Why did my LastPass extension just warn me that I was reusing my master password elsewhere?

    This is a security feature implemented to help prevent phishing, and only works on machines where you have successfully logged in to the LastPass browser extension. This feature takes action whether you are logged in to the extension or not.

    Your master password is a key part of your security. That means that whatever you choose, it should be unique to LastPass because once you share it with another website – if that website were to ever have a security incident or if you were to be lured into a phishing attack – you could unknowingly reveal your master password. Though we have other protections in place to protect your account, this significantly reduces the security of your LastPass vault and everything you've stored in it.

    LastPass will detect if you enter your master password on a non-LastPass page and will display a strong warning, even before you submit it to the page. You will know immediately that your master password may have been compromised and can change it.

    How do you know my master password if you can't detect it?

    LastPass uses a hash of the master password and compares that with a hash of the text entered on the webpage. We run it through the same local PBKDF2 hashing rounds you've chosen for your account, so offline attacks are limited in the same way as for your local copy of the vault.
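The comparison described above can be sketched as follows. This is an added example, not LastPass code: the salt handling, round count, trusted-host list and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from urllib.parse import urlsplit

# Assumptions for this sketch (not taken from LastPass): salt handling,
# the round count and the trusted-host list are constructed values.
ROUNDS = 50_000
TRUSTED_HOSTS = {"lastpass.com"}


def derive(text: str, salt: bytes, rounds: int = ROUNDS) -> bytes:
    """PBKDF2-HMAC-SHA256 of the text; the cleartext is never stored."""
    return hashlib.pbkdf2_hmac("sha256", text.encode("utf-8"), salt, rounds)


def enroll(master_password: str) -> dict:
    """Run once after a successful login; keeps only salt, rounds, digest."""
    salt = os.urandom(16)
    return {"salt": salt, "rounds": ROUNDS,
            "digest": derive(master_password, salt)}


def is_trusted(page_url: str) -> bool:
    """Exact host or subdomain match, so look-alike hosts are not trusted."""
    host = (urlsplit(page_url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in TRUSTED_HOSTS)


def should_warn(record: dict, page_url: str, field_value: str) -> bool:
    """True when text typed into a non-trusted page matches the digest."""
    if is_trusted(page_url) or not field_value:
        return False
    candidate = derive(field_value, record["salt"], record["rounds"])
    # Constant-time comparison of the two derived digests.
    return hmac.compare_digest(candidate, record["digest"])


def first_warning_keystroke(record: dict, page_url: str, typed: str):
    """Replay typing one character at a time and return the keystroke
    count at which the warning fires (before any submit), or None."""
    for n in range(1, len(typed) + 1):
        if should_warn(record, page_url, typed[:n]):
            return n
    return None


if __name__ == "__main__":
    rec = enroll("correct horse battery")        # constructed sample password
    url = "https://login.example.test/signin"    # constructed non-LastPass page
    print(first_warning_keystroke(rec, url, "correct horse battery!"))
```

Because only the salt, round count and derived digest are kept, anyone who copies the record still has to pay the full PBKDF2 cost for every guess.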

    But doesn't this mean that, should someone compromise my computer, they could get my master password? 

    If your computer is compromised, LastPass (or any other software, including all existing anti-virus) cannot protect you. However, keeping a clean machine and avoiding behaviors that could lead to malware are also key to protecting your device and your LastPass account.