By now, you should know the basic principles of keeping your online accounts secure: use two-factor authentication, create strong passwords, don’t use the same password on two different sites, and use a password manager.
There are lots of password managers to choose from, each with different strengths and weaknesses. The most popular is LastPass. It has the highest number of users, the most features, and the best support.
But it’s not as simple as just signing up and forgetting about it. All your passwords are stored there. You need to make sure your account is watertight.
Here are eight steps you can take to make your LastPass account even more secure.
1. Require Master Password to See Other Passwords
When you first create your account, you will notice you can view all your saved passwords by clicking the eye icon.
It’s better to get LastPass to prompt you for your master LastPass password whenever you click on the eye. If you’ve not enabled automatic logouts, it will stop someone in possession of your machine from gaining unfettered access to your various credentials.
Go to Account Settings > General > Show Advanced Settings > Alerts > Re-prompt for Master Password and check the boxes next to Access a Site’s password and Access a Secure Note.
2. Use One-Time Passwords
In an ideal world, you’d never use a public computer to access your LastPass account. PCs in libraries, hotels, and internet cafes are notorious for malware, keyloggers, and a lack of updates.
Unfortunately, sometimes it’s inevitable. Maybe you need the details for your Airbnb account while you’re on holiday or for your Amazon account to send a last-minute gift to a friend.
LastPass mitigates the risk by offering one-time passwords. Go to More Options > One Time Passwords > Add a New One Time Password to set one up.
To use a One Time Password, go to the LastPass website, click Log In, then select Log in using a One Time Password. As the name suggests, once you’ve used it once, it’s useless.
3. Prevent Logins From Unknown Mobile Devices
Head to Account Settings > Mobile Devices. You’ll be shown a list of all the mobile devices you’ve used to log into your account, along with each device’s 128-bit Universally Unique Identifier (UUID).
Delete any you don’t recognize or no longer use, then click the Enable button next to the line that reads “To restrict access to all mobile devices except those allowed above, click ‘Enable’”.
4. Increase the Number of Password Iterations
LastPass uses Password-Based Key Derivation Function 2 (PBKDF2) as part of its cryptography standards. PBKDF2 stretches your master password by running it through a hash function repeatedly, and the number of repetitions is the iteration count you can adjust.
In layman’s terms, the higher the iteration count, the longer it takes for LastPass to determine whether your password is correct, and the longer it takes a hacker to test each guess when brute-forcing your account. LastPass recommends you set this figure to at least 5,000. Theoretically, the figure can be as high as you want, but the more iterations you use, the slower the login process will be.
Navigate to Account Settings > General > Show Advanced Settings > Security > Password Iterations to change the figure.
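To see why the iteration count matters, here is an added example (not LastPass’s own code, and not a claim about its exact key-derivation scheme) that stretches a constructed sample password with PBKDF2-HMAC-SHA256 at several iteration counts, times one verification attempt, and projects what that cost means for an attacker who has to make many guesses.

```python
import hashlib
import time

# Constructed sample inputs for illustration only; not real credentials and
# not LastPass's actual salt or parameter choices.
SAMPLE_PASSWORD = b"correct horse battery staple"
SAMPLE_SALT = b"user@example.com"


def derive_key(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Stretch a password into a 32-byte key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Best-of-N wall-clock cost of a single verification at this count."""
    best = float("inf")
    for _ in range(samples):
        start = time.perf_counter()
        derive_key(SAMPLE_PASSWORD, SAMPLE_SALT, iterations)
        best = min(best, time.perf_counter() - start)
    return best


def brute_force_seconds(guesses: int, sec_per_guess: float,
                        parallel_workers: int = 1) -> float:
    """Time to try `guesses` candidates at a fixed per-guess cost, split
    evenly across `parallel_workers` attackers' cores."""
    return guesses * sec_per_guess / parallel_workers


if __name__ == "__main__":
    # Every 10x in iterations costs the legitimate user one slower login,
    # but multiplies an attacker's work by 10x for *every* guess.
    for iters in (1, 500, 5000, 100_000):
        cost = seconds_per_guess(iters)
        days = brute_force_seconds(10**8, cost) / 86_400
        print(f"{iters:>7} iterations: {cost * 1000:8.3f} ms per guess, "
              f"{days:10.1f} days for 10^8 guesses on one core")
```

The absolute timings depend on your CPU; the point is the linear scaling, which is why a higher count buys security at the cost of a slightly slower login.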
5. Prevent Access From Certain Locations
You can easily prevent logins from specific countries. To enable the feature, go to Account Settings > General > Show Advanced Settings > Security > Country Restriction. Mark the check boxes next to the countries you want to allow.
The smaller the country in which you live, the more effective this is. If you’re lucky enough to live somewhere like Luxembourg, you’re immediately preventing 99.98 percent of the world from logging in.
Just remember to re-allow specific countries before you take a foreign vacation!
6. Stop Logins From the Tor Network
The Tor network uses “onion routing” to send traffic through more than 7,000 relays. It’s a great tool in the never-ending battle against encroachment into your privacy, but it’s also picked up a reputation for being a haven for criminals.
If you don’t use Tor yourself, you need to make sure this is disabled. Allowing logins from Tor is only going to weaken your security.
To prevent logins from Tor, go to Account Settings > General > Show Advanced Settings > Tor Networks.
7. Deploy Multifactor Authentication
Multifactor authentication boosts your account’s security by requiring an extra login step beyond simply entering your password.
Even if a hacker has your credentials, they still won’t be able to get into your account without the second factor. The second step could take the form of an SMS message, push notification, or even a USB device.
LastPass offers six free multifactor authentication options: its own LastPass Authenticator (which works with all sites that support Google Authenticator), Google Authenticator, Toopher, Duo Security, Transakt, and Grid. Premium users also have access to YubiKey, Sesame, and fingerprint sensors. The Enterprise package adds Salesforce Authenticator.
Go to Account Settings > Multifactor Options to set up multifactor authentication.
8. Use Automatic Log Outs
LastPass needs a browser extension to let it auto-fill your passwords. It’s an important part of the way it works; if it couldn’t auto-fill passwords, fewer people would use the service.
But it does represent a security issue. What happens if your laptop gets stolen? Or a colleague starts using it without your permission? Or you need to take it to a computer shop for repairs?
You need to enable automatic logouts. Go to Account Settings > General > Show Advanced Settings and change the time for both Website Auto-Logoff and Bookmarklet Auto-Logoff.
You can also tweak your settings on a browser-by-browser basis. Click on your browser extension and navigate to Preferences > Automatically Logout After Idle.
How Do You Secure Your LastPass Account?
If you implement these eight tips you’ll be safe in the knowledge that all your login details are as safe as they can possibly be.
Of course, there are more measures you can take. LastPass is packed with security tools and settings. That’s why I want to know what steps you’ve taken to protect your account. Are there any settings everyone should be changing? Have I overlooked some of the most important?
Let me know your tips and recommendations in the comments section below.