LastPass Best Practices: 10 Ways to Keep it Safe
The most popular piece of software in its category isn’t necessarily the best. When it comes to LastPass, however, it is currently the most popular password manager and undeniably the best in the industry. While KeePass is an excellent open-source offline password manager that is very flexible and extensible, it requires a reasonably experienced computer user to set it up and use it correctly.
LastPass has additional advantages over KeePass, including online cloud storage that lets you access your passwords from anywhere with an Internet connection, and it is easier to set up and use. One thing many users of a password manager aren’t aware of is their own role in keeping the account safe. Most people assume it is solely the company’s responsibility to keep their encrypted passwords safe on its servers, and are quick to blame LastPass when their account gets compromised.
In the two major LastPass security breaches, the intruders copied only small parts of the database, namely data that could be used to attempt to crack a user’s master password, and did not touch the encrypted user vault data. So if you use a strong, non-dictionary master password together with multifactor authentication, there is a very low chance that your LastPass login could be illegally accessed by a hacker.
To further safeguard and secure your LastPass account, here are 10 guidelines you should follow.
1. Use Screen Keyboard
When you log in to your LastPass account, either from the official website or the browser extension, always use the on-screen virtual keyboard to enter your password rather than your physical keyboard. Below is a screenshot example of the LastPass Master Login window. Simply click the “Screen Keyboard” link located at the bottom of the dialog.
Your default browser will launch and automatically load the LastPass login page with the screen keyboard enabled. You can type your email address on your keyboard, but make sure the password is entered by clicking the characters with your mouse cursor.
This effectively prevents a keylogger from capturing your LastPass master password. However, it is still not enough on its own, because a screen logger can be configured to capture your screen automatically on every mouse click.
2. Use Multifactor Authentication
You can do your best to protect your LastPass master password, but humans make mistakes. If a hacker gets hold of your master password, they will still be prevented from logging in to your LastPass account if you have enabled multifactor authentication. This feature adds another effective layer of security to your LastPass account. Below is an example of LastPass prompting for YubiKey authentication after a valid master password has been entered.
LastPass supports many different two-factor authentication methods, including smartphone-based apps, software-based services and hardware tokens. Hardware tokens such as the YubiKey are the most effective, because they are offline devices, whereas a smartphone can be infected by malware that redirects messages to the hacker. To enable multifactor authentication, log in to your LastPass account, go to Account Settings and select Multifactor Options. Choose the options that are available to you.
Note that two-factor authentication only adds another layer of security; it does not make the encryption of your database any stronger, so a stolen copy of the encrypted vault is still protected only by the master password. What it does mean is that if you are using a very weak password and a hacker successfully brute-forces your master password, they still cannot log in without the second factor.
3. Configure SMS Account Recovery
Nearly every online service offers a way to recover your login information by sending a unique link to your registered email address. LastPass offers a better method: sending a text message to your phone. You must first register your cellphone number with the system for this to work.
Log in to your LastPass account, go to Account Settings and, on the General tab, scroll down until you see “SMS Account Recovery”. Click the Update Phone button, click the Add Number button, enter your LastPass master password to confirm the action, then select the country and enter your phone number. Finally, click the “Send Test Code” button and wait for LastPass to send you a text message with a 6-digit code, which has to be entered in the final step.
If you cannot find the link to configure SMS account recovery, you can do so from this direct link: https://lastpass.com/update_phone.php
4. Enable Country Restriction
A lot of online services have started detecting when a user logs in from a different country, based on the IP address. For example, if you normally log in to your Facebook account from the US and someone suddenly logs in to your account from Russia, Facebook will show photos of your friends and ask you to pick the names that go with the photos as a verification. LastPass has a similar but stricter restriction, which allows login only from selected countries.
To enable the country restriction option, log in to your LastPass account, go to Account Settings, click “Show Advanced Settings” at the bottom of the screen, and tick the checkbox for “Only allow login from selected countries”. A list of countries with checkboxes will be shown; select the countries you are most likely to be in when you want to log in to your LastPass account.
Although this restriction isn’t foolproof, since a hacker can easily bypass it by using a proxy or a VPN located in the same country as you, it does add another layer of security.
5. Use One Time Passwords
One Time Passwords are great for logging in to your LastPass account on a public computer that does not allow any software or extensions to be installed. All you need to do is log in to your LastPass account, go to the One Time Passwords web page and click the “Add a new One Time Password” link to generate a unique password that can be used only once to log in to your LastPass account. There is also a print button so you can easily print out the one time passwords without having to write them down on a piece of paper.
To generate your one time passwords, log in to your LastPass account, go to More Options, expand Advanced and click on “One Time Passwords”. Alternatively, you can visit this URL directly: https://lastpass.com/otp.php. Note that logging in to your LastPass account with a one time password must be done from the same URL where you generated the OTP.
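To make the two properties above concrete (a one time password works exactly once, and only at the URL it was issued from), here is a small Python model of how a service can keep such passwords. This is an added example written for this article, not LastPass’s own code; it assumes the server stores only a salted hash of each OTP, binds every OTP to the origin it was issued for, and the sample origins and codes are constructed for the demo.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List

# Assumption for this example: each OTP is 16 random bytes (32 hex characters).
OTP_BYTES = 16


@dataclass
class OtpRecord:
    salt: bytes       # per-OTP random salt, so equal OTPs would not hash alike
    digest: bytes     # SHA-256(salt || otp); the plaintext OTP is never stored
    origin: str       # URL the OTP was issued from; it is only valid there
    used: bool = False


@dataclass
class OtpStore:
    """Server-side book-keeping for one account's one-time passwords."""
    records: List[OtpRecord] = field(default_factory=list)

    def issue(self, origin: str, count: int = 5) -> List[str]:
        """Create `count` fresh OTPs bound to `origin`.

        The plaintexts are returned once so the user can print or write them
        down; only salted hashes are kept. Plain SHA-256 (no key stretching)
        is adequate here because each OTP carries 128 bits of randomness and
        cannot be recovered by a dictionary attack."""
        plaintexts = []
        for _ in range(count):
            otp = secrets.token_hex(OTP_BYTES)
            salt = secrets.token_bytes(16)
            digest = hashlib.sha256(salt + otp.encode()).digest()
            self.records.append(OtpRecord(salt, digest, origin))
            plaintexts.append(otp)
        return plaintexts

    def redeem(self, origin: str, otp: str) -> bool:
        """Accept `otp` at `origin` exactly once; every later attempt fails."""
        for rec in self.records:
            if rec.used or rec.origin != origin:
                continue
            candidate = hashlib.sha256(rec.salt + otp.encode()).digest()
            if hmac.compare_digest(candidate, rec.digest):
                rec.used = True
                return True
        return False

    def remaining(self, origin: str) -> int:
        """Number of unused OTPs still valid for `origin`."""
        return sum(1 for r in self.records if r.origin == origin and not r.used)


def demo() -> dict:
    """Walk through issue -> first use (ok) -> replay (rejected) -> wrong origin."""
    store = OtpStore()
    site = "https://lastpass.com"        # origin named in the article
    elsewhere = "https://other.example"  # constructed, not a real site
    codes = store.issue(site, count=3)
    return {
        "first_use": store.redeem(site, codes[0]),
        "replay": store.redeem(site, codes[0]),
        "wrong_origin": store.redeem(elsewhere, codes[1]),
        "unknown_code": store.redeem(site, "0" * 32),
        "left": store.remaining(site),
    }


if __name__ == "__main__":
    print(demo())
```

Running the script prints the five outcomes: the first use succeeds, the replay and the attempt from a different origin are rejected, an unknown code is rejected, and two unused codes remain. The point for the user is the same as in the article: a printed OTP that has been used, or that someone copies from your printout, is worthless away from the URL it was generated for, and worthless anywhere after its single use.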
6. Use Bookmarklets
This method is safe from keyloggers because nothing is typed on the keyboard, and nothing is copied or pasted through the clipboard, which keylogger software can also capture. The LastPass bookmarklets option is rather hidden; you can find it under More Options > Advanced > Bookmarklets.
7. Use LastPass Portable
If the public computer permits it, it is best to run your own portable Firefox or Chrome from your USB flash drive with the LastPass extension installed. Note that there is a specific portable version of LastPass for Firefox and Chrome, which can be downloaded from the official LastPass website. To install it, visit the link provided, click on the Windows tab, and scroll down until you see the LastPass Portable download button for Firefox or Chrome.
The reason there is a special LastPass Portable build for portable web browsers is that the normal version saves an encrypted offline cache of the database in the user’s LocalLow folder under AppData. When you use LastPass Portable, the extension does not save the offline database to the local computer.
8. Use a Strong Passphrase as Master Password
We have said this a couple of times in this article, and the people at LastPass also stress the importance of a strong master password. A strong password is at least 8 characters long and contains uppercase and lowercase letters, numbers and symbols. With such a combination, you will very likely have trouble memorizing it in the first place, or worse, forget it one day. A better and more practical strong password is a passphrase.
Here is an example of a strong password: 3Rv*dPprjy*1
And here is an example of a strong passphrase: Mybirthdayis0nthe1st0fjanuary198o!
You can of course make the effort to memorize the super-strong password, but it is much easier to use the strong passphrase instead. It has many more characters and is easier to memorize. Simply replacing some of the vowels with numbers and adding one or two symbols greatly increases the strength of the password.
9. Run Security Challenge
If you have been using LastPass for a very long time or have imported your login credentials from another password manager, it is a good idea to run the LastPass Security Challenge to analyze the strength of all the passwords stored in your vault automatically. The analysis is performed locally on your computer, not on LastPass’s remote servers, and it quickly shows you which passwords need to be changed or replaced with stronger ones.
To start the Security Challenge, click the LastPass icon, go to Tools and select Security Challenge. From the online Account Settings, it is found in the left-hand sidebar. Alternatively, you can use the direct link below to access the Security Challenge webpage instantly.
Visit LastPass Security Challenge
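To show what a local password audit of this kind actually checks, and how the password and passphrase from tip 8 compare under it, here is a Python script that scans a vault export for short, common, low-entropy and reused passwords. It is an added example written for this article, not the LastPass Security Challenge itself; the sample vault entries, the tiny common-password list and the 40-bit threshold are all constructed assumptions, while the two strong examples are the ones printed in the article.

```python
import math
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample vault for the example; these are not real credentials.
SAMPLE_VAULT: List[Tuple[str, str]] = [
    ("mail.example", "password1"),
    ("shop.example", "password1"),                           # reused from mail.example
    ("bank.example", "3Rv*dPprjy*1"),                        # the article's strong password
    ("forum.example", "Mybirthdayis0nthe1st0fjanuary198o!"), # the article's passphrase
    ("wifi.example", "abc"),
]

# A deliberately tiny stand-in for a real breached-password list (assumption).
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein"}

MIN_LENGTH = 8         # the article's minimum length
MIN_ENTROPY_BITS = 40  # threshold chosen for this example


def charset_size(pw: str) -> int:
    """Size of the smallest standard character pool that contains every
    character of `pw` (lower, upper, digits, printable ASCII symbols)."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 33
    return size


def entropy_bits(pw: str) -> float:
    """Crude upper-bound estimate: length * log2(charset). It rewards the long
    passphrase heavily, but it treats every character as random, so a phrase
    built from dictionary words or a birthday is weaker than this number says."""
    if not pw:
        return 0.0
    return len(pw) * math.log2(charset_size(pw))


def analyze_vault(entries: List[Tuple[str, str]]) -> List[Tuple[str, List[str]]]:
    """Return (site, sorted list of issue tags) for every vault entry."""
    sites_by_password: Dict[str, List[str]] = defaultdict(list)
    for site, pw in entries:
        sites_by_password[pw].append(site)

    findings = []
    for site, pw in entries:
        issues = []
        if pw.lower() in COMMON_PASSWORDS:
            issues.append("common")
        if len(pw) < MIN_LENGTH:
            issues.append("short")
        if entropy_bits(pw) < MIN_ENTROPY_BITS:
            issues.append("low-entropy")
        if len(sites_by_password[pw]) > 1:
            issues.append("reused")
        findings.append((site, sorted(issues)))
    return findings


def summarize(findings: List[Tuple[str, List[str]]]) -> Dict[str, int]:
    """Count how many entries carry each issue tag, like a challenge scorecard."""
    counts: Dict[str, int] = defaultdict(int)
    for _, issues in findings:
        for tag in issues:
            counts[tag] += 1
    counts["clean"] = sum(1 for _, issues in findings if not issues)
    return dict(counts)


if __name__ == "__main__":
    results = analyze_vault(SAMPLE_VAULT)
    for site, issues in results:
        print(f"{site:15} {', '.join(issues) or 'ok'}")
    print(summarize(results))
```

On the sample vault the two reused "password1" entries are flagged as common and reused, "abc" is flagged as short and low-entropy, and both of the article's examples pass. Note the caveat built into `entropy_bits`: it scores the 34-character passphrase far above the 12-character random password, which is what the article argues, but the estimate assumes every character is random, so a phrase that names your own birthday will hold up less well against a guessing attack than the number suggests.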
10. Enable Mobile Device Restriction
If you have a premium LastPass subscription, which allows you to sync your vault with the smartphone apps, it is best to enable the mobile device restriction option. The concept is similar to the MAC address filtering found in most wireless routers, which only allows connections from the recognized MAC addresses of wireless adapters.
To enable the Mobile Device Restriction feature, go to your LastPass Account Settings, then Mobile Devices, and click the Enable button at the bottom of the page. Note that you should only enable this restriction AFTER you have finished installing the app on your smartphone and logging in to your account, because enabling it prevents any mobile device that has not already logged in from accessing your LastPass account.
Awesome review as always. First time I’ve heard of it. Looks very helpful.
Great post. I’ve been using LastPass for a while and last month’s news about hacked LastPass accounts was really worrying. Thanks for sharing tips on how to make it more secure then.
I have been using LastPass since the time it was launched. It’s a great service and passwords are very much secured. I now don’t even remember my email account passwords.
Thanks Raymond for reminding me about the Bookmarklets feature. I was stupidly installing the plugin on public computers too, though I used to uninstall it after use.
I have been using LastPass for over a year now and I think it’s an excellent product.
I have been using LastPass for more than 20 months now, without many issues.
Thanks for making our online life easier & safer.
Great review. Looking into LastPass already …
It would be convenient to use a secure online password manager such as LastPass.
I have used this program for some time and I will say honestly that I cannot imagine life without it.
LastPass is awesome! Lots of features for a free program, and I love the password generator for creating new passwords. Easy to group and organize the passwords too through the vault.
Having started using LastPass just a couple months ago, it makes me feel more at ease to see that you’ve chosen to go with them as well.
Thanks for putting in the time to constantly update this valuable site!
LastPass is very nifty.
I often forget the passwords that I have. Keeping a file containing a list of passwords is definitely not the right choice, so this is a good opportunity for me to have a lot of passwords without having difficulty remembering the list of passwords that I have.
I’ve never used an online password manager before due to the fact that hackers are very smart people! =) But after reading your post on LastPass best practices, I find it quite worthwhile and secure to at least try it out since it provides multi-factor authentication. Thanks for sharing.
No1 for passwords
easy to use
I’m loving me some LastPass, just started using it recently as well. I’ve always worried about someone getting one of my 3 commonly used passwords because those 3 passwords are used on 95% of the sites I visit.
Love Love Love the auto generation and save feature.
I’ve been using LastPass for a few years and I absolutely love it. In my opinion it’s the best password manager out there.
I’ve been using LastPass for a while now. Thanks for this post because now I know a lot more about how great of an idea it was to get it. I never knew LastPass had all of the features that you mentioned here though, thanks! :)
Thanks for that review, Raymond. I’ve been using the free LastPass for a few months and wouldn’t like to be without it now. Just wish I could make a hard copy of all my info on it as Ron said earlier. When you rely on it and something occurs as it did a couple of weeks ago you need a record. Also had trouble getting an update to load permanently. Get a reminder soon after logging on, update appears to install but when next logging on to the computer it all happens again. Only get round it by doing a complete uninstall using Revo (another brill prog) then doing a new install. Keep up the good work, my friend.
Been using LastPass for a long time and it works flawlessly. Very good product.
Multifactor authentication requires the user to present both username/password and information from another physical item such as the Grid (printable card), Sesame (USB flash drive), YubiKey, Fingerprint and SmartCard authentication.
I’ve been using this for about 2 years now, and only had trouble with it once, after the breach. I don’t know if I missed how to verify that my password was secure. I reinstalled LastPass and everything was back to normal, and it’s working well with Firefox Beta 5.
thanks for the info – I have been looking into this and appreciate the detail
This will be a keeper Raymond. Thanks a million or more.
In my opinion LastPass is also good as a password manager.
LastPass is one of the best cloud-based password managers I’ve ever used. It is simply great!
I have never used any password management program before but from what I read here it seems LastPass is quite a secure program with many features well thought out.
I’ve been using LastPass for about a year now and have loved its features. Good product! Thanks for the additional info!
I have used LastPass since it was in beta and love it, would recommend it to anyone. I thank you for the work you do here on this website. Keep it coming love!
I’ve been using the standard LastPass since a year ago and can’t live without it anymore. Strong passwords all the way!
I use LastPass and have done so for about a year, it’s good to know that it’s passed the “Raymond” test as well!
Lastpass is great. Hadn’t thought about the master reset every couple of months and using a random one. One thing i would add is having an export of your data in case lastpass goes down or goes away (They recently went down for about a week and didn’t have my logins easily).
already a premium user, great review!
I have been using LastPass for 2 years and there is no problem in migrating platforms from Windows to Linux. It even has mobile phone support.
thanks for the review and suggestions to tighten the process.
Been using LastPass for a few months. It is a keeper.
I have been using LastPass for two years and never had any problems. For me this is the best password manager. Thank you for your very useful information and advice.
I use LastPass, but can’t afford the premium version. I’ve found it very easy to use. Thanks for the tip about bookmarklets. I didn’t know about that feature, but then I usually use my home computer.
Hey Ray. Excellent article. I used to use RoboForm, but switched to LastPass after RoboForm decided not to honor the lifetime license and to charge their clients again. I haven’t looked back, really like LastPass and it does seem pretty secure. I like the YubiKey idea, seems to make it that much more secure. Thanks again.
And the last shall be first and the first last. Whichever way it goes, this is great defensive software. Thanks, Raymond and LastPass.
Never used a password manager, would like to give this a go based on your review though.
Thank you, Raymond.
I was looking for a good Password Manager and after reading your article, I am going to use LastPass!
I’ve been using LastPass ever since RoboForm failed to honour its “lifetime” upgrade policy.
While it’s the best free tool out there, LastPass still misses many times:
– even after saving form data, it doesn’t complete all fields in some websites
– auto login is inconsistent in setting it up
– turning off auto login is unclear
I’ve always been a bit scared off by the idea of storing passwords in the cloud, but based on your very positive review, and all the good tips I’ve picked up here over the past few years, I would like to give this a try. Thanks Raymond!
No doubt it’s a great product, and I am using one of their acquired companies’ products and it is a great product…
But if we think saving passwords and trusting someone else will solve our problems, then no.. nothing is secure, not even LastPass, which is recovering from a breach…
I have been using LastPass for about two months now and really like it. I started using it since RoboForm reneged on their promise of lifetime support. RoboForm is not available for Firefox 4.
I have been using KeePass for a long time (more than 3 years) and it was very easy to use as I have been using it only from my home PC. But nowadays I find it difficult to keep my KeePass database updated as I travel a lot and have access to more than 3-4 PCs. That’s when I was searching for the best cloud-based password manager. LastPass looks very interesting. Let me check it out.
I have been using LastPass for a few yrs. It is so easy to use. The “Secure Note” feature is a big helper too.
This article is great for people like me who have literally over 50 strong passwords. I used to write them down on a piece of paper until I lost it and had to manually “Reset ALL forgotten passwords” …
Anyway, I am also very interested in Multifactor Authentication for logins. I am VERY paranoid about logging into accounts in public, especially email and the student portal, because I have been hacked even with a non-dictionary password! Would you write an article on Multifactor Authentication using external devices such as those you have mentioned (specifically YubiKey)?
I would love to try YubiKey but have totally no idea how to incorporate it with login in public places.
Thank you Raymond!!
LastPass is great service!
LastPass is excellent for me.
I did use RoboForm before and then moved to LastPass. It has everything I could need and it works better than those commercial ones.
Wonderful SW.. Great to use when browsing in public places..
I had never used any apps for password managing, but some weeks ago I found info that LastPass is a good choice. I checked out a lot of articles about different password managers, but after this article I am sure that I will soon start using LastPass! And it’s because of Raymond’s very informative post.
I’ve installed LastPass since the last time you talked about it. I’m also going to put it on my parents’ (how do you turn the computer on?) computer since my mom still uses birthdays and dead pet names in her passwords. >.<;
She's so clever.
LastPass is the best I’ve seen out there; also try their password strength test for strong passwords and duplicates across your entire range. It’s also a good bookmark keeper (they bought Xmarks btw). Check out the full review on Security Now for an in-depth security review of the service. It’s exceptional, and the first thing I install on any computer I use.
Nice to hear about it..
I’ve been using LastPass for a while..
still learning something!
LastPass is undoubtedly the best password manager that I’ve come to use. Having tried most other password managers previously, I ended up with LastPass. I haven’t used the multifactor authentication yet. One small niggle is that it is not as well integrated with other browsers as it is with Firefox.
A useful password manager and it’s free too.