11 ways to increase the security of LastPass password manager

Top tips for password managers

A password manager like LastPass is an essential utility for remembering all the login details of the websites and services we use. Here are the best ways to increase LastPass security.

You might assume your password manager is as secure as it can be straight out of the box. It is secure by default, but there are different levels of security and the defaults do not always give you the strongest protection available. LastPass has many options and settings that let you raise the level of security and make it much harder for hackers to get in. Your password manager contains everything that is valuable to you, so it makes sense to ensure that the information it holds is as well protected as possible.

Although these tips are for LastPass, some of them apply to other password managers. Look for similar features in your own service if you use a different one.

1 Use a secure LastPass master password

  1. Click the browser icon and select Open My Vault
  2. Click Account Settings
  3. Select the General tab
  4. Click Change Master Password
  5. Enter a more secure password
Change the LastPass master password at the website

A password manager like LastPass lets you create very complex passwords that are very secure. They are impossible to remember but that is OK because the password manager remembers them for you.

However, the master password for a password manager must be one you can remember and this means that it cannot be too complex. Make it as difficult to guess as you can while still being able to remember it. The harder it is to guess, the more secure it is.

One way to create complex passwords is to take the first letter of each word in a phrase, like RoYGBiV (Richard of York Gave Battle in Vain) or SCFLEAD (SuperCaliFragiListicExpiAliDocious). Phrases are easier to remember than strings of meaningless characters, but make sure they aren’t well-known ones like these examples.

If you think you might forget it, write it down and store it somewhere secure and well away from your computer.

2 Don’t re-use the LastPass password

If the current master password has been used for anything else anywhere on the web, ever, change it immediately. If it is used with another site or service and that gets hacked, the hacker might try the password with your password manager. It should be unique and not used anywhere else.

3 Don’t save the LastPass password

Log in to LastPass using the Chrome extension

Logging into LastPass in order to access your passwords or use the auto-fill on web pages is a pain. The web browser extension enables your email and password to be remembered, which solves the problem, but it reduces security.

To improve LastPass security, clear the option to remember the master password. Remembering the email saves you having to type it in to log in, and this also reduces security, but to a far lesser degree. Even with your email address, people cannot log in without the password.

4 Use LastPass multifactor authentication

  1. Open the LastPass vault
  2. Click Account Settings in the sidebar
  3. Select the Multifactor Options tab
  4. There are several different methods. If you already have one of them, such as the Google or Microsoft Authenticator app on your phone, select it; otherwise use LastPass Authenticator.
  5. Follow the instructions to set it up – you will need to install an app on your phone and authorise it. Once done, no-one but you will be able to access your LastPass account.
LastPass multifactor authentication

Multifactor authentication, sometimes called 2FA or two factor authentication, is a way to stop people from accessing your LastPass account even if they know your email and password.

When you, or anyone else, tries to log in to your LastPass account to reach the passwords and other information it contains, you are asked to enter a code. There are several ways to generate this code, but it can only be done on your phone and not someone else’s. A hacker would therefore need to know your login details and also have your phone and be able to unlock it, and the phone is probably protected by a password, PIN or fingerprint.

It makes security more of an irritation because you must enter three things to access your account – email, password, and code. However, it is worth it for the increased security.

5 Use a VPN in public

When accessing the LastPass website and other internet services over public Wi-Fi, it is best to use a VPN to add an extra layer of security so that your activities cannot be spied upon. A VPN encrypts all traffic between your device and the VPN server, so the hotspot owner or a hacker lurking on the network cannot eavesdrop on your internet connection.

There are many VPNs available and it can be hard to choose between them. My favourite is NordVPN, but Surfshark VPN, Ivacy VPN and PureVPN are well worth considering too.

Our Offers and Recommendations page has great deals on VPNs for your Mac, PC and phone. Save $$$ on your subscription.

6 Use a one-time password with LastPass

  1. Open your LastPass vault
  2. Click More Options at the bottom of the sidebar
  3. Expand the Advanced section
  4. Click One Time Passwords
  5. Click Add a new One Time Password
Log in to the LastPass website using a one-time password

Web browsers store the information that is entered into forms and this includes usernames and passwords. This is clearly a problem if you have to use someone else’s computer, a work computer, phone or tablet to access your LastPass account, perhaps to look up a password or other information. The next person to use the computer or device could get your password and log in to LastPass. There may even be a keylogger on the computer recording keystrokes.

For this reason, LastPass provides one-time passwords. They can be used once and then they don’t work again. They are useful when using public computers or work computers so you don’t leave a working password on them.

You can create as many One Time Passwords as you need. Copy them and store them somewhere secure, perhaps in an app like OneNote (Android) or Apple Notes (iPhone), both of which can lock notes behind a fingerprint. Each password can be used only once, so delete it after use.

To use a One Time Password, go to the LastPass website and click Log In. Click the link to Log in using a One Time Password.

7 Block unknown devices using LastPass

  1. Go to the LastPass vault
  2. Click Account Settings in the sidebar
  3. Select the Mobile Devices tab
  4. Your phone will be listed if you have used it with LastPass
  5. Click Enable at the bottom to lock out all other phones
Block unknown devices from accessing LastPass

LastPass keeps track of the phones and tablets that are used to log in to the service and this can be used to prevent unauthorised access from unknown devices.

It can be a bit confusing if you have had a LastPass account for a long time and have had several phones and tablets. All are listed with names like Android or iPhone. It is much easier with a new account or if you delete old entries and then access LastPass so it records just the one device.

Clicking the Enable button at the bottom enables blocking of all devices not on the list. It is one more layer of security that keeps your passwords safe.

8 Block other countries from accessing LastPass

  1. Go to the LastPass vault
  2. Click Account Settings
  3. Select the General tab
  4. Click Show Advanced Settings
  5. Scroll down to Country Restriction
  6. Tick the checkbox Only allow login from selected countries
  7. Select the country or region to allow
Limit the countries that can access LastPass password manager

One simple way to prevent hackers and unauthorised attempts to access your LastPass account is to limit where it can be accessed from. Only allow logins from your own country or region and you block a large part of the world. There may be hackers where you live and there is nothing you can do about that, but at least you can stop those in other countries.

Be aware that if you go on a trip or holiday to another part of the world, you will be blocked. Either add the country or temporarily disable the country blocking feature.

9 Block access to LastPass from Tor

  1. Go to the LastPass vault
  2. Click Account Settings
  3. Select the General tab
  4. Click Show Advanced Settings
  5. Scroll down to Tor Networks
  6. Tick the checkbox Disallow logins from Tor networks

If you are not familiar with it, Tor is a way to access the internet anonymously; it makes it very hard, perhaps even impossible, to identify people or track what they do. There are legitimate uses, but it is also useful to hackers and others doing illegal things on the internet, so blocking access via Tor is an essential setting. You would not use it

10 Increase LastPass password iterations

  1. Go to the LastPass vault
  2. Click Account Settings
  3. Select the General tab
  4. Click Show Advanced Settings
  5. Scroll down to Password Iterations
  6. Increase the number if it is low. It used to be 500, but 10000 is much better.

LastPass syncs data across computers and devices through LastPass cloud storage. The iterations setting controls how many times your master password is run through the key-derivation function before the result is used to encrypt your vault. Increasing it makes every guess at the master password more expensive, so if anyone obtains the encrypted data sent to LastPass servers, it is much harder to crack.

Your data is re-encrypted and then sent to the LastPass server online. You are then logged out. Log back in and you are now more secure.
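To see what the iteration count buys you, here is an added example (not LastPass's own code) that derives a vault key with PBKDF2-HMAC-SHA256, the scheme the Password Iterations setting controls, and measures how the cost of one guess grows with the count. The email address as salt and the 256-bit key length are assumptions for the demonstration; the password and email are constructed values. Note that 10000 is far below what current guidance recommends for PBKDF2-SHA256 (OWASP suggests 600,000 as of 2023), so treat the article's figure as a floor rather than a target.

```python
import hashlib
import time

# Constructed sample values; not real account data.
SAMPLE_EMAIL = "user@example.com"            # assumed salt
SAMPLE_MASTER_PASSWORD = "RoYGBiV-demo-only"  # constructed, never reuse
KEY_LEN = 32                                  # assumed 256-bit vault key


def derive_vault_key(master_password: str, salt: str, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 key derivation; `iterations` is the setting in question."""
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        salt.encode("utf-8"),
        iterations,
        dklen=KEY_LEN,
    )


def seconds_per_guess(iterations: int, rounds: int = 3) -> float:
    """Wall-clock cost of one derivation at this iteration count (best of `rounds`)."""
    best = float("inf")
    for _ in range(rounds):
        start = time.perf_counter()
        derive_vault_key(SAMPLE_MASTER_PASSWORD, SAMPLE_EMAIL, iterations)
        best = min(best, time.perf_counter() - start)
    return best


def guess_cost_ratio(low_iterations: int, high_iterations: int) -> float:
    """PBKDF2 cost is linear in the count, so an attacker's work per guess
    scales by exactly this factor."""
    return high_iterations / low_iterations


def hours_to_exhaust(guesses: int, secs_per_guess: float) -> float:
    """Time for an attacker with this per-guess cost to try `guesses` candidates."""
    return guesses * secs_per_guess / 3600


if __name__ == "__main__":
    for count in (500, 10000, 100000):
        cost = seconds_per_guess(count)
        print(f"{count:>7} iterations: {cost * 1000:8.2f} ms per guess, "
              f"1e6 guesses ≈ {hours_to_exhaust(1_000_000, cost):.2f} h on this CPU")
    print("cost ratio 500 -> 10000:", guess_cost_ratio(500, 10000))
```

The printed timings are for a single CPU core; a dedicated cracking rig is far faster, which is why the ratio matters more than the absolute numbers. The key itself is deterministic for a given password, salt and count, so changing the count re-encrypts the vault, which is the re-encryption and forced logout the article describes.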

11 Log out of LastPass automatically

  1. Click the LastPass icon in the browser’s toolbar
  2. Click Preferences
  3. Select the General section
  4. Tick the checkbox Automatically log out when all browsers are closed
  5. Tick the checkbox Automatically log out after idle (mins)
  6. Enter a time, like 15 or 30, after which you will automatically be logged out of LastPass
LastPass timeout settings to automatically log out of the password manager

Picture the scenario: you are working on your computer and decide to go and get a drink or something to eat. While you are away, someone could sit at your computer, use your browser while it is still logged in to LastPass, and access all your passwords.

Of course, you should lock your computer when you step away, but you may forget or be distracted and it is a security risk leaving a browser logged into your password manager.

To increase security LastPass should be set to automatically log out when all browser windows have been closed, and also after a set time, like 15 or 30 minutes, whatever suits you best. A short timeout means more frustration to you because you need to keep logging in to use LastPass, but it also prevents others from accessing your account.
