Why does my password strength and security score change?
LastPass uses the industry-standard zxcvbn library to assist in calculating each password's strength. As a result, your individual passwords' strength and your security score for all of your passwords in your vault may vary. Individual password strengths can be 0-25-50-75-100 while the security score can be anywhere between 0-100.
How is password strength calculated?
The password strength for each of the passwords in your vault are calculated using the
zxcvbn library, and provides results outlined in the table below.
Note: The password strength percentage displayed (when you view at-risk passwords in the Security Dashboard) may show a different value than those listed below if the password has been reused on multiple site password entries in your vault (e.g., if a very strong password has been reused on 3 separate password entries, the score will be 33% because a password strength score of 100% ÷ 3 = 33%).
| Password Strength | Score in zxcvbn | Password Strength in Vault |
|---|---|---|
| Very weak | 0 | 0% |
| Weak | 1 | 25% |
| Average | 2 | 50% |
| Strong | 3 | 75% |
| Very strong | 4 | 100% |
Password strength is displayed when you do any of the following:
- Create a new account
- Reset your master password
- Generate a secure password
- Add a new site password
- View your Security Dashboard, which includes your security score
- View your Password Security page to see at-risk passwords in your vault
- Access the Admin Console and view user details, security reports, and policies (for LastPass Teams and LastPass Business accounts only)
How is the security score calculated?
Your security score is a combined rating of how strong your passwords generally are – meaning their overall length and complexity – with the highest possible score being 100 points. However, in order to get a perfect score, you must have at least 50 site passwords stored in your LastPass vault.
Note: Federated login users are granted an automatic increase of 10% on their security score since multifactor authentication must be set up at the Identity Provider level (within AD FS, Azure AD, Okta, PingOne, PingFederate, Google Workspace, or OneLogin settings) and not at the LastPass level (within the Multifactor Options tab in the Account Settings of their vault).
Your security score is calculated using a scale that is outlined in the table below.
The following settings affect your overall security score:
| Rating | Security Score (Combining Various Factors) |
|---|---|
| Low | 0 ≤ X < 50 |
| Average | 50 ≤ X < 75 |
| High | 75 ≤ X < 100 |
| Highest | X = 100 |
- The total number of secure passwords you have stored in your vault – must have at least 50 passwords stored in order to pass with a perfect score of 100 points.
- Whether or not you have enabled multifactor authentication accounts for 10 points. Learn how to enable.
- Permitting offline access deducts 1 point.
- Allowing unrestricted mobile devices to access your vault deducts 1 point.
- Allowing trusted devices to skip multifactor authentication prompts deducts 1 point.
Note: Sites that manage their own password requirements (e.g., passwords are not permitted to be complex and/or lengthy, using a Pin code instead of a password, etc.) may be counted against users as "weak passwords" in their security score.