Security Score

Your security score is calculated automatically by evaluating all of your stored site passwords in your vault. If there are passwords that are considered unsafe (i.e., weak, reused, or missing), you are advised to change the site password in order to maintain good password hygiene. As more site passwords are added and evaluated, your security score updates and shows you how your passwords measure up with security best practices and prompts you to make any updates needed. Learn more about fixing at-risk passwords.

Note: LastPass uses the industry-standard zxcvbn library to assist in calculating each password's strength. As a result, your individual passwords' strength and your security score for all of your passwords in your vault may vary. Individual password strengths can be 0-25-50-75-100 percent (or a different value if the individual password is reused on multiple site password entries) while the security score can be anywhere between 0-100. Learn more about password strength and security score calculation.

Note: Federated login users are granted an automatic increase of 10% on their security score since multifactor authentication must be set up at the Identity Provider level (within AD FS, Azure AD, Okta, PingOne, PingFederate, Google Workspace, or OneLogin settings) and not at the LastPass level (within the Multifactor Options tab in the Account Settings of their vault).

Dark Web Monitoring

The dark web monitoring feature evaluates all of your stored email addresses for the items in your vault, and alerts you immediately – via email notification and within the Security Dashboard – if any of your email addresses have been found in the database of breached credentials. If you have compromised email addresses, you are guided through steps to change your password for the site associated with the breach. You can also manage the email addresses you want to exclude from being monitored. To get started, click Start monitoring in the dark web monitoring pane, and learn more about managing dark web monitoring alerts.

Restriction: If you have a LastPass Teams or LastPass Business account, the ability to perform these actions may be limited or prohibited due to policies enabled by your LastPass admin.

Note: Dark web monitoring evaluates the following number of emails depending on your LastPass Plan:

• LastPass Free: 10 email addresses
• LastPass Premium, Families, Teams, Business, or Trial: 200 email addresses

Note: For individually shared items, the email address associated can only be monitored within the sharer's Security Dashboard. For example, if you share a vault item that has a monitored email address, it will only be monitored within your own Security Dashboard. Alternatively, if a vault item is shared with you, then the email address will only be monitored within the sharer's Security Dashboard and not yours.

Additionally, shared folder items that have email addresses associated with the entries will not be monitored.

The LastPass Security Dashboard allows users to see an overview of the security of all their accounts in one place. This view is much easier to use and provides actionable steps to help users strengthen their online security.

The previous functionality, which was called the LastPass Security Challenge, required users to manually run a security scan every time they wanted to see the health of their accounts. Now, every time they open their Security Dashboard, their information is immediately available to them.

We’ve also introduced dark web monitoring, which allows users to monitor their email addresses for breaches. Previously, users could manually check if their email addresses had been compromised at that one point in time, but in the new experience their email addresses are being continually monitored. Users simply enable dark web monitoring once, and it will run in the background, making sure their information is secure. The new experience also provides alerts in the Security Dashboard and email notifications every time their email address is associated with a breach.