I’m a big fan of the password manager LastPass – I use it to store, organise and audit the majority of my passwords.
It is, however, also a massive security risk.
It’s a treasure trove of passwords that you would normally never dream of sharing with anyone, yet there they sit in the browser extension, available to anyone with access to your computer.
Fortunately there are several options to lock down LastPass. Here are some of my favourites.
Use auto log out
The quickest, easiest and most obvious option is to use the auto log out options in the browser extension.
To access these settings, click on the extension (when logged in) and then ‘Preferences’.
Enable and configure both settings:
- Automatically Log out when all browsers are closed and Chrome has been closed for (mins)
- Automatically Log out after idle (mins)
Note: “idle” is determined by no mouse or keyboard movement inside the browser.
Disable auto fill login info
While auto-filling usernames and passwords is convenient, it’s also a feature that has been the focus of vulnerabilities in the past, where the browser extension was tricked into providing passwords to other websites.
To disable auto fill login info, click on the extension (when logged in) and then ‘Preferences’.
Under ‘General’ untick ‘Automatically Fill Login Information’
Prevent access from Tor network
The Tor network: anonymous, probably; secure, not so much.
Tor exit nodes may not know who sent the traffic, but they can snoop on the traffic they relay, and a malicious exit node can also attempt to intercept HTTPS connections.
For this reason I would never recommend using your usernames and passwords over the Tor network – especially your LastPass master password.
Preventing access from the Tor network stops accidental usage as well as stopping unauthorised people using it to brute force (guess) your master password.
Note: this may be disabled by default for some users, but it’s worth checking.
To prevent access from the Tor network:
- Open the LastPass website https://www.lastpass.com
- Log in
- Open ‘Account Settings’
- On the ‘General’ tab, click on ‘Show Advanced Settings’ at the bottom of the window
- Under ‘Security’ make sure ‘Disallow logins from Tor networks.’ is ticked.
Prevent access from unknown mobile devices
This option will prevent new mobile devices from using your account with the LastPass app.
While you’re there it would be worth checking the list of authorised devices and removing any that no longer need access.
- Open the LastPass website https://www.lastpass.com
- Log in
- Open ‘Account Settings’
- Open the ‘Mobile Devices’ tab
- Now click ‘Enable’ at the bottom of the screen
Enable two factor authentication
Two factor authentication is where a second step is required to log in – for example, entering a temporary authorisation code.
LastPass has several two factor authentication options – they can be found by following these steps:
- Open the LastPass website https://www.lastpass.com
- Log in
- Open ‘Account Settings’
- Open the ‘Multifactor Options’ tab
Re-prompt for master password
This option makes LastPass prompt for the master password before accessing any passwords – in addition to logging into the browser extension.
- Open the LastPass website https://www.lastpass.com
- Log in
- Open ‘Account Settings’
- On the ‘General’ tab, click on ‘Show Advanced Settings’ at the bottom of the window
- Under ‘Re-prompt for Master Password’ tick both:
  - ‘Access a Site’s password’
  - ‘Access a Secure Note’
Now when you access a password the browser extension will ask you for your master password.
Other ways to keep your website password security tight
Website two factor authentication
If the website supports two factor authentication, consider using it.
Two factor authentication makes your accounts significantly harder to get unauthorised access to.
Don’t “remember me”
Don’t use a website’s “remember me” feature – log in each time you want to use it.
If the website doesn’t give you this option and forces its own “remember me” (e.g. Facebook), make sure to log off when you’re done.
Exclude critical accounts
I wouldn’t use LastPass for any critical accounts – for me that means bank accounts and work accounts: anything that would have serious financial or legal consequences if the wrong person got hold of the login details.
Other ways to secure LastPass?
Leave a comment to share your ways to secure LastPass.