[Donald]

> What would be even cooler is an API on top of LastPass that sites like Zappos could hook into to force a behind-the-scenes change of passwords

How would Lastpass protect against an attacker masquerading as the third party website? (Especially considering this feature would be used when a website finds itself compromised.)

[IgorPartola]

Maybe an API is an overkill in this case. Instead, a simple web service with a twist: Zappos has a private key and LastPass has the corresponding public key. Now, if Zappos.com is compromised and the breached is discovered and fixed, their CEO/CTO/head security guy grabs the private key and authenticates to LastPass, telling them that he is in fact who he says he is, and finally triggers the massive automatic password reset. Obviously, this will not work if the private key is compromised, but then again, our whole web security paradigm is "trust that the website owner knows what s/he is doing", so this is already a step up.

Or, as I mentioned, let's do away with passwords. Anyone can have your public key so long as your private key stays private.

[tedivm]

Well, lastpass doesn't store the passwords on its servers in a way that they could just change. From my understanding the database is only decrypted on the client machines when the master password is entered.

Still, the idea of a service for handling this makes sense. Rather than one based on a single vendor, a simple API for querying compromised domains would handle it. Then the lastpass extension can call that api for a list of the user's domains and see if anything needs to be changed. Being more general (just giving out information about recently compromised sites) also seems more useful, in that people would do a lot of different things with it.