LastPass offers a lot of security options for locking down your account and protecting your valuable data. We’re fans of LastPass here at How-To Geek – it’s a great service that a lot of you already use.
You’ll find most of these options in your LastPass account settings dialog: log into your LastPass vault and click the Settings button in the sidebar.
On the General tab, you’ll find an option to allow logins only from selected countries. For example, if you live in the United States, you can allow logins to your account only from the United States. If you travel, you can select other countries to allow logins from, too. LastPass decides the country from the IP address you log in from, so treat this as a coarse filter rather than a hard boundary: an attacker connecting through a proxy or VPN endpoint in an allowed country gets past it.
You’ll also find the option to disallow logins from the Tor network here. This option is automatically enabled if you haven’t logged into your account via Tor in the past 30 days.
You can also increase the Password Iterations (PBKDF2) value. LastPass runs your master password through PBKDF2 this many times to derive the key that unlocks your vault, so every iteration adds work both to each of your logins and to each guess an attacker makes against a stolen copy of your encrypted vault. A larger value will make the login process take longer (especially on slower platforms, such as older versions of Internet Explorer and mobile browsers), but brute-force attempts at cracking your master password are slowed by the same factor. LastPass recommends you use 500 password iterations and not exceed 1000.
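To make the trade-off concrete, here is an added example (not LastPass code, and not the article’s own) that derives a key with PBKDF2-HMAC-SHA256 at several iteration counts, times a single legitimate login, and then plays the attacker running a constructed wordlist against the derived key. The password, salt and wordlist are made up for the demo; the salt being a fixed per-account string is an assumption.

```python
import hashlib
import time

# Constructed demo values for this example, not real credentials.
MASTER_PASSWORD = b"correct horse battery staple"
ACCOUNT_SALT = b"user@example.com"   # assumption: a fixed per-account salt
KEY_LEN = 32                         # bytes of derived key material


def derive_key(password: bytes, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256. The iteration count is the tunable work factor:
    every login, and every attacker guess, pays for exactly this many rounds."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, KEY_LEN)


def time_one_derivation(iterations: int) -> float:
    """Seconds a single legitimate login spends deriving the key."""
    start = time.perf_counter()
    derive_key(MASTER_PASSWORD, ACCOUNT_SALT, iterations)
    return time.perf_counter() - start


def offline_guess(target_key: bytes, wordlist, salt: bytes, iterations: int):
    """Simulates an attacker holding a copy of the derived key (or anything
    encrypted under it) and trying candidates. Returns (hit, derivations)."""
    derivations = 0
    for candidate in wordlist:
        derivations += 1
        if derive_key(candidate, salt, iterations) == target_key:
            return candidate, derivations
    return None, derivations


if __name__ == "__main__":
    # Constructed wordlist; the real password is last so every entry is tried.
    wordlist = [b"password", b"123456", b"letmein", MASTER_PASSWORD]
    for iters in (500, 1000, 100_000):
        seconds = max(time_one_derivation(iters), 1e-9)
        key = derive_key(MASTER_PASSWORD, ACCOUNT_SALT, iters)
        hit, tried = offline_guess(key, wordlist, ACCOUNT_SALT, iters)
        print(f"{iters:>7} iterations: one login {seconds * 1000:7.2f} ms, "
              f"attacker needed {tried} derivations to find {hit!r}; "
              f"~{int(1 / seconds):,} guesses/s on this machine")
```

The point to notice is that doubling the iteration count doubles both numbers: your login takes twice as long, and the attacker’s guesses-per-second halves. The iteration count only buys time against an offline attack on a stolen vault; it does nothing against someone who phishes or keylogs the master password itself.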
Two-factor authentication is key for securing your LastPass account. Even if someone discovers your password, they’ll need more information to log in.
We’ve covered setting up two-factor authentication in LastPass before. Google Authenticator (for Android and iOS) and the printable grid are free to all users. Other forms of multifactor authentication, like the physical YubiKey device, require a LastPass premium subscription.
You can also disable the Permit Offline Access option on your two-factor authentication method’s setup screen. With offline access permitted, LastPass keeps an encrypted copy of your vault on your computer that can be unlocked with the master password alone. Disable it and someone who gets hold of that cached copy still needs your second factor to open it, but you won’t be able to access your LastPass vault without a network connection, either.
You can restrict account access to only specific mobile device UUIDs – particularly helpful if your two-factor authentication method doesn’t work with mobile devices. Smartphones and tablets you’ve logged in with appear here – enable the check box and use the Enable link to control which devices are allowed. To add a new mobile device to the list, temporarily uncheck the check box and log in with the device.
If you never log in via mobile devices, you can disable mobile access entirely by enabling this checkbox and not allowing any exceptions.
All the LastPass security settings in the world are no good if you leave LastPass logged in 24/7 and someone gains access to your computer. To help protect yourself, you can have LastPass automatically log out after a period of time – or when you close your browser.
If you use LastPass via the LastPass website or a browser bookmarklet, you can adjust the two auto-logoff timeout settings on the General tab in your account settings.
If you use a LastPass browser extension, you’ll find the appropriate options in your browser extension’s settings. For example, in LastPass for Chrome, click the LastPass icon on the toolbar and select Preferences.
You can have LastPass automatically log off after your computer is idle or when all your browser windows are closed.
On the Security tab, you can have LastPass notify you if your master password ever changes, or if someone changes a website’s username or password in your LastPass vault. This can alert you to unauthorized access, should it ever occur.
You can also have LastPass re-prompt you for your master password for certain actions, even if you’re logged in. People that gain access to your computer while you’re logged in won’t be able to perform any actions you restrict, but you’ll have to enter your LastPass master password additional times while using LastPass.
You can also enable the Require Password Reprompt setting on a per-site basis by editing one of the saved websites in your LastPass vault.
For additional security, you can have LastPass send security-related emails to a special security email address instead of your normal email address. For example, password hint emails, account recovery emails, and multifactor authentication disable emails will all be sent here.
This email should be an extra-secure email address only you know about – if someone gains access to your day-to-day email account, they won’t be able to access your LastPass vault without access to your security email account.
If you’re using a public computer that you don’t necessarily trust, you can log in with a one-time password for increased security. These passwords are only good once – after you log in with one, it will never work again.
To generate one-time passwords, click your email address at the top-right corner of your LastPass vault and select One Time Passwords. From that page, you can generate one-time passwords and write them down.
While logging in, click the One Time Passwords button on the LastPass login page to access the one-time passwords page, where you can log in with a one-time password you’ve created.
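The property that matters here is that a one-time password stops working the moment it is used, so a keylogger on the public computer captures something that is already worthless. The following added example (illustrative code, not LastPass’s implementation) shows the two halves of such a scheme: generating a printable batch of random passwords, and a store that keeps only their hashes and burns each one on first redemption. The alphabet, password length and batch size are choices made for the demo.

```python
import hashlib
import hmac
import secrets

# Alphabet without look-alike characters (no 0/o, 1/l/i), so a password
# written on paper can be read back reliably.
OTP_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def generate_otp_list(count: int, length: int = 10) -> list:
    """Client side: a fresh batch of random one-time passwords to print."""
    return ["".join(secrets.choice(OTP_ALPHABET) for _ in range(length))
            for _ in range(count)]


class OneTimePasswordStore:
    """Server side. Stores only hashes, and a hash is deleted the moment it is
    redeemed, so a password seen by a keylogger is useless afterwards."""

    def __init__(self, otps):
        self._unused = {self._digest(p) for p in otps}

    @staticmethod
    def _digest(otp: str) -> bytes:
        return hashlib.sha256(otp.encode()).digest()

    def redeem(self, attempt: str) -> bool:
        """True exactly once per valid password; False for replays or junk."""
        candidate = self._digest(attempt)
        matched = None
        # Compare against every stored hash without an early exit, so timing
        # does not reveal whether, or where in the set, a match occurred.
        for stored in self._unused:
            if hmac.compare_digest(stored, candidate):
                matched = stored
        if matched is None:
            return False
        self._unused.discard(matched)   # burn it: a second use fails
        return True

    def remaining(self) -> int:
        return len(self._unused)


if __name__ == "__main__":
    batch = generate_otp_list(3)
    store = OneTimePasswordStore(batch)
    print("Write these down:", batch)
    print("first use :", store.redeem(batch[0]))
    print("replay    :", store.redeem(batch[0]))
    print("unused    :", store.remaining())
```

Two design notes: the server never stores the passwords themselves, only digests, so a database leak doesn’t hand out valid logins; and because each password is random and at least ten characters from a 31-symbol alphabet, guessing one online is hopeless even without rate limiting, though a real deployment would still add it.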
The virtual keyboard can also help protect you against keyloggers – click the Show Keyboard link on the LastPass login screen to access it and type your password by clicking the buttons on your screen.
Neither feature protects you against more sophisticated attacks (malware that captures the screen, reads browser memory, or simply hijacks the session once you are logged in), and anything you view or fill in from the vault on a compromised computer is exposed regardless, but they do defeat a standard keystroke logger.
The LastPass security challenge analyzes your stored passwords and tells you what you can do to make your digital life more secure – for example, if you’re using duplicate passwords or weak passwords, LastPass will tell you about them. LastPass displays the strength of all your passwords in the results.
At the end of the challenge, you’ll get a security score and rank that you can compare to other users. To access the security challenge, click the Security Check button at the left side of your LastPass vault.