7 Ways to Make Your LastPass Account Even More Secure

So you know you should be using strong passwords to protect your online accounts. And you ran the LastPass Security Challenge to help you keep improving your passwords. But did you know there are even more security features in LastPass that can help you better protect your account and the data you store in it? Check out these seven security features, and challenge yourself to enable at least one today:

1. Lock Down Your Account with Multifactor Authentication

Multifactor authentication, or two-factor authentication, requires that a second piece of information be entered before allowing access to your account. This essentially creates another barrier to entry if someone’s trying to gain unauthorized access to your account.

LastPass supports 10 multifactor authentication options, so choose the one that works best for your workflow and enable it in your LastPass Settings in your vault. If you have a smartphone, we recommend checking out Duo Security, Toopher, or Google Authenticator. For LastPass Premium users, we recommend checking out the YubiKey.

2. Restrict Access to a Specific Country

Lock down your account by only allowing access from a specific country or countries. For example, if you only ever log in from the US, then you would restrict access to the US. Open the “Settings” menu in your LastPass vault to adjust your restrictions. If you plan to travel, just be sure to add any new countries before you leave, and remove them when you return!

3. Log Off Automatically When You’re No Longer Browsing

Keep your LastPass account safe from prying eyes by setting it to log off automatically. From the LastPass browser extension icon, you can launch the Preferences menu to enable the automatic logoff options. You can set LastPass to log off automatically after a set period of time when the browser is either closed or goes idle.

4. Reprompt for the Master Password

LastPass can also prompt you for your master password when you take specific actions (viewing a password, editing secure notes, etc.) or when you’re launching specific websites (such as banking or billing logins). The password prompts help protect your account from prying eyes, should someone start browsing while you’re still logged in to LastPass. Turn these prompts on in the LastPass Settings menu from your vault, or edit a specific login in your vault to reprompt on a site-by-site basis.

5. Monitor Account Activity with Security Notifications

LastPass can alert you to certain actions taken within your account, which can help you confirm changes you made as well as identify any unauthorized access to your data. In the Settings menu in your vault, go to the “Security” tab to manage your email preferences, where you can enable the alerts for master password changes, email address changes, site login username or password changes, and more.

6. Keep LastPass Activity Hidden with a Secret Email Address

Rather than have LastPass send critical account notifications to your primary email address, you can set up a secondary, secret email address that is only used as a security email for LastPass.

Once you add this email address in your Settings under the “Security” tab, any sensitive notifications, such as those for account recovery or disabling multifactor authentication, will be sent to the security email address rather than your primary email address. So even if someone gets access to your primary email address, they won’t be able to log in to LastPass if you’ve locked it down with a strong master password, multifactor authentication, and an obscure security email address.

7. Combat Keylogging with One Time Passwords

If you know you’ll be traveling or using an untrusted computer, such as one in a library, a hotel, or even at a friend’s, use a “throwaway” password to log in to your account. The throwaway password, or one time password, works exactly like it sounds – the password that’s generated for you can only be used to log in to your account once.

Generate the throwaway passwords by clicking the menu at the top right of your vault and launching the one time passwords page. You can generate as many as you need and print off the list to be carried with you. When you log in at www.LastPass.com you can choose the One Time Password login option, and type in one of the OTPs. This protects you from keylogging because you enter the secure one time password instead of your master password.

28 Comments

  • Anonymous says:

    #4 would be much easier to use if users were not forced to re-authenticate immediately after authenticating when they are going into LastPass to access a password with the “reprompt” setting enabled. It makes no sense to force the same credentials to be entered twice, in immediate succession. But I gave up hoping this would ever get fixed years ago, so I simply don’t use that setting any more. Fix it or stop suggesting it, LastPass.

    • Anonymous says:

      LastPass has a significant number of usability issues, but the LastPass company is just deaf to suggestions. I have concluded long ago that (a) they are not listening and (b) many of their staff cannot possibly be using their own product in earnest, or their internal feedback is being suppressed. Why is it that users see all these issues but that LastPass staff do not?

    • Anonymous says:

      Especially since this is such an easy feature to implement. I wonder much about their usability. Like why does the password prompt screen close in prompt if I fail to enter my very long master password incorrectly?

    • Amber Gott says:

      Thanks, this has been marked as a feature request and we do continue to work to improve the usability of these security features overall – appreciate the feedback!

  • Anonymous says:

    There needs to be an option for a third factor authentication. With only 2 factors, with one of them at least being something that a person in the same house as me can access (like, my phone) – it becomes necessary to either remember your password by heart (not easy), or write it down, which in this case exposes you to the snoopy roommate vector of attack completely. A third factor that is easy to remember (dare I say something personal that only you know) can protect you from snoopers with little effort.

    • Anonymous says:

      I agree, this would be a good idea. It could be a very flexible authentication option also. Even a 3-digit PIN or a short password is better than nothing at all.

    • Anonymous says:

      Use Authy and password protect your codes.

    • Amber Gott says:

      Thanks for the feedback, guys, we’ve submitted feedback to the product team and we’ll keep looking to improve the usability overall of these security features.

  • 2BlueSC says:

    What about disabling autologin?

  • Anonymous says:

    #3 would be a ton better if the setting was stored server-side. As it stands, the auto-logoff setting must be set manually in each browser (on each computer) that has the plugin installed.

    • Anonymous says:

      Yes. +1,000 for this.

    • Matt Arnold says:

      Totally agree on this as well!

    • diymoney says:

      Yes, I am a die-hard LastPass premium user and I have been wanting this for years. It baffles me that this feature isn’t available.

    • Mike Chu says:

      At least for the Chrome extension, it should just be a matter of using the chrome.storage API, I’d think. They might be trying to work out a cross-extension solution. In any event +1 for me too.

    • Anonymous says:

      I agree. I use multiple browsers on multiple computers and I have to change many LastPass options from their defaults so that LastPass does not get in my face and become a major distraction. I just really hate having to go through pages of options manually, time and time again. Please, please fix this so we can have all options set uniformly and centrally. This is a major disincentive to use LastPass the way it is currently.

    • Anonymous says:

      LastPass, are you reading this? What’s the hold-up on the feature?!

    • Amber Gott says:

      Thanks for the feedback, this has been submitted as a feature request for the dev team to consider.

  • Matt Arnold says:

    8. Use LastPass on a secure locked down computer like a Chromebook.

    • Anonymous says:

      Yes, because Chromebooks are impervious to malware, Windows 8 is just as insecure as Windows 95, and having all your data in the cloud is always the best idea.