If you use LastPass, you should take the Security Challenge. It will scan your vault for compromised, weak, reused, and old passwords and recommend passwords you should change. LastPass will give you a numerical security score, too.
Other password managers may have similar features, too. For example, 1Password has the Watchtower feature, which identifies problems like weak, reused, and compromised passwords and recommends passwords you should change.
How to Take the Security Challenge
If you’re a LastPass user, you can access the challenge via the browser extension, on the web, or in the mobile app.
In your web browser, click the LastPass browser extension icon and select Account Options > Security challenge. On the LastPass website, click “Security Challenge” at the bottom-left corner of your vault screen. In the mobile app, tap the “Security” tab and tap “Security challenge.”
LastPass will prompt you for your master password before analyzing your password vault for problems you can improve on.
Improve Your Master Password Score
The Master Password Score rates your master password “based on how long and complex it is.” It will also warn you if your master password matches a password in your vault—in other words if you’ve reused your master password on different websites. You shouldn’t do this—your master password should be unique. LastPass will warn you if your master password matches a password for an item in your vault when you start the challenge.
To boost your master password score, change your master password to be longer and stronger—and ensure it doesn’t match a password for a website that’s already in your vault. You must have a strong master password to protect all your other ones. LastPass has a guide on creating a strong master password.
Boost Your Score By 10% By Enabling 2FA
Here’s one easy way to boost your score: If you haven’t yet enabled multifactor authentication, you can increase your security score by 10% by doing so. Two-factor authentication protects your LastPass account from unauthorized access. Even if someone has your master password, they won’t be able to sign in without a code or physical key you have.
From your LastPass vault, select “Account Settings” and then click “Multifactor Options.” Many free options are available, including the LastPass Authenticator, Google Authenticator, and Microsoft Authenticator mobile apps. We recommend using LastPass Authenticator, which lets LastPass prompt you on your phone when you’re signing in. You can allow the sign-in with a quick tap.
Compromised, Weak, Reused, and Old Passwords
Under “Improve Your Score,” the LastPass Security Challenge will recommend which passwords you should change. There are four types of passwords: Compromised, weak, reused, and old. Don’t worry about the old passwords, though—they’re the least important thing LastPass warns about.
- Compromised Passwords: You should definitely change these. As LastPass puts it, “these passwords are at risk because of known data breaches elsewhere on the web.” LastPass tracks when websites experience breaches and, if you haven’t changed your passwords since a website experienced a problem, it recommends you change the password for that website in that specific section.
- Weak Passwords: Weak passwords are easy-to-guess passwords. For example, if you sign into a website with “password” or “letmein,” LastPass will display those as weak passwords and recommend you change them in this section. LastPass can automatically generate and remember strong passwords for you, and you should take advantage of that.
- Reused Passwords: Reusing passwords is extremely risky, as a leak at one website can leave your other websites open. Let’s say you sign in with the username “email@example.com” and the password “password” everywhere. If one site experiences a breach and your information gets out there, “hackers” can simply try signing into other websites with “firstname.lastname@example.org” and that password. Password managers like LastPass protect against this risk by automatically generating strong passwords and remembering them for you. Ensure you aren’t reusing the same password on more than one website in LastPass.
- Old Passwords: LastPass will also recommend you change old passwords to stay safe. This is the least important thing in the challenge. If you have some time, it might be worth changing website passwords—especially if they have older passwords that weren’t automatically generated by LastPass or if they’re passwords to critical accounts like your online banking. But feel free to skip over this section unless there’s a particularly important account you really want to protect, like your bank. Don’t feel compelled to change hundreds of old passwords just because LastPass says they’re old. We’ve noticed that old passwords often don’t bring your score down by much, anyway.
If you scroll down to the “All” section, you’ll see a list of websites sorted by password strength with the weakest passwords first.
Check Again to See Your Higher Score
Once you’ve addressed some of the issues LastPass points out, you can re-run the LastPass Security Challenge, and it will give you a higher score. To do so, refresh the web page and re-enter your master password. LastPass will rerun the scan.
Keep it up, and you’ll climb the ranks, getting to the coveted top 1% of LastPass users. Of course, there’s no reward for this beyond bragging rights and the assurance that your accounts are secure.
Don’t Obsess Over the Score
At the end of the day, the Security Challenge score is just a number to encourage you to improve your account security. LastPass displays this number in your vault and the mobile app, but it’s only a rough number.
For example, LastPass says it deducts points from your score for the following things:
One point is deducted if you permit offline access, another is deducted if you allow unrestricted mobile devices to access your vault, and a final point is deducted if you have any trusted devices that allow bypassing of multifactor authentication.
Sure, you could boost your score by removing offline access to your vault and forcing yourself to provide multifactor authentication every time you sign in on the same device, but is that a good idea? It’s pretty safe to allow offline access and skip two-factor authentication on trusted devices. And it’s handy to have access to your LastPass vault on your phone even when you don’t have Wi-Fi or a cellular data signal. Don’t feel pressured to change your settings just to make a numerical score go up.
For more information, read the LastPass Security Challenge guide.