product icon

Security Bulletin: Recommended Actions for Free, Premium, and Families Customers

    Overview

    When it comes to securing your LastPass vault, customers who make use of our default settings and follow our best practices are better protected against potential brute force attacks. So we’ve created this guide to help you confirm that you are following our best practices and respond to the recent LastPass security incident in a way that meets your personal needs.

    Note: To read the complete update on the security incident from our CEO, Karim Toubba, visit the LastPass blog.

    Do you need to act? Ask yourself these questions to decide:

    • Is your master password strong and unique?

      yes / no / unsure

    • Is your master password hash Iteration value set to at least 600,000?

      yes / no / unsure

    • Are the passwords in your vault all strong and unique?

      yes / no / unsure

    • Are you using multifactor authentication on LastPass and other important accounts?

      yes / no / unsure

    Did you answer no or unsure to any of these questions? If so, keep reading and please take the recommended actions until all answers are a yes.

    Topic 1: Your master password

    First and foremost, it’s important to create a strong and unique master password that’s at least 12 characters long, but ideally 16-20. As you may know, LastPass uses the master password and username to create a unique encryption key that keeps sensitive data from being exposed. The longer and more complex the master password, the stronger the encryption key. And without the encryption key, no one, including LastPass or bad actors, has access to unencrypted data in a user’s vault.

    We recommend using the following best practices when creating your master password:

    • Use a minimum of 12 characters, but longer is better
    • Use at least one of each upper case, lower case, numeric, symbols and special characters
    • Make sure it's unique (don't use it anywhere else)
    • Don't use personal information
    • To maximize your security use a randomly generated master password
      Tip: To generate a random password, use the LastPass Password Generator.
    Note: To LastPass Families customers: Make sure all members of your Families account follow these best practices. The safety of your shared items is determined by the person with the weakest master password.

    Task 1.1 (OPTIONAL): Reset master password

    Depending on the length and complexity of your master password and iteration count setting (Topic 2 below), you may want to reset your master password. To reset your master password, follow these instructions.

    Task 1.2: Ensure your master password isn't reused

    It’s impossible to exaggerate the importance of your master password and the need for it to be strong and unique. Your master password allows access to everything in your account: all site passwords, secure notes, form fill items, and more. It must be unique and never reused as a password on any other site. If your master password is reused on other sites and those sites are later compromised, you run the risk of your master password being exposed to threat actors.

    Recommendation:
    • Review the site passwords stored in your vault and ensure that your master password isn’t reused in any of them. If you detect reuse, change your master password following these instructions.

    Topic 2: Iteration counts for master password

    LastPass makes use of the Password Based Key Derivation Function (PBKDF2) which makes it harder for someone to guess your account password through a brute-force attack. Each round of PBKDF2 hashing converts your original input – the master password – into a unique encryption key using hashing. This type of hashing can’t be reversed. The more PBKDF2 iterations you apply, the more secure the encryption key will be and the harder it will be to guess.

    Task 2.1: Review and increase your master password iteration count settings

    Recommendation:
    • In January 2023, OWASP updated their recommended number of PBKDF2 iterations to 600,000. In response, we are raising our default minimum iterations count to 600,000. Please go into your account settings and change your iteration value to 600,000, as documented in this support article.

    From now on, all new users will have their iteration value set to 600,000 as a default.

    Note: If you’re using LastPass Free on mobile devices only, for now you should log into the web extension or web vault to change your iteration count, as outlined in this support article. You'll be able to change your iteration count directly in the mobile app in a future release.
    Note: In the coming months, we will be increasing the minimum required iterations value for existing customers to 600,000 rounds. When this change takes place, all newly created accounts will begin with the new minimum default of 600,000 rounds, and all existing accounts will be upgraded automatically to meet the new minimum value (no customer action required).

    Topic 3: Evaluate password hygiene

    There are numerous ways to determine the strength of the passwords in your vault. Ideally, these passwords are at least 12 characters in length and contain upper/lowercase characters, numbers, symbols and special characters. Ideally, you use a random password generator that can be used from the vault, extension, or from our website.

    Task 3.1: Review your overall password strength using the Security Dashboard

    The Security Dashboard, available in your LastPass vault, displays your security score, your dark web monitoring alerts, and all email addresses being monitored for involvement in third-party security incidents.

    Note: As of publication, the Security Dashboard is available only to Premium and Families subscribers. During the upcoming weeks we’ll be making this service available to Free users, as well, on both mobile and web.
    Recommendation:
    • Go to the Security Dashboard in your vault and review your security score. Your security score is calculated by evaluating the passwords in your vault.
    • To protect your accounts and maintain good password hygiene, change all passwords identified as unsafe (weak, reused). For further instructions, read this support article about the Security Dashboard.

    Task 3.2: Turn on dark web monitoring

    The dark web monitoring feature evaluates email addresses saved in your vault items. It alerts you immediately (via email notification, in the extension, and within the Security Dashboard) if any of your email addresses have been found in the database of credentials breached in third-party security incidents. This database contains emails and passwords of other websites that have been previously breached and potentially leaked onto the dark web for bad actors to abuse. If we detect compromised email addresses, we take you step-by-step through the process of changing your password for each site associated with a known third-party breach. Learn more about dark web monitoring.

    Note: As of publication, dark web monitoring is available only to Premium and Families subscribers. During the upcoming weeks, we'll be making this service available to Free users, as well, on both mobile and web.
    Recommendation:
    • Go to the Security Dashboard in your vault and turn on dark web monitoring
    • Take action per any resulting alerts

    Topic 4: Multifactor authentication (MFA) for your vault

    Multifactor authentication is an added layer of security that you can enable within LastPass. It forces a second step before you can gain access to your account. Enabling this security feature helps protect your account from keyloggers and other threats.

    Task 4.1: Enable MFA for your LastPass vault

    If you don’t have MFA enabled, we recommend enabling it as an extra layer of protection for your vault. Learn how to enable MFA.

    Task 4.2: Already using MFA? Regenerate your MFA shared secret

    If you already have enabled one of these MFA services, please regenerate your shared secrets in your LastPass account settings: LastPass Authenticator, Google Authenticator, Microsoft Authenticator, or Grid. Find instructions here:

    Task 4.3: Using the LastPass Authenticator to store additional TOTP codes

    If you are using the LastPass Authenticator to store TOTP codes for applications other than access to your LastPass vault (e.g. LinkedIn, Facebook, etc.) AND you have “Save accounts to the cloud” enabled, the TOTP seeds used to generate the six-digit TOTP codes in your LastPass Authenticator are backed up to your LastPass vault using zero knowledge.

    If you determined via Topic 1 and Topic 2 that either your master password strength or iteration count were insufficient, you may want to consider the following:
    1. Log in to the application using the existing TOTP codes from your LastPass Authenticator.
    2. Temporarily disable the 2FA/MFA configuration.
    3. Delete the TOTP entry in your LastPass Authenticator (instructions here).
    4. Re-enable 2FA/MFA configuration in the application, which will enable you to re-enroll your LastPass Authenticator.

    Thanks for your time and attention to these important matters. For further assistance, feel free to contact our team.