Last week, security researchers Martin Vigo and Alberto Garcia demonstrated how a compromised machine could potentially put a LastPass account at risk. The good news is their research was first reported to us over a year ago, and our team took immediate action to implement additional protections. We value and welcome research that helps us improve and strengthen LastPass. We have implemented new security options, such as expiring trusted devices every 30 days on browsers and mobile apps, strengthening account recovery with an SMS recovery option, and more clearly warning against using “remember password.”
Though we continue to do everything in our power to fortify LastPass, we also believe in helping LastPass users better understand not only the security options we offer, but also how they can best protect their devices from malware and other threats.
Here are our recommendations for keeping LastPass, and your technology, safer:
- Use “remember master password” features with caution. If you are at all concerned about the scenario of malware compromising your computer, simply do not use this option.
- Install the binary version of LastPass. Running the “binary” version of LastPass does provide additional protection. The “binary” component allows us to add more security and functionality by communicating directly with the operating system. Check LastPass Icon > Tools > About; if binary status is “false”, use the button to activate it, or download LastPass with the full installer.
- Use SMS recovery. This adds an additional layer of protection by requiring another verification step before the master password can be reset on your LastPass account.
- Turn on two-factor authentication. Even if someone steals your master password, they still can’t get to your account without the additional two-factor authentication data.
- Increase your password iterations to 5,000 or more. We can incrementally improve security by increasing the number of iterations used to strengthen the encryption for user accounts. Check in the “Account Settings” panel from your LastPass vault, and ensure it’s been increased to 5,000. This also happens automatically if you update your master password.
- Disable account recovery, if preferred. Turn it off in the Preferences menu of the LastPass browser extension (this must be done in each browser) or with an organization-wide security policy if using LastPass Enterprise.
- Use a security email address. If you do not wish to use SMS recovery but also want to mitigate the risk of someone compromising your email account, set a secondary, “security” email address in Account Settings. Emails for account recovery or disabling multifactor authentication will be sent there, instead of your primary account email.
- Restrict access to trusted countries. In your Account Settings, ensure you restrict access to only the location(s) where you regularly access LastPass.
- Disable TOR access. TOR is used to communicate anonymously on the Internet, so it is often used by hackers. Disable access from TOR in your LastPass Account Settings.
- Follow good security practices:
  - Use a unique, strong master password. Never reuse your master password, ever.
  - Keep a clean machine by regularly running antivirus.
  - Keep software up to date, including browsers and extensions.
  - Watch for phishing and social engineering attacks.
  - Don’t download apps, documents, or extensions from untrusted people, or even from trusted people if it seems out of the blue or out of context.
- Use the LastPass Security Challenge to eliminate duplicate passwords and improve your password security.
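To show what the “password iterations” setting above actually buys you, here is an added example (not LastPass code; the post does not name its key derivation function, so PBKDF2-HMAC-SHA256 and the use of the lowercased account email as salt are assumptions for illustration). It writes the derivation out step by step so the iteration count is visible as the number of HMAC computations anyone, including an attacker guessing master passwords, must perform per guess.

```python
import hashlib
import hmac
import struct


def pbkdf2_sha256(password: bytes, salt: bytes, iterations: int, dklen: int = 32) -> bytes:
    """PBKDF2-HMAC-SHA256 written out (RFC 8018, section 5.2).

    Each block T_i = U_1 xor U_2 xor ... xor U_c, where U_1 = HMAC(P, S || INT(i))
    and U_j = HMAC(P, U_{j-1}). The iteration count c is therefore the number of
    HMAC calls per block; raising it from 500 to 5,000 makes every password
    guess ten times more expensive for an attacker, and barely noticeable for
    a user who derives the key once per login.
    """
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    hlen = hashlib.sha256().digest_size
    blocks = -(-dklen // hlen)  # ceiling division: number of T_i blocks needed
    out = bytearray()
    for i in range(1, blocks + 1):
        u = hmac.new(password, salt + struct.pack(">I", i), hashlib.sha256).digest()
        t = int.from_bytes(u, "big")
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hashlib.sha256).digest()
            t ^= int.from_bytes(u, "big")
        out += t.to_bytes(hlen, "big")
    return bytes(out[:dklen])


def derive_vault_key(master_password: str, account_email: str, iterations: int) -> bytes:
    """Derive a 256-bit key from a master password.

    Assumption for this example: the salt is the lowercased account email, so
    two users with the same master password still get different keys.
    """
    return pbkdf2_sha256(master_password.encode(), account_email.lower().encode(), iterations)


def matches_stdlib(password: bytes, salt: bytes, iterations: int, dklen: int = 32) -> bool:
    """Cross-check the hand-written derivation against hashlib.pbkdf2_hmac."""
    return pbkdf2_sha256(password, salt, iterations, dklen) == hashlib.pbkdf2_hmac(
        "sha256", password, salt, iterations, dklen
    )


def hmac_calls_per_guess(iterations: int, dklen: int = 32) -> int:
    """Work an attacker must do for one master-password guess, in HMAC calls."""
    return iterations * -(-dklen // hashlib.sha256().digest_size)
```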
As always, we remain committed to improving the security of LastPass as new threats and research emerge. Our ongoing mission is to provide the most secure password manager to safeguard your online life, and we continue to invest all of our resources in strengthening LastPass.