About Password Iterations

    To increase the security of your master password, LastPass uses a stronger-than-typical configuration of the Password-Based Key Derivation Function 2 (PBKDF2). At its most basic, PBKDF2 is a "password-strengthening algorithm": it makes it computationally expensive for a computer to test whether any one candidate password is the correct master password, which slows an attacker down during an attack.

    LastPass uses PBKDF2 with SHA-256 as its underlying hash to turn your master password into your encryption key. LastPass performs a customizable number of rounds of the function to create the encryption key, and then performs a single additional round of PBKDF2 to create your login hash.

    The entire process is conducted client-side. Only the resulting login hash is sent to LastPass, never the master password or the encryption key. LastPass uses the hash to verify that you are entering the correct master password when logging in to your account.

    LastPass also performs a large number of rounds of PBKDF2 server-side. This implementation of PBKDF2 client-side and server-side ensures that the two pieces of your data – the part that’s stored offline locally and the part that’s stored online on LastPass servers – are thoroughly protected.
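    The two-stage derivation described above, as an added illustration in Python (this is example code written for this page, not LastPass's own implementation). The page does not state which salts are used, so salting the key derivation with the username, salting the extra round with the master password, the 32-byte key length and the server-side round count are all assumptions made for the example.

```python
import hashlib
import hmac

DEFAULT_ITERATIONS = 600_000   # the page's default minimum for client-side rounds
SERVER_ITERATIONS = 100_000    # assumption: the page gives no server-side figure
KEY_LEN = 32                   # assumption: 256-bit encryption key


def derive_encryption_key(master_password: str, username: str,
                          iterations: int = DEFAULT_ITERATIONS) -> bytes:
    """Client-side step 1: N rounds of PBKDF2-HMAC-SHA256 over the master password.
    Salting with the username is an assumption for this example."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               username.encode("utf-8"), iterations, dklen=KEY_LEN)


def derive_login_hash(encryption_key: bytes, master_password: str) -> bytes:
    """Client-side step 2: one additional PBKDF2 round over the key.
    Using the master password as the salt here is also an assumption."""
    return hashlib.pbkdf2_hmac("sha256", encryption_key,
                               master_password.encode("utf-8"), 1, dklen=KEY_LEN)


def client_login_material(master_password: str, username: str,
                          iterations: int = DEFAULT_ITERATIONS) -> tuple[bytes, bytes]:
    """Everything the client computes. The key stays local; only the hash is sent."""
    key = derive_encryption_key(master_password, username, iterations)
    return key, derive_login_hash(key, master_password)


def server_store(login_hash: bytes, server_salt: bytes,
                 iterations: int = SERVER_ITERATIONS) -> bytes:
    """Server side: strengthen the received login hash with more PBKDF2 rounds before
    storing it, so a stolen server record still cannot be replayed as a login hash."""
    return hashlib.pbkdf2_hmac("sha256", login_hash, server_salt, iterations, dklen=KEY_LEN)


def server_verify(stored: bytes, presented_login_hash: bytes, server_salt: bytes,
                  iterations: int = SERVER_ITERATIONS) -> bool:
    """Recompute the server-side strengthening and compare in constant time."""
    candidate = server_store(presented_login_hash, server_salt, iterations)
    return hmac.compare_digest(stored, candidate)


if __name__ == "__main__":
    # Constructed sample values; no real account data.
    key, login_hash = client_login_material("correct horse battery", "user@example.test")
    record = server_store(login_hash, b"constructed-server-salt")
    print("key:", key.hex())             # never leaves the client
    print("login hash:", login_hash.hex())
    print("login ok:", server_verify(record, login_hash, b"constructed-server-salt"))
```

Note that the server learns only the login hash, which is a one-way function of the key, so the server record alone does not yield the encryption key; raising the client-side iteration count raises the per-guess cost for anyone testing candidate master passwords offline.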

    The default minimum number of password iterations is 600,000 rounds (for new accounts and those who update their existing iteration count).

    LastPass allows you to customize the number of rounds performed during the client-side encryption process in your Account Settings.
    Remember: All new users added via the LastPass API start with the default password iterations value of 600,000 rounds. Users can increase their password iterations value within their Account Settings if they wish and if policy permits it.
    Attention: LastPass Free users who have selected "Mobile" as their active device type can still change their password iterations by logging in from a desktop (via the LastPass website or the LastPass browser extension), and they will not be required to switch their active device type. Upon login, select Dismiss or close out of the "0 device switches left" messaging, then navigate to your Account Settings to update.