Master Your Passwords For Good With LastPass’ Security Challenge

James Frew 30-08-2016

Let’s face it — remembering passwords is really tough. We spend more of our time online than ever before, which means more login details.


Mix together work passwords with social networks, music streaming sites, and all your utilities, and you’ll be struggling to remember which is which… and then we all end up taking shortcuts, like reusing passwords.

A password manager like LastPass can help you improve your security by securely storing all of your passwords in a vault that can be accessed on multiple devices. Securely storing your passwords isn’t enough, though, to protect you against the security breaches and hacks that are happening more frequently than ever.

With LastPass’ Security Challenge you can improve your “security hygiene” by having LastPass analyze your passwords, look for compromised email addresses and passwords, and make suggestions on how to improve your overall password security.

Import Into LastPass

The first step is to import all of your accounts into LastPass (if you haven’t already). Getting started with LastPass is fairly straightforward as they guide you through the process of importing your passwords.

It’s worth taking the time to make sure you import everything, even the old accounts that you may have forgotten about. Just because you don’t use them anymore doesn’t mean that a breach on that site wouldn’t hurt you later on.


Visit the LastPass Security Challenge Website


Once you have created a LastPass account and imported all your passwords it’s time to face the Security Challenge. Head to the website and click Show My Score for the analysis to begin.

The security-focused side of you might initially be thinking that uploading all of your passwords to LastPass’ servers is rather insecure — and that’s exactly why you don’t have to.

When you run the test, LastPass downloads your encrypted data and then uses JavaScript to decrypt and analyze your vault locally, meaning that your unencrypted data never leaves your computer.



Enter Your Master Password


Entering your Master Password at this stage allows your LastPass vault to be decrypted locally to analyze your passwords. Your Master Password is the password that you have chosen to protect all your LastPass data. To prevent unauthorized access to your LastPass account you should make this password unique and complex — the beauty of LastPass is that you only need to remember one password rather than hundreds.

Check For Compromised Accounts



LastPass helpfully maintains a list of known security breaches, and while it’s running the Security Challenge it looks at the email addresses in your vault and asks whether you’d like to check if any of them have been exposed in a breach.

If LastPass spots a match then they will send you an email confirming which account was compromised and in which breach. Although this is an optional test there is no reason not to take advantage of it.

Results Summary


Once LastPass has analyzed your passwords and usernames, you’ll be presented with the results page. Right up at the top is a summary of your scores, broken down into three categories: Security Score, LastPass Standing, and Master Password Score.


Your Security Score is a measure of how secure your vault is overall based on a number of criteria:

  • Password strength
  • Total of duplicate passwords
  • Multifactor Authentication
  • Compromised Passwords

Note that points can be deducted if you permit offline access, allow unrestricted mobile device access to your vault, or have trusted devices set to bypass multifactor authentication (if you have it enabled). Those options are all customizable, and the choice to enable or disable them is largely down to your own preference of security versus convenience.

Improve Your Score


You aren’t left alone to try and figure out why your score was less than the perfect 100%. LastPass breaks down four steps to improving your score: changing compromised passwords, changing weak passwords, changing reused passwords, and a friendly reminder to change old passwords. By expanding each section you’ll be presented with the sites on which LastPass recommends you change your password.

View Your Detailed Stats


The “Improve Your Score” section prompts you to focus on the most urgent areas of your password security, but that doesn’t mean those are the only areas worth a look.

In the Detailed Stats section you can view each password in your vault along with its rating on the password strength meter. Anything below 50% on this meter is considered weak; ideally you should be aiming for around 80% or higher.

In order to help you speed through some of these password changes, LastPass has an auto-change feature for certain sites. If the website is listed with “Auto-Change Password”, then with a click of a button LastPass will open the site, change the password to an auto-generated one, and save it in the vault for you.

Remove Duplicates


One of the biggest risks with any hack where passwords are leaked is password reuse: if you have used the same password on several sites, a single leak leaves all of those accounts vulnerable to the hackers.

The Security Challenge reminds you that duplicate passwords are a bad idea, and even breaks down which sites you have reused passwords on.

In the screenshot you can see that each of my duplicated passwords has an amber bar at 46%. If I were to change just one of those passwords so that they were both unique, then the score would improve for both, and as long as I have chosen a secure password then the meter should be pushed into the green.

