LastPass Hack-Proof: How to Up Your Security Game Instantly

Ashwin
Feb 2, 2023
Updated • Feb 3, 2023
Security

It has been a couple of months since LastPass suffered what is arguably the worst data breach ever to affect the password manager industry. The way the company handled the entire scenario, and the lack of transparency surrounding the aftermath of the attack, resulted in many users switching to rival services.


If you are a regular reader, you may be aware of our stance towards LastPass. We don't recommend using it because of past incidents and how they were handled, and we advise users to migrate to Bitwarden, KeePass or 1Password. The fact remains, however, that thousands of users are still on LastPass. This article is meant for those who plan to continue using the service: if you are staying, you might as well take the time to ensure that your account is as secure as possible.

The first thing you need to do is use a strong, unique master password; to be extra careful after the data breach, I would reset it. The next step is to check whether two-factor authentication (2FA) is enabled for your account. It is also advisable to protect your registered email address with a strong password and its own 2FA. That is pretty much what most people do to protect their account. There is one more thing you should do, which security experts have recommended and which we suggest Bitwarden users do too.

Cloud-based password managers never upload your master password as-is. They run it through a key derivation function (KDF), which hashes it repeatedly to derive the key that encrypts your vault before it is sent to the servers. The number of times the hashing is repeated is the iteration count. LastPass uses PBKDF2 and runs 100,100 rounds by default. This is actually less than what the Open Web Application Security Project (OWASP) recommends, which is 600,000 for PBKDF2. So here's how to raise it.

Warning: Please note that changing the iteration count will log you out of your devices, apps and extensions, and you will need to reauthenticate them. Take a backup of your vault data first by exporting the credentials from the vault's Advanced Options > Export option. The process will re-encrypt your data, and the vault will load more slowly.

How to increase the server-side KDF iterations in LastPass

1. Log in to your LastPass account at https://lastpass.com/

2. It should load your vault's page. Click on Account Settings in the side panel to the left.

3. A panel pops into view. Hit the Show Advanced Settings button. It will cause the pop-up to scroll down slightly.

4. Scroll further down the page till you see Password Iterations. It's set to 100100.

5. Click on the box, and change the value to 600000.

How to change the server-side iterations in LastPass Password Manager

6. Click the update button, and LastPass will prompt you to enter your master password.


LastPass will log you out of your account and re-encrypt the data. You can then log back in to your account and continue using it.

Note: If you have been using LastPass for a long time, chances are that your account has an iteration count lower than 100100. That could be because LastPass never raised it for old accounts, or prompted their owners to do so, something that has been strongly criticized by security experts.
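To make the iteration count concrete, the following added example (not code from the article or from LastPass) derives a vault key with PBKDF2-HMAC-SHA256 at the three counts discussed on this page and in the comments (5000, 100100, 600000) and shows how much more work each password guess costs an attacker who has a copy of the encrypted vault. The master password and salt are constructed sample values; LastPass's real salt and key-wrapping details are not modelled.

```python
import hashlib
import time

# Constructed sample inputs; not real credentials and not LastPass's own salt scheme.
MASTER_PASSWORD = b"correct horse battery staple"
SALT = b"user@example.com"
ITERATION_COUNTS = (5000, 100100, 600000)   # legacy account, LastPass default, OWASP
BASELINE_ITERATIONS = 100100


def derive_key(password: bytes, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 with a 32-byte output, the shape of a vault encryption key."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)


def relative_guess_cost(iterations: int, baseline: int = BASELINE_ITERATIONS) -> float:
    """PBKDF2 cost grows linearly with the count, so this is the per-guess cost
    multiplier an attacker faces compared with the baseline count."""
    return iterations / baseline


def time_one_guess(iterations: int, password: bytes = MASTER_PASSWORD,
                   salt: bytes = SALT) -> float:
    """Wall-clock seconds for a single derivation on this machine."""
    start = time.perf_counter()
    derive_key(password, salt, iterations)
    return time.perf_counter() - start


def main() -> None:
    for n in ITERATION_COUNTS:
        key = derive_key(MASTER_PASSWORD, SALT, n)
        print(f"{n:>7} iterations: {time_one_guess(n) * 1000:8.1f} ms per guess, "
              f"{relative_guess_cost(n):5.2f}x baseline, key={key.hex()[:16]}...")


if __name__ == "__main__":
    main()
```

Going from 5000 to 600000 iterations multiplies the cost of every offline guess by 120; it does nothing for a vault copy that was stolen while the count was still low, which is why a weak master password must also be changed.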


Comments

1. SCmCsyF said on February 5, 2023 at 10:08 am

    Since someone said the article would be better if there was a step-by-step guide how to migrate to a different password manager, I thought I’d link to a couple of guides: https://www.ghacks.net/2021/02/17/how-to-migrate-from-lastpass-to-bitwarden-password-manager/ Migrate to Bitwarden how-to guide.

    https://www.ghacks.net/2021/02/20/migrating-from-lastpass-to-an-alternative-password-manager-keepass-vs-bitwarden-which-one-will-you-choose/ Bitwarden vs KeePass.

    Maybe it would be a good idea to have an updated guide explaining the differences between Keepass, KeePassXC, BitWarden, browser password managers, there’s also Google Password manager where you can set it up so it uses your own password instead of your Google Account password. I know people here aren’t fans of Google, but I think Google password manager is overlooked.

2. RD said on February 5, 2023 at 12:55 am

Big thank you!!! Just checked my pw iterations and it was set to “32”. Been paying since 2011 and I’m sure I was a free user for a while before that. I might have been notified about it or maybe I should have done their security review… but I’m shocked a forced update with a notification didn’t happen.

3. Jason said on February 4, 2023 at 3:36 pm

    While this advice helps in case of a future vault leak, it doesn’t seem to do anything to help with the 2022 vault leak.

    If you had a short or weak or low entropy vault password previously then consider changing all your site passwords, and at least all the significant ones (banks, email, LastPass master password etc.)

If you had a low number of KDF iterations (below 100k), do likewise.

4. Anonymous said on February 4, 2023 at 2:17 pm

    Thank you Ashwin, Iterations changed from 5000 !!!!!! to 600000.

5. lollilol said on February 4, 2023 at 10:19 am

    This is suicide

6. Anonymous said on February 3, 2023 at 3:06 pm

    You have a typo in step 5. Should be 600000. You have 60000.

1. Martin Brinkmann said on February 3, 2023 at 3:54 pm

      Thank you!

7. sloff said on February 3, 2023 at 4:02 am

    +1 on what Ry and Davin have said. LastPass have repeatedly dropped the ball on the thing that matters most – security – and also are seriously lacking on support (based on personal experience, as a former LP user).

    There are free, open-source alternatives that suck less, despite recent alarmist posts about Bitwarden and KeePass’s theoretical “vulnerabilities” on this site.

8. Texas_tornado said on February 2, 2023 at 9:07 pm

    Happy 1Password user here for 2 years so far.
    Know that there are 2 1Password apps: Version 7 (local storage) and Version 8 (cloud storage). Version 7 is Legacy and you have to look for it on the 1PW website. Version 8 is the one on Google Play.
    I have V7 because I trust my own system. My new PC came with Core Isolation and Secure Boot.

9. BM said on February 2, 2023 at 8:22 pm

    5. Click on the box, and change the value to 60000

    Hopefully no one does this. It should be 600000

10. Davin Peterson said on February 2, 2023 at 4:06 pm

    After the latest hack, it’s time to drop LastPass and switch to another password manager such as 1Password. We can no longer trust LastPass

11. Ry said on February 2, 2023 at 3:42 pm

    Article would have been a lot better if it just walked through switching away from last pass. Truly cannot imagine trusting them after everything, including losing everyone’s vaults.

1. Davin Peterson said on February 2, 2023 at 4:07 pm

      yes, I agree. Some websites no longer recommend using LastPass and to switch to another password manager such as 1Password

12. Patrick S. said on February 2, 2023 at 2:50 pm

    In step 5, you say to change the value to 60000. I think you left off a zero.

13. Michael said on February 2, 2023 at 2:49 pm

    It’s worse than that. I hadn’t changed my master password in years (I know, I know), and it was still set to 5000 iterations. And LastPass never warned about this.

1. Harro Glööckler said on February 2, 2023 at 7:51 pm

Same here. I was like wtf when I saw 5000 while people kept panicking about having “only” 100000 iterations. My 32-character master pass is also the same since 2015 when I found out about Lastpass’s existence and it will probably stay that way because I’m way too old for memorizing such crap.
