How do I run the Security Challenge for LastPass on my mobile device?
It can be overwhelming when you're trying to start improving your online security. LastPass can help by evaluating everything you've stored in your vault, checking for weak, duplicate, or compromised passwords. To do so, run the Security Challenge in the LastPass Password Manager mobile app, and learn about what each of these scores mean.
- Install and open the LastPass app for iOS or Android.
- Enter your email address and master password, then tap Log In.
- Select Security in the bottom toolbar.
- Tap Start the Challenge.
- A summary of your Security Challenge scores is displayed, which includes the following information:
- Your Score
This is a combined rating of how strong your passwords generally are, meaning their overall length and complexity, with the highest possible score being 100 points. However, in order to get a perfect score, you must have at least 50 passwords stored in your LastPass vault.
Note: LastPass uses the industry-standard zxcvbn library to assist in calculating each password's strength. As a result, your individual passwords' strength and your security score for all of your passwords in your vault may vary. Individual password strengths can be 0-25-50-75-100 percent (or a different value if the individual password is reused on multiple site password entries) while the security score can be anywhere between 0-100. Learn more about password strength and security score calculation.
The following settings affect your overall security score:
Note: Sites that manage their own password requirements (e.g., passwords are not permitted to be complex and/or lengthy, using a Pin code instead of a password, etc.) may be counted against users as "weak passwords" in their security score.
- The total amount of stored passwords you have – must be at least 50 passwords in order to pass with a perfect score of 100 points.
- Whether or not you have enabled Multifactor Authentication accounts for 10 points. Learn how to enable.
- Permitting offline access deducts 1 point.
- Allowing unrestricted mobile devices to access your vault deducts 1 point.
- Your Rank
- This compares your scores against all other LastPass users who have run the Security Challenge. You are placed in a percentile according to your current security score. The lower the number, the better your ranking.
- Number of sites scanned
- The total number of sites stored in your LastPass vault that were analyzed.
- Average password strength
- The sum of all password strengths divided by the total number of sites analyzed. Sites that do not have a password are excluded from this statistic.
- Average password length
- The sum of the number of characters of each password divided by the total number of sites analyzed. Sites that do not have a password are excluded from this statistic.
- Number of duplicate passwords
- The total number of unique passwords that are shared by at least 2 sites with different domains. Sites that do not have a password are excluded from this statistic.
- Number of sites having duplicate passwords
- The total number of sites that have at least one other site with a different 2nd level domain but with an identical password. Sites that do not have a password are excluded from this statistic.
- Number of weak passwords
- The total number of sites that have weak passwords. This includes any sites that have a duplicate password, any site whose password is susceptible to a dictionary attack, and any site whose password strength is less than 50%. Sites that do not have a password are excluded from this statistic.
- Number of blank passwords
- The total number of sites that have blank passwords.
- Overall secure usage count score
- Two points are awarded for each secure password found, up to a maximum of 100 points. The resulting number counts toward 10% of your overall score.
- Multifactor authentication score
- If you have a LastPass Multifactor Authentication scheme enabled, then you start off at 10 points. One point is deducted if you permit offline storage of your vault, another point is deducted if you allow mobile devices to access your vault, and a final point is deducted if you have any trusted devices that allow bypassing multifactor authentication.
- Your LastPass master password strength
- This rates how strong your master password is based on length and complexity.
- If desired, tap Details to view a list of sites that are categorized by the following:
- Sites that use the same password
- Sites that have unique passwords
- Sites with no password
How can I improve my security score?
- Eliminate duplicate passwords – View your detailed results, then visit each site that is listed with the same password in use and change the password to something long, unique, and complex. We recommend using the Generate Password feature.
- Eliminate weak passwords – View your detailed results, then visit each site that is listed as having a weak password in use and change the password to something long, unique, and complex. We recommend using the Generate Password feature.
- Stop storing passwords insecurely – If you are storing your passwords in any format that is unencrypted (e.g., web browser password manager, email, notepad, Google Docs, etc.), it is recommended that you use the import passwords feature to begin storing them in your LastPass vault.
- Start using a multifactor authentication scheme – Enabling and using multifactor authentication significantly increases the security of your account. Learn how to enable a multifactor authentication option.
- Re-run the LastPass Security Challenge on a routine basis – Keeping good password hygiene is a daily best practice. It is recommended that you re-run the Security Challenge every few weeks to stay on top of secure password storage.