How-To Geek

11 Ways to Make Your LastPass Account Even More Secure

LastPass offers a lot of security options for locking down your account and protecting your valuable data. We’re fans of LastPass here at How-To Geek – it’s a great service that a lot of you already use.

You’ll find most of these options in your LastPass account settings dialog – either click here to access your account settings or log into your LastPass vault and click the Settings button in the sidebar.

Restrict Logins to Specific Countries

On the General tab, you’ll find an option to only allow logins from selected countries. For example, if you live in the United States, you can allow logins to your account only from the United States. If you travel, you can select other countries to allow logins from, too.


Disallow Logins From Tor

You’ll also find the option to disallow logins from the Tor network here. This option is automatically enabled if you haven’t logged into your account via Tor in the past 30 days.


Increase Password Iterations

You can also increase the Password Iterations (PBKDF2) value. Essentially, the more iterations you use, the longer it takes to check whether a candidate password is the correct one. A larger value will make the login process take longer (especially on slower platforms, such as older versions of Internet Explorer and mobile browsers), but brute-force attempts at cracking your password will be slowed by the same factor. LastPass recommends you use 500 password iterations and not exceed 1000.
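To make the trade-off concrete, here is an added example (not code from the article or from LastPass) that stretches a constructed master password with PBKDF2-HMAC-SHA256 at several iteration counts, times the login-side cost on the local machine, and estimates how much each count slows an offline guessing attack. Using the lower-cased email as the salt, the attacker’s hash rate and the candidate count are all assumptions made for illustration.

```python
import hashlib
import time

# Constructed sample credentials for the demonstration (not real account data).
EMAIL = "user@example.com"
MASTER_PASSWORD = "correct horse battery staple"


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Stretch the master password with PBKDF2-HMAC-SHA256 into a 32-byte key.

    Assumption: the lower-cased account email is used as the salt so that two
    users with the same master password still get different keys.
    """
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        email.lower().encode("utf-8"),
        iterations,
        dklen=32,
    )


def time_one_derivation(iterations: int) -> float:
    """Seconds for a single derivation on this machine: the cost paid at login."""
    start = time.perf_counter()
    derive_vault_key(MASTER_PASSWORD, EMAIL, iterations)
    return time.perf_counter() - start


def brute_force_seconds(iterations: int, candidates: int, hmacs_per_second: float) -> float:
    """Expected seconds for an attacker to try `candidates` guesses.

    Each guess costs `iterations` HMAC-SHA256 computations, so raising the
    iteration count scales the attacker's work linearly, just like the login.
    """
    return candidates * iterations / hmacs_per_second


if __name__ == "__main__":
    # Assumed attacker throughput (constructed figure): 1e9 HMAC-SHA256 per second,
    # trying 1e10 candidate passwords.
    for iters in (1, 500, 1000, 5000):
        login_ms = time_one_derivation(iters) * 1000
        attack_days = brute_force_seconds(iters, 10**10, 1e9) / 86400
        print(f"{iters:>5} iterations: login {login_ms:7.2f} ms, "
              f"10^10 guesses take {attack_days:8.3f} days")
```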


Set Up Two-Factor Authentication

Two-factor authentication is key for securing your LastPass account. Even if someone discovers your password, they’ll need more information to log in.

We’ve covered setting up two-factor authentication in LastPass before. Google Authenticator (for Android and iOS) and the printable grid are free to all users. Other forms of multifactor authentication, like the physical YubiKey device, require a LastPass premium subscription.

You can also disable the Permit Offline Access option on your two-factor authentication method’s setup screen. People won’t be able to use the data stored on your computer to access your vault without your two-factor authentication method, but you won’t be able to access your LastPass vault offline, either.


Restrict Mobile Access

You can restrict account access to only specific mobile device UUIDs – particularly helpful if your two-factor authentication method doesn’t work with mobile devices. Smartphones and tablets you’ve logged in with appear here – enable the check box and use the Enable link to control which devices are allowed. To add a new mobile device to the list, temporarily uncheck the check box and log in with the device.

If you never log in via mobile devices, you can disable mobile access entirely by enabling this checkbox and not allowing any exceptions.


Log Off Automatically

All the LastPass security settings in the world are no good if you leave LastPass logged in 24/7 and someone gains access to your computer. To help protect yourself, you can have LastPass automatically log out after a period of time – or when you close your browser.

If you use LastPass via the LastPass website or a browser bookmarklet, you can adjust the two auto-logoff timeout settings on the General tab in your account settings.


If you use a LastPass browser extension, you’ll find the appropriate options in your browser extension’s settings. For example, in LastPass for Chrome, click the LastPass icon on the toolbar and select Preferences.

You can have LastPass automatically log off after your computer is idle or when all your browser windows are closed.


Enable Security Notifications

On the Security tab, you can have LastPass notify you if your LastPass password ever changes, or if someone changes a website’s username or password in your LastPass vault. This can alert you to unauthorized access, should it ever occur.


Re-Prompt For Password

You can also have LastPass re-prompt you for your master password for certain actions, even if you’re logged in. People that gain access to your computer while you’re logged in won’t be able to perform any actions you restrict, but you’ll have to enter your LastPass master password additional times while using LastPass.


You can also enable the Require Password Reprompt setting on a per-site basis by editing one of the saved websites in your LastPass vault.


Use a Dedicated Security Email Address

For additional security, you can have LastPass send security-related emails to a special security email address instead of your normal email address. For example, password hint emails, account recovery emails, and multifactor authentication disable emails will all be sent here.

This email should be an extra-secure email address only you know about – if someone gains access to your day-to-day email account, they won’t be able to access your LastPass vault without access to your security email account.


Create One-Time Passwords to Log In From Untrusted Computers

If you’re using a public computer that you don’t necessarily trust, you can log in with a one-time password for increased security. These passwords are only good once – after you log in with one, it will never work again.

To generate one-time passwords, click your email address at the top-right corner of your LastPass vault and select One Time Passwords or click here to access the One Time Passwords page. From the page, you can generate one-time passwords and write them down.

While logging in, click the One Time Passwords button on the LastPass login page to access the one-time passwords page, where you can log in with a one-time password you’ve created.


The virtual keyboard can also help protect you against keyloggers – click the Show Keyboard link on the LastPass login screen to access it and type your password by clicking the buttons on your screen.

These two features won’t protect you against more sophisticated attacks, but they do help protect against standard keyloggers.


Take the LastPass Security Challenge

The LastPass security challenge analyzes your stored passwords and tells you what you can do to make your digital life more secure – for example, if you’re using duplicate passwords or weak passwords, LastPass will tell you about them. LastPass displays the strength of all your passwords in the results.

At the end of the challenge, you’ll get a security score and rank that you can compare to other users. To access the security challenge, click here or click the Security Check button at the left side of your LastPass vault.


Chris Hoffman is a technology writer and all-around computer geek. He's as at home using the Linux terminal as he is digging into the Windows registry. Connect with him on Google+.

  • Published 08/9/12

Comments (13)

  1. ti

    Freaking love LastPass and all the great ways you can secure sensitive info like this. This is why I use their service. My Google account + LastPass … both with 2factor == pure awesomeness. Soon enough, once Dropbox supports it too, I’ll have all my fav services as secure as I can get them.

  2. Xz!llA

    Thanks for this article=) I am now re-considering using LastPass again.

  3. Nathan

    What you fail to mention is that most of these options are only good if you have the paid version of LastPass.

    I have the free version and I can’t do any of these things.

  4. Stinky

    Awesome article! Thanks!

    I have the free version and was able to make all of the changes

  5. cam2644

    I’ve had the free version for some time and was able to make the changes I wanted. It’s a great service

  6. Kevin

    A little morbid but you also have to think about what your family is going to do should you kick the bucket. All these are fine security measures but if your family can’t get into it, they will struggle unnecessarily. I’m sure that is the last thing anyone wants to happen. Leave them instructions in your physical safe as I do. Only a few select people have the safe combo.

  7. George

    The only protection they need now is a physical attack one as if you are attacked for the password, unfortunately all these security measures become useless.

  8. Caroline

    I have an “Open This When I am Dead” file on the desktop of my home and office computer. It gives directions on where to find my LastPass master password. I wrote it down, put it in an envelope and placed it in a secure spot inside my condo. The first line in the file says, “Remember I have cats.” It then goes on to list where to find the will, tax receipts etc. Who to call. Who are my banker, lawyer etc. What recurring payments to expect. Etc. The file just keeps growing.

  9. Dark Reality

    Free account user, everything I tried worked.

    I have had problems with two-factor authentication in Gmail. “One-factor” is good enough for me. (I can’t remember the exact details of the problem I had. It was a giant PITA.)

    As for getting the password through coercion, that would not be a hard feature to implement. What you do is set a dummy password and remember that as well. Give the person the dummy password. Then you set the client up to contact authorities on your behalf if the dummy password is used, and then allow access, but track all changes, so if the person changes passwords, they can easily be changed back. But I think site owners (e.g. Facebook) need to support dummy passwords, so you would have a whole second set of dummy passwords maintained by LastPass. So if you login with the dummy password on Facebook, all your posts and changes get sandboxed — they show up (don’t want to tip the attacker off if he logs in as someone else) but can all be rolled back with one command when the real password is used. But security is always a cat and mouse game. We just try to stay ahead of most attacks to serve most people.

  10. Julie

    Please, Please add a “Logoff after X time period” to the browser extension for Dolphin Browser for Android. Please.

  11. Tim

    Lastpass is simply the best, most important, app I have ever used.
    If you don’t have it, get it. There is nothing better, period.

  12. ivan

    Very helpful summary of some important Lastpass elements.

    Big thanks!

    I’ve been using Lastpass Sesame (with an encrypted flash drive) for the past 3 years and it’s a killer combination. I might suggest adding one additional point. Well, it’s more of an important reminder really….

    Have a REALLY good, long, master password that is both impossible to easily guess and equally a challenge for those attempting a ‘brute force attack’.

    Thanks again…

  13. Barry49

    Last Pass doesn’t work right with Bank of America. Any suggestions?