Multifactor Authentication For Bonus Points


Multifactor authentication is one of the best ways to secure your accounts. It adds an extra layer of protection to your account by requiring that you provide some time-sensitive information that shows it is really you accessing the site. Most of these authentication methods take the form of a generated number, either sent to you by SMS or produced by an authenticator app.

Not only should you be using this on every site where it’s available, but LastPass also strongly suggests doing the same to protect your LastPass vault — after all, it is your digital safe, storing all of your passwords.

If you want some easy points to improve your security score, enable multifactor authentication for LastPass and you will be rewarded with 10% on your Security Score.

Auto Generate Secure Passwords


After putting in the time to sort out your old passwords, I’m sure you’ll be wondering how you can prevent your score dropping every time you sign up for a new website. Two ways to keep that score high are either to make sure that you create secure passwords yourself or to have LastPass do the legwork for you.

Since LastPass works on most devices and web browsers you aren’t likely to be without it, so you don’t actually need to remember your passwords any more, which means they can be total gibberish.

LastPass can auto-generate passwords to a length that you set (the default is 12 characters). This means that you have a secure password that no one is likely to guess, stored safely in your vault, and you never need to try to remember the long string of letters, numbers, and symbols.

Better Now Than Never

I was burnt in the 2013 Adobe hack where I had used the same password for multiple accounts including my then main mail provider, Outlook. Three years later my account is still regularly hit with attempts to log in from countries all around the world, but a newer, more secure, unique password along with two factor authentication is keeping them out.

Using LastPass was my first step to securing my passwords and knowing exactly what I had and where, but the Security Challenge and my relentless need to improve my score helped me to get to grips with my lack of password hygiene.

You only have to look at the news to know that one day you may be unfortunate enough to end up caught in the cross-hairs, and when you do you’ll be glad that you took the time to use LastPass’ Security Challenge to up your game.

Have you ever been stung by a security breach? Do you use a password manager? Show off your high Security Challenge scores in the comments below!


  1. Anonymous
    August 30, 2016 at 9:26 pm

    One more important advantage to using a password manager (be it Lastpass or Chrome, etc.): With so many attempts at phishing and webpage spoofing -- pages with addresses or contents that look like the real thing may fool us humans -- but they won't fool a password manager. If you click an email link to a web sign-in page and your password manager doesn't recognize it, that's your red flag right there! Do not manually enter your logon ID and password, blindly thinking the password manager must be asleep. Dump the page altogether and type in the sign-on page address yourself - or use your own bookmark.

    • James Frew
      August 31, 2016 at 9:37 am

      That's a great idea! If I get an email asking for action on a website I nearly always just go direct to the website rather than clicking the link. It's always worth maintaining a cautious eye on links.

  2. Anonymous
    August 30, 2016 at 4:11 pm

    With all the hacking going on, AND increasing, are you sure it is the right thing to recommend an online password manager? I would never sleep 1 night quietly knowing the site can be hacked @ any time.

    • James Frew
      August 30, 2016 at 5:06 pm

      LastPass doesn't store your unencrypted passwords. Instead they store an AES-256 bit encrypted vault with PBKDF2 SHA-256 and salted hashes.

      Entering your master password decrypts your passwords but only locally on your device, so no unencrypted passwords will ever be uploaded to their servers.

      There is obviously still the possibility that your master password could somehow be compromised, however, making it unique to the rest of your passwords and making it strong should minimize this risk.

      Another thing to consider - Google can also store all of your passwords when saved in Chrome protected only by your Google password, which is significantly less secure than LastPass and is common practice among many internet users.

      • Anonymous
        August 30, 2016 at 5:51 pm

        OK, whatever suits.
        As for storing passwords in Chrome: if there is 1 thing that's asking for trouble it is storing sensitive passwords there. I only use the feature for "innocent" sites where my activity is not confidential. For all other passwords I use a password manager, but certainly NOT an online one.

        • James Frew
          August 30, 2016 at 5:53 pm

          I think you said it right with "whatever suits". Everyone has different requirements or different levels of comfort with cloud based solutions so not everything will be appropriate for everyone. Which offline manager do you use?

        • Anonymous
          August 31, 2016 at 11:41 am

          KeePass - have been using it for 8 years. Recently discovered its (semi) auto-type feature, which is very useful and means I no longer even store the password for "innocent" sites. On a separate note, EU personnel use it so much that the EU is having the app audited to be able to use it officially. I did not know about this till I read about it recently.