "unencrypted" - so e.g. if a notes field is unencrypted and contains sensitive information, the hacker may already have that data!