Most people have many logins for many sites. The problem is managing all the user IDs and passwords, at least keeping track of them in a secure way. For me, I store all my login information in LastPass. While it can be difficult to trust a service that stores my login information on the cloud, I understand how LastPass keeps my data safe, so I’m not worried about security.
As with most things about security – you can never be too careful. With that in mind, I have compiled a list of some options that I have set within my LastPass account that will help give even more peace-of-mind relief about storing my passwords online with LastPass. The following are my tips for keeping your passwords safe with LastPass.
Accessing the Security Options
By default, LastPass is really secure. But there are a few more settings that you may want to use, or make sure they are being used, to add to that security. The first thing you need to do is access your LastPass Account Settings. You can do so, in one of two ways.
Through the LastPass Plugin/Extension
If you have the LastPass Web browser plugin or extension installed, you can do the following to access your account settings:
- Left-click the LastPass icon and then click the “Preferences” option.
- In the “LastPass Control Panel”, click “Account Settings” from the menu on the left.
- Click the “Click here to launch Account Settings” link on the right to open your account settings in your Web browser.
Through the LastPass Website
You can also access your account settings directly from the LastPass website using the following steps:
- Open your Web browser and navigate to the LastPass website.
- Click the “Sign In” link at the top right.
- Enter your email address and master password and click the “Sign In” button. Your “Vault” is displayed after sign in.
- Click the “Settings” option on the left to display your account settings.
Now that your account settings is display, you can confirm that a few options are set to make sure you can get the most security from LastPass.
Long and Strong Password
Choosing a nice long and strong master password for your LastPass account is by far the most important tip that I can give to secure your LastPass account.
A master password should consist of alphanumeric (uppercase, lowercase, and numbers) as well as symbols. The password should be at least 10 characters in length, and the longer the password the better.
Note:
Do not forget your master password. LastPass never stores, or receives your master password so they can’t help you to recover it. If you forget your master password, you won’t be able to get access to your LastPass account.
If you would like to change your password, you can do so in the “General” section of your account settings. Just click the “Change master password” link just below the box that is displaying your email address.
Your LastPass Email Address
Most people would probably just use their regular email address with LastPass. I recommend you create an entirely separate email account for LastPass.
Why?
If someone knows your email address, then they already know half your login information. This is especially true when data gets stolen from another website, as has happened recently.
You can change your email address in the “General” section of your account settings. It is the first option in the “General” section.
It is best to create a new email address, preferably with an email provider you haven’t used in the past, for use specifically with LastPass.
Set Your Password Iterations
LastPass uses your master password to create your personal encryption key. It creates the encryption key by using the PBKDF2 function with SHA-256 a specific number of iterations. The number of iterations can be set by you.
The default value is 5,000 (may be less on older accounts), which provides a good balance between security and performance. The PBKDF2 iterations are performed on the client (your computer, phone, browser), and the resulting hash is sent back to LastPass.
If you set the number of iterations higher, it could impact performance on specific platforms (smartphones, perhaps), and Web browsers (Internet Explorer 7).
I suggest ensuring that the number “Password Iterations (PBKDF2)” iterations in the “General” section should be set to 5,000.
Allowing Only Logins From Specific Countries
LastPass provides the ability to only allow IP address that originate from specific countries to log into your LastPass account. If you don’t do traveling, or travel infrequently – a few times a year – then you will want to set this option to the country that you will be accessing your LastPass account the most.
The reason I like this feature is that many times hackers will be in a different country than the one you live in, and this option will prevent them from logging in – even if they somehow have your login ID and master password.
I suggest you select the country, or countries, that you will access LastPass on a regular basis and leave the rest unchecked.
Prevent Access from Tor
This option is a personal preference as I know many users probably like browsing the Internet from the Tor network. The problem is that most hackers are also active on the Tor network, and do much of their nefarious deeds from Tor, as well.
If you don’t use Tor, you may want to check the “Disallow logins from Tor network” option under the “General” section of your account settings. This will prevent people from trying to get access to your account from the Tor network.
Enable Two-Factor Authentication
Two-factor authentication is becoming increasingly popular online as many sites are starting to offer a second verification to the standard user ID and password combination.
I highly recommend you enable two-factor authentication so that if someone were to attempt to login with your user ID and master password, they will need to give a third piece of information to get access to your account.
LastPass supports several different methods of two-factor authentication. The options listed in the “Multifactor Options” section of the account settings include:
- YubiKey
- Google Authenticator
- Toopher
- Duo Security
- Transakt
Out of the above list I recommend Google Authenticator since it is free and the app can be easily installed on your smartphone. Plus, many other websites can also be used with Google Authenticator so you won’t need a separate app for each website to use two-factor authentication.
The above tips will help make sure your LastPass account, and all your personal information, is as secure as possible. There are many other options you can change to add even more security, but the above list provides a good basis for securing your account.
In addition, do you have your own tips for keeping your passwords safe with LastPass? How about with another password management tool, or even without using a password manager?