How does their "Updated Cert?" check work? If it's just checking notBefore, it's going to have a ton of false negatives, as a lot of CAs are just re-issuing certs using the original notBefore.
7
Wait. When I click "Security Check" in my LastPass Tools... menu (this is in Chrome), I get taken to an internet-hosted web page where I'm prompted to enter my master password. [1] I am not taken to a chrome:// page or some other client-side tool.
I take this to mean that I'm giving LastPass's web server my actual master password, and that they will do server-side decryption of my Vault and have server-side access to my passwords in cleartext.
Is that accurate?
[1] https://lastpass.com/index.php?securitychallenge=1&lang=en-US&fromwebsite=1&lpnorefresh=1
6
Notably some sites are using fresh certificates that have the same (months-in-the-past) starting-validity date as their old certificates. For example, Heroku has done this.
(I can think of a few process and fee reasons this approach might be picked. Perhaps a CA might offer a free new cert and revocation, if and only if the new cert has the same validity range as the one it replaces. An ops team might prefer one consistent time of year for the ceremony of non-emergency certificate rotation.)
I didn't notice any field in the cert-viewers of Firefox or Chrome that could reliably tell the true issue-date of a new certificate.
Is LastPass just looking at the start of the validity, or does it have some way to know if the certificate is truly new?
3
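The notBefore problem raised in the two comments above (the "Updated Cert?" false negatives, and reissued certs that keep the original validity start), as an added example that is not part of any comment here: a Go program that builds constructed test certificates and shows that comparing notBefore against a cutoff date misses such a reissue, while comparing the serial number and public key against the cert recorded earlier does catch it. All names, serials and dates are constructed.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert builds a self-signed test cert (constructed, not any real site's) with
// the given serial and notBefore; each call gets a fresh key, as a reissue would.
func mkCert(serial int64, notBefore time.Time) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: "example.test"},
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(1, 0, 0),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// updatedByNotBefore is the naive check: was the cert issued after the cutoff?
// A reissue whose CA copied the old validity start is reported as not updated.
func updatedByNotBefore(c *x509.Certificate, cutoff time.Time) bool {
	return c.NotBefore.After(cutoff)
}

// replacedSince compares the cert served now with the one recorded before the
// cutoff: a different serial or public key means it was reissued, whatever
// notBefore the CA chose to print.
func replacedSince(old, now *x509.Certificate) bool {
	return old.SerialNumber.Cmp(now.SerialNumber) != 0 ||
		!bytes.Equal(old.RawSubjectPublicKeyInfo, now.RawSubjectPublicKeyInfo)
}
```

The identity comparison only works if the checker recorded the site's certificate (or at least its serial and SPKI fingerprint) before the cutoff; without that baseline, notBefore is all a client-side checker has.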
I wish there was (or maybe there is) a protocol for updating your password. Then managers like LastPass and 1Password could more easily update your password. Maybe, behind the scenes, they could rotate your password every x days automatically. Having a protocol in place would also make breach notices an easy "update all passwords" click away.
There's probably a reason this is a bad idea. Let's hear it! :)
2
I've been meaning to switch to a password organizer rather than rely on my browser's built-in one (I know)... I've seen a few discussions on here but I haven't seen a clear victor. In your opinion, is LastPass the one I should go with? Or Keepass or OnePass or one of the others?
Edit just to say I think this is a very nice feature by LastPass and thanks for posting.
1
