Reset a User's Master Password (Super Admin)

    LastPass admins can enable the "Permit super admins to reset master passwords" policy for their account to allow designated admins to reset a user's master password.

    Once the policy is enabled, a user's master password can be reset as long as the user has logged in to the LastPass browser extension at least once.

    Attention: The "Reset master password" option only becomes available after the user has logged out and logged back in using the LastPass browser extension. Logging in via the LastPass website at https://lastpass.com will not activate the "Reset master password" option for the admin.

    In the new Admin Console

    • Enable the policy.
      1. Enable the "Permit super admins to reset master passwords" policy.
    • User activates the policy.
      1. The user logs in via the LastPass browser extension, which activates the policy enabled in Step #1 above.

        Note: At this point during the process, the listed super admin will have the option in the new Admin Console to reset the master password for their selected user.

        Troubleshooting: The "Reset master password" option only becomes available after the user has logged out and logged back in using the LastPass browser extension. Logging in via the LastPass website at https://lastpass.com will not activate the "Reset master password" option for the admin. If your user is actively logged in to LastPass, you can force your user to log off.

    • Review important information.
      1. Before proceeding, please be aware of the following:

        Warning: When you reset a user's master password, any linked personal LastPass account of the user will automatically become de-linked from their company LastPass account. If desired, the user can link their personal account again.
        Warning: If the user whose master password you are resetting is a federated user, they will be converted to a non-federated user account upon reset. Before the user can be re-federated, they must log in using their new master password. Learn how they can become a federated user again without the risk of data loss using AD FS or PingFederate or using Azure AD, Okta, Google Workspace, PingOne, or OneLogin.

    • Reset the user's master password (as a Super Admin).
      1. Log in with your email address and master password to access the new Admin Console at https://admin.lastpass.com.
      2. If prompted, complete steps for multifactor authentication (if it is enabled for your account).
      3. Go to Users > User.
      4. Select your desired user.
      5. Select Reset master password.

      6. When prompted, enter your own master password, then select Submit.
      7. Enter a new master password for the user, then re-enter it to confirm.
      8. Optional: If desired, select Change the user's email, enter a new email address, then re-enter it to confirm (this will update their LastPass username).
      9. Optional: If desired, uncheck the Force password change on next login setting to disable it (this setting is enabled by default for security best practices).
      10. Click Close when finished.
    Results: You have reset your selected user's master password.

    In the old Admin Console

    1. Enable the "Permit super admins to reset master passwords" policy.
    2. The user logs in via the LastPass browser extension, which activates the policy enabled in Step #1 above.

      Note: At this point during the process, the listed super admin will have the option in the Admin Console to reset the master password for their selected user.

    3. Super admin resets the user's master password.

      Warning: When you reset a user's master password, any linked personal LastPass account of the user will automatically become delinked from their company LastPass account. If desired, the user can link their personal account again.
      Warning: If the user whose master password you are resetting is a federated user, they will be converted to a non-federated user account upon reset. Before the user can be re-federated, they must log in using their new master password. Learn how they can become a federated user again without the risk of data loss using AD FS or PingFederate or using Azure AD, Okta, Google Workspace, PingOne, or OneLogin.

      1. In the Admin Console, go to Users in the left menu.
      2. Click on the email address of the user, then click the More icon and select Reset Master Password.
      3. When prompted, click OK.
      4. Enter your own master password, then click Submit.
      5. Enter a new master password for the user, then re-enter it to confirm.
      6. If desired, you can click Change the user's email to also update their LastPass username.
      7. You can choose to uncheck the box to disable the Force password change on next login option, as it is enabled by default for security best practices.
      8. When finished, click Submit.
    Results: You have reset your selected user's master password.
    What to do next:
    Important: If you have been added as a super admin in your account's policies and do not see the "Super admin master password reset" option for a user, it may mean that the user has not yet logged out of their active LastPass session. You can force user log off, then advise them to log back in to their account via the LastPass browser extension (not the website). Once they have done so, you can refresh the User page in the Admin Console and try again.
    Important: If your LastPass Business organization is using federated login to provision new users (using AD FS, Azure AD, Okta, Google Workspace, PingOne, PingFederate, or OneLogin), then the master password used to log in to LastPass using their Identity Provider account is the password that is stored in their Identity Provider. If a federated user's master password is reset, they will be converted to non-federated user status upon reset. Before the user can be re-federated, they must log in using their new master password. Learn how they can become a federated user again without the risk of data loss using AD FS or PingFederate or using Azure AD, Okta, Google Workspace, PingOne, or OneLogin.