
LastPass Security Options

Introduction

In another blog post, we discussed the need for a password manager. We stopped short of recommending one, as that post was simply meant to make folks aware of the need. This post not only recommends LastPass as our password manager of choice, but also shows how to secure it better.

We believe LastPass is your best option, and we expect you will create an account too, because you take your online data seriously. You know that reusing passwords is a horrible idea. Each account should have a unique password, and no one should know that password; perhaps not even you.

Let’s take LastPass security to the next level. We are going to show you 26 ways to do this, each with a step-by-step outline.

  1. Use a Strong Master Password You Can Remember

LastPass forces you to create a master password when you set up your account. Because your Master Password is essentially the password for all your other passwords, it should be very strong. Since you have a password manager, this is the only password you need to remember.

How to Set Up a Strong Password That is Easy to Remember

There are some great tips in this article for making strong passwords that are easy to remember. Here is an example of a very strong password built from a quote:

Create a sentence using a quote:

Perhaps a Beatles reference:

Yesterday, all my troubles seemed so far away / Now it looks as though they’re here to stay / Oh, I believe in yesterday


which in password form converts to

Y,amtssfaNilatth2s/O,Ibiy


That is a very strong password. And it is quite easy to remember. Using these tricks is a great way of creating a strong Master Password for your LastPass account.

  2. Add a Yubikey for Two-Factor Authentication

Yubikeys are one of the most important security measures you can add to your LastPass account. You should add a Yubikey to every online account that will let you.

What is a Yubikey?

A Yubikey is a hardware authenticator, also called a USB security key. It does the same job as an authenticator app such as Google Authenticator. Instead of typing a six-digit code when you log in to an account, you insert the key into a USB port on your device and press its button.

You can see what that request looks like here:

That is why it is called a hardware authenticator: you need the physical device with you to log in to your account, so nobody can log in unless they have your Yubikey. You can purchase a Yubikey here.

You can also set up your Yubikey to be your second-factor authentication on your iOS and Android devices.

  3. Disable SMS Account Recovery on LastPass

LastPass offers SMS account recovery, but we highly recommend disabling it. To do so, open Account Settings and go to the “General” tab (the first tab).

Scroll down to the very bottom, and you will see a section called “SMS account recovery”.

Disable this method. A better option is to use your Yubikey or an Authenticator app as a second factor on your email account. Then create a new strong password that you can memorize for your email account.

  4. Don’t Reuse Your Master Password Elsewhere

Warning: This should go without saying, but it will be said anyway: DO NOT USE YOUR MASTER PASSWORD FOR LastPass ANYWHERE ELSE!

The whole point of using LastPass in the first place is so you don’t need to re-use passwords ever. You should let LastPass generate passwords randomly for all your other online accounts.

  5. Don’t Save Your Master Password Anywhere

LastPass has made it abundantly clear that they do not know your Master Password, so there is no way for them to recover it if you forget it. That, however, does not mean you should write it down! Remember, it holds the keys to your digital kingdom, so do not record your master password anywhere, especially not on a device that ever connects to the internet.

  6. Use a VPN on a Public (Unsecured) Internet Connection

It is usually a good idea to avoid public WiFi. There is no way to tell how secure the network is, nor whether it has been compromised so that someone can watch everything you are doing. This is especially dangerous if you must log in to sensitive accounts over public WiFi, and no account is more sensitive than your LastPass account. It stores all your other passwords, after all.

If you must use public WiFi, and you must log in to LastPass, then do it while connected to a VPN. A VPN allows you some nice privacy and security features in this situation.

Most important among them is an encrypted connection. Anyone who is eavesdropping on the local network will not be able to see your communication with LastPass. This means that your account should remain secure even if the network isn’t.

  7. Set Up Re-prompts for Master Password

Re-prompts force LastPass to require your master password for certain actions. For instance, if a setting in your LastPass account changes, a re-prompt forces you to enter your master password again to confirm the change.

Select Account Settings:

Select “Show Advanced Settings”

Scroll down to “Alerts” and look for “Re-prompt for Master Password”.

There are multiple options here, and which ones you choose will depend on how intrusive you want LastPass to be. The most secure choice is to select all of them (as I have). If you choose to do the same, be prepared to enter your master password A LOT.

If you want a less intrusive experience, you may be willing to give up a little account security. It’s up to you.

If you only want this level of security on specific sites, you can also set that up too.

  8. Set Up Account Activity Notifications

If someone ever attempts to log in to your LastPass account, you will want to know about it. There is a way to set up notifications so you always know when someone is trying to attack you.

How to Set Up Activity Notifications in LastPass:

Open “Account Settings”

You will be in the “General” tab (the first tab). Scroll down until you see a “Links” row under “Account Information”, and select “Email Subscriptions”

Tick all the site notification boxes. Then tick the box that says you don’t want to receive promo emails from LastPass (if you don’t want marketing email from them).

Now click “Update”.

You will now receive emails anytime a major activity happens on your account…whether you did it or not.

  9. Restrict Mobile Access

You may want to add extra protection to your LastPass account by restricting new mobile devices from being added to the account.

This stops attackers from adding their own devices to your account if they find your username and master password.

How to Restrict Mobile Devices from Your LastPass Account:

Open “Account Settings”

Select the “Mobile Devices” tab and select “Enable” at the bottom.

This option tells LastPass to give account access only to mobile devices that you approve on this screen. If it were disabled, anyone with your username and password could install LastPass and log in to your account.

Now that you have enabled this option, you will need to approve any new devices on this page. If you want to add a new mobile device of your own, this is how you will do it.

Warning: What if you see a device you do not recognize trying to gain access? Deny it!

How to Deny an Authorization for a Mobile Device in LastPass

In the “Access” column next to the device you do not recognize, open the dropdown and select “Denied”.

You will then be asked to confirm if you want to end any current sessions. Select Yes.

This will also log you out of LastPass. Do not be alarmed. This does not mean you have kicked yourself out of your account. LastPass is just being cautious and ending everyone’s session. You can now just log back in.

  10. Take the LastPass Security Challenge

LastPass has created a checklist for you to run through that will help maximize the security of your account. You can find that checklist under the “Security Challenge” tab just above “Account Settings”.

A few of the items on that list will match the ones covered here, but our list goes well beyond it, so this step may not be necessary.

  11. Hide LastPass Activity with a Secret Email Address

To keep this information hidden, LastPass lets you set up a secret email address: a separate mailbox used only for LastPass security messages. Because none of that LastPass correspondence sits in your primary inbox, a leak or hack of the primary account reveals nothing about your vault.

To set up a secret email, log in to your LastPass account, open the Security menu and find Settings. There you will see the security email field where you can enter the secret address. Click the test email link to confirm everything is set up properly and you are all set.

  12. Disable Logins from Unknown Devices

This feature protects your information from access by unidentified devices. To enable it, log in to your LastPass account > Account Settings > Devices. Here you will see a list of all the devices that have used your LastPass account, and you can enable or disable each device’s access to your account.

  13. Set Automatic Logouts

The automatic logout is useful when working on a device where there is a chance of other people using it. To enable this function, access the LastPass extension in your browser > Preferences > General. Check the box “Log Out when all browsers are closed”. Also, check “Log out after this many minutes of inactivity (minutes)”. Then save the changes and restart your browser for the changes to take effect.

  14. Use One-Time Passwords

The one-time password (OTP) works like a throwaway password. It is handy on a device you don’t trust: a public computer in an internet cafe or library, or even someone else’s computer. Because you never type your master password on that machine, an OTP also keeps a keylogger from capturing it.

There is a separate page in the LastPass menu where you can generate as many OTPs as you need. Print them out and use them when logging in from a non-trusted device; each one works only once.
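To make the “throwaway” property concrete, here is an added Python example (not LastPass’s own code, which the page does not show) of how a service can issue a batch of one-time passwords and accept each exactly once. The alphabet, OTP length and the hash-only ledger are illustrative choices; the point it demonstrates is that an OTP captured by a keylogger is worthless after its single use.

```python
import hashlib
import hmac
import secrets

# Characters chosen to avoid look-alikes (no 0/O, 1/l/I) so printed OTPs
# are easy to type back in. This alphabet is a constructed choice.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def generate_otps(count: int, length: int = 12) -> list[str]:
    """Issue `count` random one-time passwords for the user to print out."""
    return [
        "".join(secrets.choice(ALPHABET) for _ in range(length))
        for _ in range(count)
    ]


def _digest(otp: str) -> str:
    """Store only a hash, so a copy of the ledger does not leak usable OTPs."""
    return hashlib.sha256(otp.encode("utf-8")).hexdigest()


class OneTimePasswordStore:
    """Service-side ledger: each OTP is accepted exactly once, then burned."""

    def __init__(self, issued: list[str]) -> None:
        self._unused = {_digest(otp) for otp in issued}
        self._spent: set[str] = set()

    def redeem(self, candidate: str) -> bool:
        """Accept an unused OTP once; reject replays and anything never issued."""
        digest = _digest(candidate)
        # Constant-time comparison against each stored digest, so response
        # timing does not reveal how much of a guess matched.
        for stored in list(self._unused):
            if hmac.compare_digest(stored, digest):
                self._unused.discard(stored)
                self._spent.add(stored)
                return True
        return False

    def remaining(self) -> int:
        """How many issued OTPs are still usable."""
        return len(self._unused)


if __name__ == "__main__":
    batch = generate_otps(3)
    ledger = OneTimePasswordStore(batch)
    print("issued:", batch)
    print("first use accepted:", ledger.redeem(batch[0]))
    print("replay of the same OTP (what a keylogger would have captured):",
          ledger.redeem(batch[0]))
    print("unused OTPs left:", ledger.remaining())
```

Run it and the second `redeem` of the same value returns `False`: the captured credential has already been spent, which is exactly why an OTP is safe to type on an untrusted machine while the master password is not.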

  15. Increase Password Iterations

The password iteration count is the number of rounds of hashing LastPass applies to your master password when checking whether it is correct. The recommendation is to set this value to 5000 or more, but note that the higher the value, the longer each login will take (and, equally, the longer each guess by an attacker takes).

To set password iterations: Account Settings > General > Show advanced settings > Security. Scroll down the list until you see Password Iterations, where you can change this number.
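The following Python script is an added example (not LastPass’s own code, which the page does not show) of what an iteration count means in practice: it stretches a master password with PBKDF2-HMAC-SHA256, using the account email as salt, times the derivation at several counts, and checks an attempt against a stored key in constant time. The choice of KDF, the email-as-salt convention, the sample email and the iteration counts are assumptions for illustration; LastPass’s actual parameters are not stated on the page.

```python
import hashlib
import hmac
import time

# Constructed sample inputs; the email-as-salt convention is an assumption.
EMAIL = "user@example.com"
MASTER_PASSWORD = "Y,amtssfaNilatth2s/O,Ibiy"  # the page's sample password


def derive_key(master_password: str, email: str, iterations: int) -> bytes:
    """Stretch the master password with PBKDF2-HMAC-SHA256 into a 32-byte key.

    The salt is the lower-cased email: not secret, but unique per account, so
    two users with the same password still get different keys.
    """
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        email.lower().encode("utf-8"),
        iterations,
        dklen=32,
    )


def verify(stored_key: bytes, attempt: str, email: str, iterations: int) -> bool:
    """Check a login attempt by re-deriving and comparing in constant time."""
    candidate = derive_key(attempt, email, iterations)
    return hmac.compare_digest(stored_key, candidate)


def time_derivation(iterations: int, rounds: int = 3) -> float:
    """Median wall-clock seconds for one derivation at this iteration count."""
    samples = []
    for _ in range(rounds):
        start = time.perf_counter()
        derive_key(MASTER_PASSWORD, EMAIL, iterations)
        samples.append(time.perf_counter() - start)
    samples.sort()
    return samples[len(samples) // 2]


def guesses_per_second(iterations: int) -> float:
    """Guesses one CPU core could test per second if each guess must pay the
    same derivation cost as a legitimate login (the cost the count buys you)."""
    return 1.0 / time_derivation(iterations)


if __name__ == "__main__":
    stored = derive_key(MASTER_PASSWORD, EMAIL, 5000)
    print("correct password accepted:", verify(stored, MASTER_PASSWORD, EMAIL, 5000))
    print("wrong password accepted:  ", verify(stored, "password123", EMAIL, 5000))
    for iters in (500, 5000, 100_000):
        secs = time_derivation(iters)
        print(f"{iters:>7} iterations: {secs * 1000:8.2f} ms per login, "
              f"~{1 / secs:,.0f} guesses/s on this core")
```

The printed table shows the cost rising linearly with the count: raising iterations from 500 to 5000 makes your login roughly ten times slower, but it also cuts the number of master-password guesses an attacker with a copy of your vault can try per second by the same factor, which is the trade-off the page describes.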

  16. Disable Logins from Specific Locations

LastPass lets you restrict logins by country, so your account can be accessed only from the countries you select under Country Restrictions. The list of countries is under Settings > General > Show Advanced Settings.

Click the “Only allow access from selected countries” and check the countries you want. As always, click on the Update button to save the changes and you are all set.

  17. Disable Logins Over Tor

The Onion Router (Tor) is a network that relays traffic through many hops to anonymize it. However secure that may seem, it is also a favored channel for hackers and other online attackers.

To prevent logins from Tor, go to Account Settings > General > Show Advanced Settings. In the list you’ll see the Tor Networks box. Uncheck it, and you will no longer be able to log in to your LastPass Vault from the Tor network.

  18. Use the On-Screen Keyboard

A keylogger captures keystrokes but not mouse clicks. On a computer you do not trust, you can use the virtual keyboard provided by LastPass instead of the physical one. (Malware that captures the screen can still observe what you click, so this lowers the risk rather than eliminating it.)

You can enter your email and Master Password without ever touching the keyboard, so a keylogger never gets the chance to record the characters in your email and password.

When logging in to your LastPass account, you’ll see a small keyboard sign next to the password bar. Click on it and a virtual keyboard will be shown that you use with your mouse.

  19. Uncheck Remember Email and Password

This is pretty self-explanatory. Every time you log in to your account from an untrusted device, make sure to uncheck “Remember Email and Password”. Note that this option is disabled when logging in to an account from an untrusted device.

  20. Disable Master Password Reminder

The Master Password Reminder is a hint you wrote to jog your memory of your Master Password; LastPass itself DOES NOT store your Master Password.

Log in to your LastPass account > General settings > Login Credentials. You will see the Master Password Reminder option; click the View button to see what you’ve entered. If you disable it, there is nothing that could point an attacker toward your Master Password.

  21. Set Lock Options to “Immediately”

When not in use, the LastPass app locks after a set amount of time. For the best protection, set the lock time to “Immediately”, so the moment you are inactive your LastPass vault locks.

To regain access, you’ll need to enter your Master Password. To set this, go to Account Settings > Show Advanced Settings > Security > Lock Options. Set the toggle to Immediately and you are all set.

  22. Set Clear Clipboard to 30 Seconds

The LastPass clipboard clears after a set amount of time. This protects your sensitive data after you copy and paste it into online forms. Set Clear Clipboard to a short interval such as 30 seconds; that gives you enough time to paste the data where you need it.

To do this, first install the binary component in your app, then go to Account Options > Advanced. Check the box “Clear Clipboard after use (seconds)” and set the time to 30 seconds.

  23. Set Default Search Engine to Start Page

Set your default search engine so the login is shared between all the browsers where the plugin is installed. To check this option, open Preferences > Advanced and look at which Default Search Engine is selected.

Conclusion

LastPass does everything in its power to ensure your passwords are well protected. The only weak link is the actual user of the LastPass service. To be safe, follow the suggestions outlined above, and above all, create a strong Master Password.

Only then can you save yourself the headache of remembering a lot of passwords. Go freely about your life while LastPass takes care of your sensitive info.
